# Zero Trust

# Devices

## List devices (deprecated)

**get** `/accounts/{account_id}/devices`

List WARP devices. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account.

**Deprecated**: please use one of the following endpoints instead:

- GET /accounts/{account_id}/devices/physical-devices
- GET /accounts/{account_id}/devices/registrations

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `result: array of Device`
  - `id: optional string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `created: optional string` When the device was created.
  - `deleted: optional boolean` True if the device was deleted.
  - `device_type: optional "windows" or "mac" or "linux" or 3 more`
    - `"windows"`
    - `"mac"`
    - `"linux"`
    - `"android"`
    - `"ios"`
    - `"chromeos"`
  - `ip: optional string` IPv4 or IPv6 address.
  - `key: optional string` The device's public key.
  - `last_seen: optional string` When the device last connected to Cloudflare services.
  - `mac_address: optional string` The device MAC address.
  - `manufacturer: optional string` The device manufacturer name.
  - `model: optional string` The device model name.
  - `name: optional string` The device name.
  - `os_distro_name: optional string` The Linux distro name.
  - `os_distro_revision: optional string` The Linux distro revision.
  - `os_version: optional string` The operating system version.
  - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `revoked_at: optional string` When the device was revoked.
  - `serial_number: optional string` The device serial number.
  - `updated: optional string` When the device was updated.
  - `user: optional { id, email, name }`
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.
  - `version: optional string` The WARP client version.
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created": "2017-06-14T00:00:00Z",
      "deleted": true,
      "device_type": "windows",
      "ip": "1.1.1.1",
      "key": "yek0SUYoOQ10vMGsIYAevozXUQpQtNFJFfFGqER/BGc=",
      "last_seen": "2017-06-14T00:00:00Z",
      "mac_address": "00-00-5E-00-53-00",
      "manufacturer": "My phone corp",
      "model": "MyPhone(pro-X)",
      "name": "My mobile device",
      "os_distro_name": "ubuntu",
      "os_distro_revision": "1.0.0",
      "os_version": "10.0.0",
      "os_version_extra": "(a) or 6889 or Ubuntu 24.04",
      "revoked_at": "2017-06-14T00:00:00Z",
      "serial_number": "EXAMPLEHMD6R",
      "updated": "2017-06-14T00:00:00Z",
      "user": {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "email": "user@example.com",
        "name": "John Appleseed"
      },
      "version": "1.0.0"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get device (deprecated)

**get** `/accounts/{account_id}/devices/{device_id}`

Fetches a single WARP device. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account.

**Deprecated**: please use one of the following endpoints instead:

- GET /accounts/{account_id}/devices/physical-devices/{device_id}
- GET /accounts/{account_id}/devices/registrations/{registration_id}

### Path Parameters

- `account_id: string`
- `device_id: string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `result: { id, account, created, 16 more }`
  - `id: optional string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `account: optional { id, account_type, name }`
    - `id: optional string`
    - `account_type: optional string`
    - `name: optional string` The name of the enrolled account.
  - `created: optional string` When the device was created.
  - `deleted: optional boolean` True if the device was deleted.
  - `device_type: optional string`
  - `gateway_device_id: optional string`
  - `ip: optional string` IPv4 or IPv6 address.
  - `key: optional string` The device's public key.
  - `key_type: optional string` Type of the key.
  - `last_seen: optional string` When the device last connected to Cloudflare services.
  - `mac_address: optional string` The device MAC address.
  - `model: optional string` The device model name.
  - `name: optional string` The device name.
  - `os_version: optional string` The operating system version.
  - `serial_number: optional string` The device serial number.
  - `tunnel_type: optional string` Type of the tunnel connection used.
  - `updated: optional string` When the device was updated.
  - `user: optional { id, email, name }`
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.
  - `version: optional string` The WARP client version.
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/$DEVICE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "account": {
      "id": "id",
      "account_type": "account_type",
      "name": "Company"
    },
    "created": "2017-06-14T00:00:00Z",
    "deleted": true,
    "device_type": "windows",
    "gateway_device_id": "PD33E90AXfafe14643cbbbc-4a0ed4fc8415Q",
    "ip": "1.1.1.1",
    "key": "yek0SUYoOQ10vMGsIYAevozXUQpQtNFJFfFGqER/BGc=",
    "key_type": "curve25519",
    "last_seen": "2017-06-14T00:00:00Z",
    "mac_address": "00-00-5E-00-53-00",
    "model": "MyPhone(pro-X)",
    "name": "My mobile device",
    "os_version": "10.0.0",
    "serial_number": "EXAMPLEHMD6R",
    "tunnel_type": "masque",
    "updated": "2017-06-14T00:00:00Z",
    "user": {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "user@example.com",
      "name": "John Appleseed"
    },
    "version": "1.0.0"
  },
  "success": true
}
```

## Domain Types

### Device

- `Device { id, created, deleted, 17 more }`
  - `id: optional string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `created: optional string` When the device was created.
  - `deleted: optional boolean` True if the device was deleted.
  - `device_type: optional "windows" or "mac" or "linux" or 3 more`
    - `"windows"`
    - `"mac"`
    - `"linux"`
    - `"android"`
    - `"ios"`
    - `"chromeos"`
  - `ip: optional string` IPv4 or IPv6 address.
  - `key: optional string` The device's public key.
  - `last_seen: optional string` When the device last connected to Cloudflare services.
  - `mac_address: optional string` The device MAC address.
  - `manufacturer: optional string` The device manufacturer name.
  - `model: optional string` The device model name.
  - `name: optional string` The device name.
  - `os_distro_name: optional string` The Linux distro name.
  - `os_distro_revision: optional string` The Linux distro revision.
  - `os_version: optional string` The operating system version.
  - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `revoked_at: optional string` When the device was revoked.
  - `serial_number: optional string` The device serial number.
  - `updated: optional string` When the device was updated.
  - `user: optional { id, email, name }`
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.
  - `version: optional string` The WARP client version.

### Device Get Response

- `DeviceGetResponse { id, account, created, 16 more }`
  - `id: optional string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).
  - `account: optional { id, account_type, name }`
    - `id: optional string`
    - `account_type: optional string`
    - `name: optional string` The name of the enrolled account.
  - `created: optional string` When the device was created.
  - `deleted: optional boolean` True if the device was deleted.
  - `device_type: optional string`
  - `gateway_device_id: optional string`
  - `ip: optional string` IPv4 or IPv6 address.
  - `key: optional string` The device's public key.
  - `key_type: optional string` Type of the key.
  - `last_seen: optional string` When the device last connected to Cloudflare services.
  - `mac_address: optional string` The device MAC address.
  - `model: optional string` The device model name.
  - `name: optional string` The device name.
  - `os_version: optional string` The operating system version.
  - `serial_number: optional string` The device serial number.
  - `tunnel_type: optional string` Type of the tunnel connection used.
  - `updated: optional string` When the device was updated.
  - `user: optional { id, email, name }`
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.
  - `version: optional string` The WARP client version.

# Devices

## List devices

**get** `/accounts/{account_id}/devices/physical-devices`

Lists WARP devices.

### Path Parameters

- `account_id: string`

### Query Parameters

- `id: optional array of string` Filter by one or more device IDs.
- `active_registrations: optional "include" or "only" or "exclude"` Include or exclude devices with active registrations. The default is "only" - return only devices with active registrations.
  - `"include"`
  - `"only"`
  - `"exclude"`
- `cursor: optional string` Opaque token indicating the starting position when requesting the next set of records. A cursor value can be obtained from the result_info.cursor field in the response.
- `include: optional string` Comma-separated list of additional information that should be included in the device response. Supported values are: "last_seen_registration.policy".
- `last_seen_user: optional { email }`
  - `email: optional string` Filter by the last seen user's email.
- `per_page: optional number` The maximum number of devices to return in a single response.
- `search: optional string` Search by device details.
- `seen_after: optional string` Filter by the last_seen timestamp - returns only devices last seen after this timestamp.
- `seen_before: optional string` Filter by the last_seen timestamp - returns only devices last seen before this timestamp.
- `sort_by: optional "name" or "id" or "client_version" or 4 more` The device field to order results by.
  - `"name"`
  - `"id"`
  - `"client_version"`
  - `"last_seen_user.email"`
  - `"last_seen_at"`
  - `"active_registrations"`
  - `"created_at"`
- `sort_order: optional "asc" or "desc"` Sort direction.
  - `"asc"`
  - `"desc"`

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: array of { id, active_registrations, created_at, 16 more }`
  - `id: string` The unique ID of the device.
  - `active_registrations: number` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: string` The RFC3339 timestamp when the device was created.
  - `last_seen_at: string` The RFC3339 timestamp when the device was last seen.
  - `name: string` The name of the device.
  - `updated_at: string` The RFC3339 timestamp when the device was last updated.
  - `client_version: optional string` Version of the WARP client.
  - `deleted_at: optional string` The RFC3339 timestamp when the device was deleted.
  - `device_type: optional string` The device operating system.
  - `hardware_id: optional string` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration: optional { policy }` The last seen registration for the device.
    - `policy: optional { id, default, deleted, 2 more }` A summary of the device profile evaluated for the registration.
      - `id: string` The ID of the device settings profile.
      - `default: boolean` Whether the device settings profile is the default profile for the account.
      - `deleted: boolean` Whether the device settings profile was deleted.
      - `name: string` The name of the device settings profile.
      - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user: optional { id, email, name }` The last user to use the WARP device.
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.
  - `mac_address: optional string` The device MAC address.
  - `manufacturer: optional string` The device manufacturer.
  - `model: optional string` The model name of the device.
  - `os_version: optional string` The device operating system version number.
  - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip: optional string` **Deprecated**: IP information is provided by DEX - see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number: optional string` The device serial number.
- `success: boolean` Whether the API call was successful.
- `result_info: optional { count, cursor, per_page, total_count }` V4 public API Pagination/Cursor info.
  - `count: number` Number of records in the response.
  - `cursor: string` Opaque token to request the next set of records.
  - `per_page: number` The limit for the number of records in the response.
  - `total_count: optional number` Total number of records available.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/physical-devices \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": [
    {
      "id": "fc9ab6ab-3b94-4319-9941-459462b3d73e",
      "active_registrations": 1,
      "created_at": "2025-02-14T13:17:00Z",
      "last_seen_at": "2025-02-14T13:17:00Z",
      "name": "My Device",
      "updated_at": "2025-02-14T13:17:00Z",
      "client_version": "1.0.0",
      "deleted_at": "2025-02-14T13:17:00Z",
      "device_type": "linux",
      "hardware_id": "hardware_id",
      "last_seen_registration": {
        "policy": {
          "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
          "default": true,
          "deleted": true,
          "name": "name",
          "updated_at": "2025-02-14T13:17:00Z"
        }
      },
      "last_seen_user": {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "email": "user@example.com",
        "name": "John Appleseed"
      },
      "mac_address": "f5:01:73:cf:12:23",
      "manufacturer": "ACME",
      "model": "Mark VII",
      "os_version": "os_version",
      "os_version_extra": "os_version_extra",
      "public_ip": "1.1.1.1",
      "serial_number": "ABS765ASD8A"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  }
}
```

## Get device

**get** `/accounts/{account_id}/devices/physical-devices/{device_id}`

Fetches a single WARP device.

### Path Parameters

- `account_id: string`
- `device_id: string`

### Query Parameters

- `include: optional string` Comma-separated list of additional information that should be included in the device response. Supported values are: "last_seen_registration.policy".

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: { id, active_registrations, created_at, 16 more }` A WARP Device.
  - `id: string` The unique ID of the device.
  - `active_registrations: number` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: string` The RFC3339 timestamp when the device was created.
  - `last_seen_at: string` The RFC3339 timestamp when the device was last seen.
  - `name: string` The name of the device.
  - `updated_at: string` The RFC3339 timestamp when the device was last updated.
  - `client_version: optional string` Version of the WARP client.
  - `deleted_at: optional string` The RFC3339 timestamp when the device was deleted.
  - `device_type: optional string` The device operating system.
  - `hardware_id: optional string` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration: optional { policy }` The last seen registration for the device.
    - `policy: optional { id, default, deleted, 2 more }` A summary of the device profile evaluated for the registration.
      - `id: string` The ID of the device settings profile.
      - `default: boolean` Whether the device settings profile is the default profile for the account.
      - `deleted: boolean` Whether the device settings profile was deleted.
      - `name: string` The name of the device settings profile.
      - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user: optional { id, email, name }` The last user to use the WARP device.
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.
  - `mac_address: optional string` The device MAC address.
  - `manufacturer: optional string` The device manufacturer.
  - `model: optional string` The model name of the device.
  - `os_version: optional string` The device operating system version number.
  - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip: optional string` **Deprecated**: IP information is provided by DEX - see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number: optional string` The device serial number.
- `success: boolean` Whether the API call was successful.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/physical-devices/$DEVICE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "fc9ab6ab-3b94-4319-9941-459462b3d73e",
    "active_registrations": 1,
    "created_at": "2025-02-14T13:17:00Z",
    "last_seen_at": "2025-02-14T13:17:00Z",
    "name": "My Device",
    "updated_at": "2025-02-14T13:17:00Z",
    "client_version": "1.0.0",
    "deleted_at": "2025-02-14T13:17:00Z",
    "device_type": "linux",
    "hardware_id": "hardware_id",
    "last_seen_registration": {
      "policy": {
        "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
        "default": true,
        "deleted": true,
        "name": "name",
        "updated_at": "2025-02-14T13:17:00Z"
      }
    },
    "last_seen_user": {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "user@example.com",
      "name": "John Appleseed"
    },
    "mac_address": "f5:01:73:cf:12:23",
    "manufacturer": "ACME",
    "model": "Mark VII",
    "os_version": "os_version",
    "os_version_extra": "os_version_extra",
    "public_ip": "1.1.1.1",
    "serial_number": "ABS765ASD8A"
  },
  "success": true
}
```

## Delete device

**delete** `/accounts/{account_id}/devices/physical-devices/{device_id}`

Deletes a WARP device.

### Path Parameters

- `account_id: string`
- `device_id: string`

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `success: boolean` Whether the API call was successful.
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/physical-devices/$DEVICE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "success": true,
  "result": {}
}
```

## Revoke device registrations

**post** `/accounts/{account_id}/devices/physical-devices/{device_id}/revoke`

Revokes all WARP registrations associated with the specified device.

### Path Parameters

- `account_id: string`
- `device_id: string`

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `success: boolean` Whether the API call was successful.
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/physical-devices/$DEVICE_ID/revoke \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Device List Response

- `DeviceListResponse { id, active_registrations, created_at, 16 more }` A WARP Device.
  - `id: string` The unique ID of the device.
  - `active_registrations: number` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: string` The RFC3339 timestamp when the device was created.
  - `last_seen_at: string` The RFC3339 timestamp when the device was last seen.
  - `name: string` The name of the device.
  - `updated_at: string` The RFC3339 timestamp when the device was last updated.
  - `client_version: optional string` Version of the WARP client.
  - `deleted_at: optional string` The RFC3339 timestamp when the device was deleted.
  - `device_type: optional string` The device operating system.
  - `hardware_id: optional string` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration: optional { policy }` The last seen registration for the device.
    - `policy: optional { id, default, deleted, 2 more }` A summary of the device profile evaluated for the registration.
      - `id: string` The ID of the device settings profile.
      - `default: boolean` Whether the device settings profile is the default profile for the account.
      - `deleted: boolean` Whether the device settings profile was deleted.
      - `name: string` The name of the device settings profile.
      - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user: optional { id, email, name }` The last user to use the WARP device.
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.
  - `mac_address: optional string` The device MAC address.
  - `manufacturer: optional string` The device manufacturer.
  - `model: optional string` The model name of the device.
  - `os_version: optional string` The device operating system version number.
  - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip: optional string` **Deprecated**: IP information is provided by DEX - see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number: optional string` The device serial number.

### Device Get Response

- `DeviceGetResponse { id, active_registrations, created_at, 16 more }` A WARP Device.
  - `id: string` The unique ID of the device.
  - `active_registrations: number` The number of active registrations for the device. Active registrations are those which haven't been revoked or deleted.
  - `created_at: string` The RFC3339 timestamp when the device was created.
  - `last_seen_at: string` The RFC3339 timestamp when the device was last seen.
  - `name: string` The name of the device.
  - `updated_at: string` The RFC3339 timestamp when the device was last updated.
  - `client_version: optional string` Version of the WARP client.
  - `deleted_at: optional string` The RFC3339 timestamp when the device was deleted.
  - `device_type: optional string` The device operating system.
  - `hardware_id: optional string` A string that uniquely identifies the hardware or virtual machine (VM).
  - `last_seen_registration: optional { policy }` The last seen registration for the device.
    - `policy: optional { id, default, deleted, 2 more }` A summary of the device profile evaluated for the registration.
      - `id: string` The ID of the device settings profile.
      - `default: boolean` Whether the device settings profile is the default profile for the account.
      - `deleted: boolean` Whether the device settings profile was deleted.
      - `name: string` The name of the device settings profile.
      - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `last_seen_user: optional { id, email, name }` The last user to use the WARP device.
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.
  - `mac_address: optional string` The device MAC address.
  - `manufacturer: optional string` The device manufacturer.
  - `model: optional string` The model name of the device.
  - `os_version: optional string` The device operating system version number.
  - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `public_ip: optional string` **Deprecated**: IP information is provided by DEX - see https://developers.cloudflare.com/api/resources/zero_trust/subresources/dex/subresources/fleet_status/subresources/devices/methods/list/
  - `serial_number: optional string` The device serial number.

### Device Delete Response

- `DeviceDeleteResponse = unknown`

### Device Revoke Response

- `DeviceRevokeResponse = unknown`

# Resilience

# Global WARP Override

## Retrieve Global WARP override state

**get** `/accounts/{account_id}/devices/resilience/disconnect`

Fetch the Global WARP override state.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `result: { disconnect, timestamp }`
  - `disconnect: optional boolean` Disconnects all devices on the account using Global WARP override.
  - `timestamp: optional string` When the Global WARP override state was updated.
- `success: true` Whether the API call was successful.
- `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/resilience/disconnect \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "disconnect": false, "timestamp": "1970-01-01T00:00:00.000Z" }, "success": true } ``` ## Set Global WARP override state **post** `/accounts/{account_id}/devices/resilience/disconnect` Sets the Global WARP override state. ### Path Parameters - `account_id: string` ### Body Parameters - `disconnect: boolean` Disconnects all devices on the account using Global WARP override. - `justification: optional string` Reasoning for setting the Global WARP override state. This will be surfaced in the audit log. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: { disconnect, timestamp }` - `disconnect: optional boolean` Disconnects all devices on the account using Global WARP override. - `timestamp: optional string` When the Global WARP override state was updated. - `success: true` Whether the API call was successful. - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/resilience/disconnect \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "disconnect": false, "justification": "Turning off WARP for testing purposes." 
}' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "disconnect": false, "timestamp": "1970-01-01T00:00:00.000Z" }, "success": true } ``` ## Domain Types ### Global WARP Override Get Response - `GlobalWARPOverrideGetResponse { disconnect, timestamp }` - `disconnect: optional boolean` Disconnects all devices on the account using Global WARP override. - `timestamp: optional string` When the Global WARP override state was updated. ### Global WARP Override Create Response - `GlobalWARPOverrideCreateResponse { disconnect, timestamp }` - `disconnect: optional boolean` Disconnects all devices on the account using Global WARP override. - `timestamp: optional string` When the Global WARP override state was updated. # Registrations ## List registrations **get** `/accounts/{account_id}/devices/registrations` Lists WARP registrations. ### Path Parameters - `account_id: string` ### Query Parameters - `id: optional array of string` Filter by registration ID. - `cursor: optional string` Opaque token indicating the starting position when requesting the next set of records. A cursor value can be obtained from the result_info.cursor field in the response. - `device: optional { id }` - `id: optional string` Filter by WARP device ID. - `include: optional string` Comma-separated list of additional information that should be included in the registration response. Supported values are: "policy". - `per_page: optional number` The maximum number of devices to return in a single response. - `search: optional string` Filter by registration details. - `seen_after: optional string` Filter by the last_seen timestamp - returns only registrations last seen after this timestamp. 
- `seen_before: optional string` Filter by the last_seen timestamp - returns only registrations last seen before this timestamp.
- `sort_by: optional "id" or "user.name" or "user.email" or 2 more` The registration field to order results by.
  - `"id"`
  - `"user.name"`
  - `"user.email"`
  - `"last_seen_at"`
  - `"created_at"`
- `sort_order: optional "asc" or "desc"` Sort direction.
  - `"asc"`
  - `"desc"`
- `status: optional "active" or "all" or "revoked"` Filter by registration status. Defaults to 'active'.
  - `"active"`
  - `"all"`
  - `"revoked"`
- `user: optional { id }`
  - `id: optional array of string` Filter by user ID.

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: array of { id, created_at, device, 9 more }`
  - `id: string` The ID of the registration.
  - `created_at: string` The RFC3339 timestamp when the registration was created.
  - `device: { id, name, client_version }` Device details embedded inside of a registration.
    - `id: string` The ID of the device.
    - `name: string` The name of the device.
    - `client_version: optional string` Version of the WARP client.
  - `key: string` The public key used to connect to the Cloudflare network.
  - `last_seen_at: string` The RFC3339 timestamp when the registration was last seen.
  - `updated_at: string` The RFC3339 timestamp when the registration was last updated.
  - `deleted_at: optional string` The RFC3339 timestamp when the registration was deleted.
  - `key_type: optional string` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy: optional { id, default, deleted, 2 more }` The device settings profile assigned to this registration.
    - `id: string` The ID of the device settings profile.
    - `default: boolean` Whether the device settings profile is the default profile for the account.
    - `deleted: boolean` Whether the device settings profile was deleted.
    - `name: string` The name of the device settings profile.
    - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at: optional string` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type: optional string` Type of the tunnel - wireguard or masque.
  - `user: optional { id, email, name }`
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.
- `success: boolean` Whether the API call was successful.
- `result_info: optional { count, cursor, per_page, total_count }` V4 public API Pagination/Cursor info.
  - `count: number` Number of records in the response.
  - `cursor: string` Opaque token to request the next set of records.
  - `per_page: number` The limit for the number of records in the response.
  - `total_count: optional number` Total number of records available.
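The cursor loop, the `status` and `seen_before` filters, and the follow-up bulk revoke call are easier to see in code than in the field list. The following Python is an added example and is not part of Cloudflare's documentation or client libraries. The account ID, the two response pages and the `fake_transport` stub are constructed so it runs offline, and sending `id` as a repeated query parameter on the revoke endpoint is this example's assumption about how that `array of string` parameter is encoded.

```python
"""Added example (not Cloudflare's code): page through WARP registrations
with result_info.cursor, flag the ones not seen for a while, and build the
bulk-revoke request for them. The transport is a stub over constructed
sample pages so the example runs offline."""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Callable, Iterable, Iterator
from urllib.parse import urlencode

API = "https://api.cloudflare.com/client/v4"

# A transport is any callable (method, url, query_params) -> parsed JSON body.
# A real one would wrap requests/httpx and add "Authorization: Bearer <token>".
Transport = Callable[[str, str, dict], dict]


def iter_registrations(account_id: str, transport: Transport, status: str = "active",
                       per_page: int = 100, seen_before: str | None = None) -> Iterator[dict]:
    """Yield every registration, following result_info.cursor until it runs out."""
    url = f"{API}/accounts/{account_id}/devices/registrations"
    params: dict = {"status": status, "per_page": per_page}
    if seen_before:
        params["seen_before"] = seen_before  # server-side last_seen_at filter
    while True:
        body = transport("GET", url, params)
        if not body.get("success"):
            raise RuntimeError(f"list registrations failed: {body.get('errors')}")
        yield from body.get("result") or []
        cursor = (body.get("result_info") or {}).get("cursor")
        if not cursor:  # empty or missing cursor means this was the last page
            return
        params = {**params, "cursor": cursor}


def parse_rfc3339(ts: str) -> datetime:
    """Parse the RFC3339 'Z' timestamps the API returns into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def stale_registration_ids(regs: Iterable[dict], now: datetime, max_age: timedelta) -> list[str]:
    """IDs of registrations whose last_seen_at is older than max_age.
    Registrations that already carry revoked_at are skipped (matters when status="all")."""
    cutoff = now - max_age
    return [r["id"] for r in regs
            if not r.get("revoked_at") and parse_rfc3339(r["last_seen_at"]) < cutoff]


def revoke_url(account_id: str, ids: list[str]) -> str:
    """POST target for the bulk revoke endpoint. The page documents `id` as an array
    query parameter; repeating `id=` once per value is this example's assumption."""
    return (f"{API}/accounts/{account_id}/devices/registrations/revoke?"
            + urlencode([("id", i) for i in ids]))


# --- constructed sample data: shape copied from the list response, values made up ---
ACCOUNT_ID = "023e105f4ecef8ad9ca31a8372d0c353"  # hypothetical account ID


def _reg(rid: str, email: str, last_seen: str, revoked_at: str | None = None) -> dict:
    return {"id": rid, "last_seen_at": last_seen, "revoked_at": revoked_at,
            "user": {"email": email}, "device": {"id": "dev-" + rid[:8]}}


_PAGES = {
    None: {"success": True, "errors": [], "messages": [],
           "result": [_reg("11ffb86f-3f0c-4306-b4a2-e62f872b166a", "alice@example.org", "2025-02-14T13:17:00Z"),
                      _reg("22eedc7a-4a1d-5417-c5b3-f73a983c277b", "bob@example.com", "2025-02-15T10:25:00Z")],
           "result_info": {"count": 2, "cursor": "page-2", "per_page": 2, "total_count": None}},
    "page-2": {"success": True, "errors": [], "messages": [],
               "result": [_reg("33aa0c1d-7e2b-4f8a-9d6e-0b1c2d3e4f50", "carol@example.net", "2025-02-28T09:00:00Z"),
                          _reg("44bb1d2e-8f3c-4a9b-8e7f-1c2d3e4f5a61", "dave@example.net", "2025-01-20T08:00:00Z",
                               revoked_at="2025-01-21T00:00:00Z")],
               "result_info": {"count": 2, "cursor": "", "per_page": 2, "total_count": None}},
}


def fake_transport(method: str, url: str, params: dict) -> dict:
    """Stub standing in for the HTTP client; answers from _PAGES keyed by the cursor."""
    assert method == "GET" and url.endswith("/devices/registrations")
    return _PAGES[params.get("cursor")]


def run_example(now_iso: str = "2025-03-01T00:00:00Z"):
    """Walk both pages, flag registrations unseen for 14 days, return (regs, stale_ids, url)."""
    regs = list(iter_registrations(ACCOUNT_ID, fake_transport, status="all", per_page=2))
    ids = stale_registration_ids(regs, parse_rfc3339(now_iso), timedelta(days=14))
    return regs, ids, revoke_url(ACCOUNT_ID, ids)


if __name__ == "__main__":
    regs, ids, url = run_example()
    print(f"{len(regs)} registrations, {len(ids)} stale -> POST {url}")
```

Swap `fake_transport` for a function that performs the real request with `Authorization: Bearer $CLOUDFLARE_API_TOKEN`; `iter_registrations` stops as soon as `result_info.cursor` comes back empty. Revoking rather than deleting stale registrations keeps the record and can be reversed with the unrevoke endpoint further down the page.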
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/registrations \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [],
  "messages": [],
  "result": [
    {
      "created_at": "2025-02-14T13:17:00Z",
      "deleted_at": null,
      "device": {
        "client_version": "1.0.0",
        "id": "32aa0404-78f1-49a4-99e0-97f575081356",
        "name": "My Device"
      },
      "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
      "key": "U+QTP50RsWfeLGHF4tlGDnmGeuwtsz46KCHr5OyhWq00Rsdfl45mgnQAuEJ6CO0YrkyTl9FUf5iB0bwYR3g4EEFEHhtu6jFaqfMrBMBSz6itv9HQXkaR9OieKQ==",
      "key_type": "secp256r1",
      "last_seen_at": "2025-02-14T13:17:00Z",
      "revoked_at": null,
      "tunnel_type": "masque",
      "updated_at": "2025-02-14T13:17:00Z",
      "user": {
        "email": "alice@example.org",
        "id": "30323c1f-318d-4ec9-92c7-5a8c4d25c4fc",
        "name": "Alice"
      }
    },
    {
      "created_at": "2025-02-15T10:20:00Z",
      "deleted_at": null,
      "device": {
        "client_version": "1.0.1",
        "id": "43bb1515-8902-50b5-aa01-a88686192467",
        "name": "Bob's Laptop"
      },
      "id": "22eedc7a-4a1d-5417-c5b3-f73a983c277b",
      "key": "V/RSP61StXgfmLHJG5umHEonHfvxtz57LDIs6PziXr11Stegm56nhrRBvFK7DP1ZsLzUm0GVg6jC1cxZS4h5FFGFJiju7kGbrgNsCNCT77juw0IRYlS0QpjgLR==",
      "key_type": "secp256r1",
      "last_seen_at": "2025-02-15T10:25:00Z",
      "revoked_at": null,
      "tunnel_type": "masque",
      "updated_at": "2025-02-15T10:25:00Z",
      "user": {
        "email": "bob@example.com",
        "id": "41434d2a-429e-5fd0-a3d8-6b9d5e36d5ad",
        "name": "Bob"
      }
    }
  ],
  "result_info": {
    "count": 2,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  },
  "success": true
}
```

## Get registration

**get** `/accounts/{account_id}/devices/registrations/{registration_id}`

Fetches a single WARP registration.

### Path Parameters

- `account_id: string`
- `registration_id: string`

### Query Parameters

- `include: optional string` Comma-separated list of additional information that should be included in the registration response. Supported values are: "policy".
### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: { id, created_at, device, 9 more }` A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.
  - `id: string` The ID of the registration.
  - `created_at: string` The RFC3339 timestamp when the registration was created.
  - `device: { id, name, client_version }` Device details embedded inside of a registration.
    - `id: string` The ID of the device.
    - `name: string` The name of the device.
    - `client_version: optional string` Version of the WARP client.
  - `key: string` The public key used to connect to the Cloudflare network.
  - `last_seen_at: string` The RFC3339 timestamp when the registration was last seen.
  - `updated_at: string` The RFC3339 timestamp when the registration was last updated.
  - `deleted_at: optional string` The RFC3339 timestamp when the registration was deleted.
  - `key_type: optional string` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy: optional { id, default, deleted, 2 more }` The device settings profile assigned to this registration.
    - `id: string` The ID of the device settings profile.
    - `default: boolean` Whether the device settings profile is the default profile for the account.
    - `deleted: boolean` Whether the device settings profile was deleted.
    - `name: string` The name of the device settings profile.
    - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at: optional string` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type: optional string` Type of the tunnel - wireguard or masque.
  - `user: optional { id, email, name }`
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.
- `success: boolean` Whether the API call was successful.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/registrations/$REGISTRATION_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
    "created_at": "2025-02-14T13:17:00Z",
    "device": {
      "id": "32aa0404-78f1-49a4-99e0-97f575081356",
      "name": "My Device",
      "client_version": "1.0.0"
    },
    "key": "U+QTP50RsWfeLGHF4tlGDnmGeuwtsz46KCHr5OyhWq00Rsdfl45mgnQAuEJ6CO0YrkyTl9FUf5iB0bwYR3g4EEFEHhtu6jFaqfMrBMBSz6itv9HQXkaR9OieKQ==",
    "last_seen_at": "2025-02-14T13:17:00Z",
    "updated_at": "2025-02-14T13:17:00Z",
    "deleted_at": "2025-02-14T13:17:00Z",
    "key_type": "secp256r1",
    "policy": {
      "id": "11ffb86f-3f0c-4306-b4a2-e62f872b166a",
      "default": true,
      "deleted": true,
      "name": "name",
      "updated_at": "2025-02-14T13:17:00Z"
    },
    "revoked_at": "2025-02-14T13:17:00Z",
    "tunnel_type": "masque",
    "user": {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "user@example.com",
      "name": "John Appleseed"
    }
  },
  "success": true
}
```

## Delete registration

**delete** `/accounts/{account_id}/devices/registrations/{registration_id}`

Deletes a WARP registration.

### Path Parameters

- `account_id: string`
- `registration_id: string`

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `success: boolean` Whether the API call was successful.
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/registrations/$REGISTRATION_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "success": true,
  "result": {}
}
```

## Delete registrations

**delete** `/accounts/{account_id}/devices/registrations`

Deletes a list of WARP registrations. There is no corresponding un-delete endpoint; if the action may need to be reversed later, use the revoke endpoint below instead, which can be undone with unrevoke.

### Path Parameters

- `account_id: string`

### Query Parameters

- `id: array of string` A list of registration IDs to delete.

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: unknown`
- `success: boolean` Whether the API call was successful.
- `result_info: optional { count, cursor, per_page, total_count }` V4 public API Pagination/Cursor info.
  - `count: number` Number of records in the response.
  - `cursor: string` Opaque token to request the next set of records.
  - `per_page: number` The limit for the number of records in the response.
  - `total_count: optional number` Total number of records available.

### Example

The `id` query parameter is required; the example passes one registration ID.

```http
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/registrations?id=$REGISTRATION_ID" \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {},
  "success": true,
  "result_info": {
    "count": 1,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  }
}
```

## Revoke registrations

**post** `/accounts/{account_id}/devices/registrations/revoke`

Revokes a list of WARP registrations.

### Path Parameters

- `account_id: string`

### Query Parameters

- `id: array of string` A list of registration IDs to revoke.
### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: unknown`
- `success: boolean` Whether the API call was successful.
- `result_info: optional { count, cursor, per_page, total_count }` V4 public API Pagination/Cursor info.
  - `count: number` Number of records in the response.
  - `cursor: string` Opaque token to request the next set of records.
  - `per_page: number` The limit for the number of records in the response.
  - `total_count: optional number` Total number of records available.

### Example

The `id` query parameter is required; the example passes one registration ID.

```http
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/registrations/revoke?id=$REGISTRATION_ID" \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {},
  "success": true,
  "result_info": {
    "count": 1,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  }
}
```

## Unrevoke registrations

**post** `/accounts/{account_id}/devices/registrations/unrevoke`

Unrevokes a list of WARP registrations.

### Path Parameters

- `account_id: string`

### Query Parameters

- `id: array of string` A list of registration IDs to unrevoke.

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: unknown`
- `success: boolean` Whether the API call was successful.
- `result_info: optional { count, cursor, per_page, total_count }` V4 public API Pagination/Cursor info.
  - `count: number` Number of records in the response.
  - `cursor: string` Opaque token to request the next set of records.
  - `per_page: number` The limit for the number of records in the response.
  - `total_count: optional number` Total number of records available.
### Example

The `id` query parameter is required; the example passes one registration ID.

```http
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/registrations/unrevoke?id=$REGISTRATION_ID" \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {},
  "success": true,
  "result_info": {
    "count": 1,
    "cursor": "ais86dftf.asdf7ba8",
    "per_page": 10,
    "total_count": null
  }
}
```

## Domain Types

### Registration List Response

- `RegistrationListResponse { id, created_at, device, 9 more }` A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.
  - `id: string` The ID of the registration.
  - `created_at: string` The RFC3339 timestamp when the registration was created.
  - `device: { id, name, client_version }` Device details embedded inside of a registration.
    - `id: string` The ID of the device.
    - `name: string` The name of the device.
    - `client_version: optional string` Version of the WARP client.
  - `key: string` The public key used to connect to the Cloudflare network.
  - `last_seen_at: string` The RFC3339 timestamp when the registration was last seen.
  - `updated_at: string` The RFC3339 timestamp when the registration was last updated.
  - `deleted_at: optional string` The RFC3339 timestamp when the registration was deleted.
  - `key_type: optional string` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy: optional { id, default, deleted, 2 more }` The device settings profile assigned to this registration.
    - `id: string` The ID of the device settings profile.
    - `default: boolean` Whether the device settings profile is the default profile for the account.
    - `deleted: boolean` Whether the device settings profile was deleted.
    - `name: string` The name of the device settings profile.
    - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at: optional string` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type: optional string` Type of the tunnel - wireguard or masque.
  - `user: optional { id, email, name }`
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.

### Registration Get Response

- `RegistrationGetResponse { id, created_at, device, 9 more }` A WARP configuration tied to a single user. Multiple registrations can be created from a single WARP device.
  - `id: string` The ID of the registration.
  - `created_at: string` The RFC3339 timestamp when the registration was created.
  - `device: { id, name, client_version }` Device details embedded inside of a registration.
    - `id: string` The ID of the device.
    - `name: string` The name of the device.
    - `client_version: optional string` Version of the WARP client.
  - `key: string` The public key used to connect to the Cloudflare network.
  - `last_seen_at: string` The RFC3339 timestamp when the registration was last seen.
  - `updated_at: string` The RFC3339 timestamp when the registration was last updated.
  - `deleted_at: optional string` The RFC3339 timestamp when the registration was deleted.
  - `key_type: optional string` The type of encryption key used by the WARP client for the active key. Currently 'curve25519' for WireGuard and 'secp256r1' for MASQUE.
  - `policy: optional { id, default, deleted, 2 more }` The device settings profile assigned to this registration.
    - `id: string` The ID of the device settings profile.
    - `default: boolean` Whether the device settings profile is the default profile for the account.
    - `deleted: boolean` Whether the device settings profile was deleted.
    - `name: string` The name of the device settings profile.
    - `updated_at: string` The RFC3339 timestamp of when the device settings profile last changed for the registration.
  - `revoked_at: optional string` The RFC3339 timestamp when the registration was revoked.
  - `tunnel_type: optional string` Type of the tunnel - wireguard or masque.
  - `user: optional { id, email, name }`
    - `id: optional string` UUID.
    - `email: optional string` The contact email address of the user.
    - `name: optional string` The enrolled device user's name.

### Registration Delete Response

- `RegistrationDeleteResponse = unknown`

### Registration Bulk Delete Response

- `RegistrationBulkDeleteResponse = unknown`

### Registration Revoke Response

- `RegistrationRevokeResponse = unknown`

### Registration Unrevoke Response

- `RegistrationUnrevokeResponse = unknown`

# DEX Tests

## List Device DEX tests

**get** `/accounts/{account_id}/dex/devices/dex_tests`

Fetch all DEX tests.

### Path Parameters

- `account_id: string`

### Query Parameters

- `kind: optional "http" or "traceroute"` Filter by test type
  - `"http"`
  - `"traceroute"`
- `page: optional number` Page number of paginated results
- `per_page: optional number` Number of items per page
- `testName: optional string` Filter by test name

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { data, enabled, interval, 5 more }`
  - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" or "traceroute"` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: optional "GET"` The HTTP request method type.
      - `"GET"`
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description: optional string` Additional details about the test.
  - `target_policies: optional array of { id, default, name }` DEX rules targeted by this test
    - `id: string` API Resource UUID tag.
    - `default: optional boolean` Whether the DEX rule is the account default
    - `name: optional string` The name of the DEX rule
  - `targeted: optional boolean`
  - `test_id: optional string` The unique identifier for the test.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/devices/dex_tests \
  -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  -H "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

The DEX examples authenticate with the Global API Key (`X-Auth-Email` and `X-Auth-Key`), which carries full account privileges and cannot be scoped; for automation, a scoped API token sent as `Authorization: Bearer $CLOUDFLARE_API_TOKEN`, as in the registration examples above, limits what a leaked credential can do.

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "data": {
        "host": "https://dash.cloudflare.com",
        "kind": "http",
        "method": "GET"
      },
      "enabled": true,
      "interval": "30m",
      "name": "HTTP dash health check",
      "description": "Checks the dash endpoint every 30 minutes",
      "target_policies": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "default": true,
          "name": "name"
        }
      ],
      "targeted": true,
      "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
    }
  ]
}
```

## Get Device DEX test

**get** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Fetch a single DEX test.

### Path Parameters

- `account_id: string`
- `dex_test_id: string` The unique identifier for the test.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { data, enabled, interval, 5 more }`
  - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" or "traceroute"` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: optional "GET"` The HTTP request method type.
      - `"GET"`
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description: optional string` Additional details about the test.
  - `target_policies: optional array of { id, default, name }` DEX rules targeted by this test
    - `id: string` API Resource UUID tag.
    - `default: optional boolean` Whether the DEX rule is the account default
    - `name: optional string` The name of the DEX rule
  - `targeted: optional boolean`
  - `test_id: optional string` The unique identifier for the test.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/devices/dex_tests/$DEX_TEST_ID \
  -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  -H "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "data": {
      "host": "https://dash.cloudflare.com",
      "kind": "http",
      "method": "GET"
    },
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "default": true,
        "name": "name"
      }
    ],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Create Device DEX test

**post** `/accounts/{account_id}/dex/devices/dex_tests`

Create a DEX test.

### Path Parameters

- `account_id: string`

### Body Parameters

- `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test.
  - `host: string` The desired endpoint to test.
  - `kind: "http" or "traceroute"` The type of test.
    - `"http"`
    - `"traceroute"`
  - `method: optional "GET"` The HTTP request method type.
    - `"GET"`
- `enabled: boolean` Determines whether or not the test is active.
- `interval: string` How often the test will run.
- `name: string` The name of the DEX test. Must be unique.
- `description: optional string` Additional details about the test.
- `target_policies: optional array of { id, default, name }` DEX rules targeted by this test
  - `id: string` API Resource UUID tag.
  - `default: optional boolean` Whether the DEX rule is the account default
  - `name: optional string` The name of the DEX rule
- `targeted: optional boolean`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { data, enabled, interval, 5 more }`
  - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" or "traceroute"` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: optional "GET"` The HTTP request method type.
      - `"GET"`
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description: optional string` Additional details about the test.
  - `target_policies: optional array of { id, default, name }` DEX rules targeted by this test
    - `id: string` API Resource UUID tag.
    - `default: optional boolean` Whether the DEX rule is the account default
    - `name: optional string` The name of the DEX rule
  - `targeted: optional boolean`
  - `test_id: optional string` The unique identifier for the test.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/devices/dex_tests \
  -H 'Content-Type: application/json' \
  -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  -H "X-Auth-Key: $CLOUDFLARE_API_KEY" \
  -d '{
    "data": {
      "host": "https://dash.cloudflare.com",
      "kind": "http",
      "method": "GET"
    },
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "data": {
      "host": "https://dash.cloudflare.com",
      "kind": "http",
      "method": "GET"
    },
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "default": true,
        "name": "name"
      }
    ],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Update Device DEX test

**put** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Update a DEX test.

### Path Parameters

- `account_id: string`
- `dex_test_id: string` API Resource UUID tag.

### Body Parameters

- `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test.
  - `host: string` The desired endpoint to test.
  - `kind: "http" or "traceroute"` The type of test.
    - `"http"`
    - `"traceroute"`
  - `method: optional "GET"` The HTTP request method type.
    - `"GET"`
- `enabled: boolean` Determines whether or not the test is active.
- `interval: string` How often the test will run.
- `name: string` The name of the DEX test. Must be unique.
- `description: optional string` Additional details about the test.
- `target_policies: optional array of { id, default, name }` DEX rules targeted by this test
  - `id: string` API Resource UUID tag.
  - `default: optional boolean` Whether the DEX rule is the account default
  - `name: optional string` The name of the DEX rule
- `targeted: optional boolean`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { data, enabled, interval, 5 more }`
  - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: string` The desired endpoint to test.
    - `kind: "http" or "traceroute"` The type of test.
      - `"http"`
      - `"traceroute"`
    - `method: optional "GET"` The HTTP request method type.
      - `"GET"`
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description: optional string` Additional details about the test.
  - `target_policies: optional array of { id, default, name }` DEX rules targeted by this test
    - `id: string` API Resource UUID tag.
    - `default: optional boolean` Whether the DEX rule is the account default
    - `name: optional string` The name of the DEX rule
  - `targeted: optional boolean`
  - `test_id: optional string` The unique identifier for the test.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/devices/dex_tests/$DEX_TEST_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  -H "X-Auth-Key: $CLOUDFLARE_API_KEY" \
  -d '{
    "data": {
      "host": "https://dash.cloudflare.com",
      "kind": "http",
      "method": "GET"
    },
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "data": {
      "host": "https://dash.cloudflare.com",
      "kind": "http",
      "method": "GET"
    },
    "enabled": true,
    "interval": "30m",
    "name": "HTTP dash health check",
    "description": "Checks the dash endpoint every 30 minutes",
    "target_policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "default": true,
        "name": "name"
      }
    ],
    "targeted": true,
    "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
  }
}
```

## Delete Device DEX test

**delete** `/accounts/{account_id}/dex/devices/dex_tests/{dex_test_id}`

Delete a Device DEX test. Returns the remaining device DEX tests for the account.

### Path Parameters

- `account_id: string`
- `dex_test_id: string` API Resource UUID tag.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { dex_tests }`
  - `dex_tests: optional array of { data, enabled, interval, 5 more }`
    - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: string` The desired endpoint to test.
      - `kind: "http" or "traceroute"` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method: optional "GET"` The HTTP request method type.
        - `"GET"`
    - `enabled: boolean` Determines whether or not the test is active.
    - `interval: string` How often the test will run.
    - `name: string` The name of the DEX test. Must be unique.
    - `description: optional string` Additional details about the test.
    - `target_policies: optional array of { id, default, name }` DEX rules targeted by this test
      - `id: string` API Resource UUID tag.
      - `default: optional boolean` Whether the DEX rule is the account default
      - `name: optional string` The name of the DEX rule
    - `targeted: optional boolean`
    - `test_id: optional string` The unique identifier for the test.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/devices/dex_tests/$DEX_TEST_ID \
  -X DELETE \
  -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  -H "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "dex_tests": [
      {
        "data": {
          "host": "https://dash.cloudflare.com",
          "kind": "http",
          "method": "GET"
        },
        "enabled": true,
        "interval": "30m",
        "name": "HTTP dash health check",
        "description": "Checks the dash endpoint every 30 minutes",
        "target_policies": [
          {
            "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
            "default": true,
            "name": "name"
          }
        ],
        "targeted": true,
        "test_id": "372e67954025e0ba6aaa6d586b9e0b59"
      }
    ]
  }
}
```

## Domain Types

### Schema Data

- `SchemaData { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test.
  - `host: optional string` The desired endpoint to test.
  - `kind: optional string` The type of test.
  - `method: optional string` The HTTP request method type.

### Schema HTTP

- `SchemaHTTP { data, enabled, interval, 5 more }`
  - `data: SchemaData` The configuration object which contains the details for the WARP client to conduct the test.
    - `host: optional string` The desired endpoint to test.
    - `kind: optional string` The type of test.
    - `method: optional string` The HTTP request method type.
  - `enabled: boolean` Determines whether or not the test is active.
  - `interval: string` How often the test will run.
  - `name: string` The name of the DEX test. Must be unique.
  - `description: optional string` Additional details about the test.
  - `target_policies: optional array of { id, default, name }` Device settings profiles targeted by this test.
- `id: optional string` The id of the device settings profile. - `default: optional boolean` Whether the profile is the account default. - `name: optional string` The name of the device settings profile. - `targeted: optional boolean` - `test_id: optional string` The unique identifier for the test. ### DEX Test List Response - `DEXTestListResponse { data, enabled, interval, 5 more }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. - `"GET"` - `enabled: boolean` Determines whether or not the test is active. - `interval: string` How often the test will run. - `name: string` The name of the DEX test. Must be unique. - `description: optional string` Additional details about the test. - `target_policies: optional array of { id, default, name }` DEX rules targeted by this test - `id: string` API Resource UUID tag. - `default: optional boolean` Whether the DEX rule is the account default - `name: optional string` The name of the DEX rule - `targeted: optional boolean` - `test_id: optional string` The unique identifier for the test. ### DEX Test Get Response - `DEXTestGetResponse { data, enabled, interval, 5 more }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. - `"GET"` - `enabled: boolean` Determines whether or not the test is active. - `interval: string` How often the test will run. - `name: string` The name of the DEX test. Must be unique. - `description: optional string` Additional details about the test. 
- `target_policies: optional array of { id, default, name }` DEX rules targeted by this test - `id: string` API Resource UUID tag. - `default: optional boolean` Whether the DEX rule is the account default - `name: optional string` The name of the DEX rule - `targeted: optional boolean` - `test_id: optional string` The unique identifier for the test. ### DEX Test Create Response - `DEXTestCreateResponse { data, enabled, interval, 5 more }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. - `"GET"` - `enabled: boolean` Determines whether or not the test is active. - `interval: string` How often the test will run. - `name: string` The name of the DEX test. Must be unique. - `description: optional string` Additional details about the test. - `target_policies: optional array of { id, default, name }` DEX rules targeted by this test - `id: string` API Resource UUID tag. - `default: optional boolean` Whether the DEX rule is the account default - `name: optional string` The name of the DEX rule - `targeted: optional boolean` - `test_id: optional string` The unique identifier for the test. ### DEX Test Update Response - `DEXTestUpdateResponse { data, enabled, interval, 5 more }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. - `"GET"` - `enabled: boolean` Determines whether or not the test is active. - `interval: string` How often the test will run. - `name: string` The name of the DEX test. Must be unique. 
- `description: optional string` Additional details about the test. - `target_policies: optional array of { id, default, name }` DEX rules targeted by this test - `id: string` API Resource UUID tag. - `default: optional boolean` Whether the DEX rule is the account default - `name: optional string` The name of the DEX rule - `targeted: optional boolean` - `test_id: optional string` The unique identifier for the test. ### DEX Test Delete Response - `DEXTestDeleteResponse { dex_tests }` - `dex_tests: optional array of { data, enabled, interval, 5 more }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. - `"GET"` - `enabled: boolean` Determines whether or not the test is active. - `interval: string` How often the test will run. - `name: string` The name of the DEX test. Must be unique. - `description: optional string` Additional details about the test. - `target_policies: optional array of { id, default, name }` DEX rules targeted by this test - `id: string` API Resource UUID tag. - `default: optional boolean` Whether the DEX rule is the account default - `name: optional string` The name of the DEX rule - `targeted: optional boolean` - `test_id: optional string` The unique identifier for the test. # IP Profiles ## List IP profiles **get** `/accounts/{account_id}/devices/ip-profiles` Lists WARP Device IP profiles. ### Path Parameters - `account_id: string` ### Query Parameters - `per_page: optional number` The number of IP profiles to return per page. ### Returns - `errors: array of { code, message }` - `code: number` - `message: string` - `messages: array of { code, message }` - `code: number` - `message: string` - `result: array of IPProfile` - `id: string` The ID of the Device IP profile. 
  - `created_at: string` The RFC3339Nano timestamp when the Device IP profile was created.
  - `description: string` An optional description of the Device IP profile.
  - `enabled: boolean` Whether the Device IP profile is enabled.
  - `match: string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".
  - `name: string` A user-friendly name for the Device IP profile.
  - `precedence: number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field.
  - `subnet_id: string` The ID of the Subnet.
  - `updated_at: string` The RFC3339Nano timestamp when the Device IP profile was last updated.
- `success: boolean` Whether the API call was successful.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: number` Number of records in the response.
  - `page: number` The page number of the response.
  - `per_page: number` The limit for the number of records in the response.
  - `total_count: number` Total number of records available.
  - `total_pages: optional number` Total number of pages available.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/ip-profiles \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "created_at": "2025-02-14T13:17:00.123456789Z",
      "description": "example comment",
      "enabled": true,
      "match": "identity.email == \"test@cloudflare.com\"",
      "name": "IPv4 Cloudflare Source IPs",
      "precedence": 100,
      "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "updated_at": "2025-02-14T13:17:00.123456789Z"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 10,
    "total_count": 10,
    "total_pages": 1
  }
}
```

## Get IP profile

**get** `/accounts/{account_id}/devices/ip-profiles/{profile_id}`

Fetches a single WARP Device IP profile.

### Path Parameters

- `account_id: string`
- `profile_id: string`

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: IPProfile`
  - `id: string` The ID of the Device IP profile.
  - `created_at: string` The RFC3339Nano timestamp when the Device IP profile was created.
  - `description: string` An optional description of the Device IP profile.
  - `enabled: boolean` Whether the Device IP profile is enabled.
  - `match: string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".
  - `name: string` A user-friendly name for the Device IP profile.
  - `precedence: number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field.
  - `subnet_id: string` The ID of the Subnet.
  - `updated_at: string` The RFC3339Nano timestamp when the Device IP profile was last updated.
- `success: boolean` Whether the API call was successful.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/ip-profiles/$PROFILE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "created_at": "2025-02-14T13:17:00.123456789Z",
    "description": "example comment",
    "enabled": true,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "IPv4 Cloudflare Source IPs",
    "precedence": 100,
    "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2025-02-14T13:17:00.123456789Z"
  },
  "success": true
}
```

## Create IP profile

**post** `/accounts/{account_id}/devices/ip-profiles`

Creates a WARP Device IP profile. Currently, only IPv4 Device subnets can be associated.

### Path Parameters

- `account_id: string`

### Body Parameters

- `match: string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".
- `name: string` A user-friendly name for the Device IP profile.
- `precedence: number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field.
- `subnet_id: string` The ID of the Subnet.
- `description: optional string` An optional description of the Device IP profile.
- `enabled: optional boolean` Whether the Device IP profile will be applied to matching devices.

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: IPProfile`
  - `id: string` The ID of the Device IP profile.
  - `created_at: string` The RFC3339Nano timestamp when the Device IP profile was created.
  - `description: string` An optional description of the Device IP profile.
  - `enabled: boolean` Whether the Device IP profile is enabled.
  - `match: string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".
  - `name: string` A user-friendly name for the Device IP profile.
  - `precedence: number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field.
  - `subnet_id: string` The ID of the Subnet.
  - `updated_at: string` The RFC3339Nano timestamp when the Device IP profile was last updated.
- `success: boolean` Whether the API call was successful.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/ip-profiles \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "IPv4 Cloudflare Source IPs",
    "precedence": 100,
    "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "description": "example comment",
    "enabled": true
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "created_at": "2025-02-14T13:17:00.123456789Z",
    "description": "example comment",
    "enabled": true,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "IPv4 Cloudflare Source IPs",
    "precedence": 100,
    "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2025-02-14T13:17:00.123456789Z"
  },
  "success": true
}
```

## Update IP profile

**patch** `/accounts/{account_id}/devices/ip-profiles/{profile_id}`

Updates a WARP Device IP profile. Currently, only IPv4 Device subnets can be associated.

### Path Parameters

- `account_id: string`
- `profile_id: string`

### Body Parameters

- `description: optional string` An optional description of the Device IP profile.
- `enabled: optional boolean` Whether the Device IP profile is enabled.
- `match: optional string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".
- `name: optional string` A user-friendly name for the Device IP profile.
- `precedence: optional number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field.
- `subnet_id: optional string` The ID of the Subnet.

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: IPProfile`
  - `id: string` The ID of the Device IP profile.
  - `created_at: string` The RFC3339Nano timestamp when the Device IP profile was created.
  - `description: string` An optional description of the Device IP profile.
  - `enabled: boolean` Whether the Device IP profile is enabled.
  - `match: string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".
  - `name: string` A user-friendly name for the Device IP profile.
  - `precedence: number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field.
  - `subnet_id: string` The ID of the Subnet.
  - `updated_at: string` The RFC3339Nano timestamp when the Device IP profile was last updated.
- `success: boolean` Whether the API call was successful.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/ip-profiles/$PROFILE_ID \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "description": "example comment",
    "enabled": true,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "IPv4 Cloudflare Source IPs",
    "precedence": 100,
    "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "created_at": "2025-02-14T13:17:00.123456789Z",
    "description": "example comment",
    "enabled": true,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "IPv4 Cloudflare Source IPs",
    "precedence": 100,
    "subnet_id": "b70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2025-02-14T13:17:00.123456789Z"
  },
  "success": true
}
```

## Delete IP profile

**delete** `/accounts/{account_id}/devices/ip-profiles/{profile_id}`

Deletes a WARP Device IP profile.

### Path Parameters

- `account_id: string`
- `profile_id: string`

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: { id }`
  - `id: optional string` ID of the deleted Device IP profile.
- `success: boolean` Whether the API call was successful.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/ip-profiles/$PROFILE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Domain Types

### IP Profile

- `IPProfile { id, created_at, description, 6 more }`
  - `id: string` The ID of the Device IP profile.
  - `created_at: string` The RFC3339Nano timestamp when the Device IP profile was created.
  - `description: string` An optional description of the Device IP profile.
  - `enabled: boolean` Whether the Device IP profile is enabled.
  - `match: string` The wirefilter expression to match registrations. Available values: "identity.name", "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.saml_attributes".
  - `name: string` A user-friendly name for the Device IP profile.
  - `precedence: number` The precedence of the Device IP profile. Lower values indicate higher precedence. Device IP profiles are evaluated in ascending order of this field.
  - `subnet_id: string` The ID of the Subnet.
  - `updated_at: string` The RFC3339Nano timestamp when the Device IP profile was last updated.

### IP Profile Delete Response

- `IPProfileDeleteResponse { id }`
  - `id: optional string` ID of the deleted Device IP profile.

# Networks

## List your device managed networks

**get** `/accounts/{account_id}/devices/networks`

Fetches a list of managed networks for an account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of DeviceNetwork`
  - `config: optional { tls_sockaddr, sha256 }` The configuration object containing information for the WARP client to detect the managed network.
    - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.
    - `sha256: optional string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc.) will be used to validate the certificate.
  - `name: optional string` The name of the device managed network. This name must be unique.
  - `network_id: optional string` API UUID.
  - `type: optional "tls"` The type of device managed network.
    - `"tls"`
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/networks \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "config": {
        "tls_sockaddr": "foo.bar:1234",
        "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"
      },
      "name": "managed-network-1",
      "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "type": "tls"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get device managed network details

**get** `/accounts/{account_id}/devices/networks/{network_id}`

Fetches details for a single managed network.

### Path Parameters

- `account_id: string`
- `network_id: string` API UUID.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: DeviceNetwork`
  - `config: optional { tls_sockaddr, sha256 }` The configuration object containing information for the WARP client to detect the managed network.
    - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.
    - `sha256: optional string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc.) will be used to validate the certificate.
  - `name: optional string` The name of the device managed network. This name must be unique.
  - `network_id: optional string` API UUID.
  - `type: optional "tls"` The type of device managed network.
    - `"tls"`
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/networks/$NETWORK_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "config": {
      "tls_sockaddr": "foo.bar:1234",
      "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"
    },
    "name": "managed-network-1",
    "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "type": "tls"
  },
  "success": true
}
```

## Create a device managed network

**post** `/accounts/{account_id}/devices/networks`

Creates a new device managed network.
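Whether the WARP client recognises a managed network by one specific certificate or by ordinary chain validation depends on `config.sha256`, so the value is worth computing and checking rather than typing by hand. The helpers below are an added example, not Cloudflare's own code: they derive the pin from a PEM certificate, build this endpoint's request body, and flag listed networks that carry no pin. The pin encoding (hex SHA-256 over the DER certificate, as `openssl x509 -fingerprint -sha256` prints it with the colons removed), the helper names and the sample data are assumptions and constructions of this example.

```python
"""Helpers for the `config` object of a device managed network.

Added example, not Cloudflare's own code. Assumptions (labelled):
- `config.sha256` is the lower-case hex SHA-256 digest of the DER-encoded
  leaf certificate, i.e. what `openssl x509 -noout -fingerprint -sha256`
  prints with the colons removed. This page does not state the encoding.
- `fetch_server_cert_pem` is a hypothetical helper wrapping
  `ssl.get_server_certificate`; nothing here calls it automatically.
"""
import base64
import hashlib
import re
import ssl
from typing import Optional

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour of the first CERTIFICATE block and decode its
    base64 body to DER bytes. Raises ValueError if there is no block."""
    body = []
    inside = False
    for line in pem.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            inside = True
            continue
        if line == "-----END CERTIFICATE-----":
            break
        if inside and line:
            body.append(line)
    if not inside or not body:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(body), validate=True)


def cert_sha256_from_pem(pem: str) -> str:
    """Hex SHA-256 over the DER certificate (assumed `sha256` pin format)."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def fetch_server_cert_pem(tls_sockaddr: str) -> str:
    """Hypothetical helper: fetch the leaf certificate the host at
    `host:port` presents, as PEM. Does network I/O, so an operator calls
    it explicitly; the offline sample below never does."""
    host, _, port = tls_sockaddr.rpartition(":")
    return ssl.get_server_certificate((host, int(port)))


def managed_network_body(name: str, tls_sockaddr: str,
                         sha256: Optional[str]) -> dict:
    """Build the body for POST /accounts/{account_id}/devices/networks.
    A malformed pin is rejected rather than sent, so a typo cannot quietly
    produce a network that is matched on plain chain validation only."""
    if ":" not in tls_sockaddr:
        raise ValueError("tls_sockaddr must be of the form host:port")
    config = {"tls_sockaddr": tls_sockaddr}
    if sha256 is not None:
        # Accept the colon-separated openssl fingerprint form as well.
        sha256 = sha256.replace(":", "").lower()
        if not HEX_SHA256.match(sha256):
            raise ValueError("sha256 must be a 64-character hex digest")
        config["sha256"] = sha256
    return {"config": config, "name": name, "type": "tls"}


def unpinned_networks(result: list) -> list:
    """Names of managed networks whose config carries no `sha256` pin, i.e.
    whose detection falls back to regular certificate verification, as the
    `sha256` field description on this page states. Input is the `result`
    array of the List endpoint."""
    return [n.get("name", "<unnamed>") for n in result
            if not (n.get("config") or {}).get("sha256")]


# Constructed sample mirroring the List response on this page, plus a
# second, invented network without a pin (sample data, not real hosts).
SAMPLE_RESULT = [
    {"config": {"tls_sockaddr": "foo.bar:1234",
                "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"},
     "name": "managed-network-1",
     "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
     "type": "tls"},
    {"config": {"tls_sockaddr": "foo.bar:4443"},
     "name": "managed-network-2",
     "network_id": "00000000-0000-4000-8000-000000000000",
     "type": "tls"},
]

if __name__ == "__main__":
    print(unpinned_networks(SAMPLE_RESULT))  # ['managed-network-2']
```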
### Path Parameters

- `account_id: string`

### Body Parameters

- `config: { tls_sockaddr, sha256 }` The configuration object containing information for the WARP client to detect the managed network.
  - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.
  - `sha256: optional string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc.) will be used to validate the certificate.
- `name: string` The name of the device managed network. This name must be unique.
- `type: "tls"` The type of device managed network.
  - `"tls"`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: DeviceNetwork`
  - `config: optional { tls_sockaddr, sha256 }` The configuration object containing information for the WARP client to detect the managed network.
    - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.
    - `sha256: optional string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc.) will be used to validate the certificate.
  - `name: optional string` The name of the device managed network. This name must be unique.
  - `network_id: optional string` API UUID.
  - `type: optional "tls"` The type of device managed network.
    - `"tls"`
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/networks \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "config": {
      "tls_sockaddr": "foo.bar:1234",
      "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"
    },
    "name": "managed-network-1",
    "type": "tls"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "config": {
      "tls_sockaddr": "foo.bar:1234",
      "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"
    },
    "name": "managed-network-1",
    "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "type": "tls"
  },
  "success": true
}
```

## Update a device managed network

**put** `/accounts/{account_id}/devices/networks/{network_id}`

Updates a configured device managed network.

### Path Parameters

- `account_id: string`
- `network_id: string` API UUID.

### Body Parameters

- `config: optional { tls_sockaddr, sha256 }` The configuration object containing information for the WARP client to detect the managed network.
  - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.
  - `sha256: optional string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc.) will be used to validate the certificate.
- `name: optional string` The name of the device managed network. This name must be unique.
- `type: optional "tls"` The type of device managed network.
  - `"tls"`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: DeviceNetwork`
  - `config: optional { tls_sockaddr, sha256 }` The configuration object containing information for the WARP client to detect the managed network.
    - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.
    - `sha256: optional string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc.) will be used to validate the certificate.
  - `name: optional string` The name of the device managed network. This name must be unique.
  - `network_id: optional string` API UUID.
  - `type: optional "tls"` The type of device managed network.
    - `"tls"`
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/networks/$NETWORK_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "config": {
      "tls_sockaddr": "foo.bar:1234",
      "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"
    },
    "name": "managed-network-1",
    "type": "tls"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "config": {
      "tls_sockaddr": "foo.bar:1234",
      "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"
    },
    "name": "managed-network-1",
    "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "type": "tls"
  },
  "success": true
}
```

## Delete a device managed network

**delete** `/accounts/{account_id}/devices/networks/{network_id}`

Deletes a device managed network and fetches a list of the remaining device managed networks for an account.

### Path Parameters

- `account_id: string`
- `network_id: string` API UUID.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of DeviceNetwork`
  - `config: optional { tls_sockaddr, sha256 }` The configuration object containing information for the WARP client to detect the managed network.
    - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.
    - `sha256: optional string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc.) will be used to validate the certificate.
  - `name: optional string` The name of the device managed network. This name must be unique.
  - `network_id: optional string` API UUID.
  - `type: optional "tls"` The type of device managed network.
    - `"tls"`
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/networks/$NETWORK_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "config": {
        "tls_sockaddr": "foo.bar:1234",
        "sha256": "b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c"
      },
      "name": "managed-network-1",
      "network_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "type": "tls"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### Device Network

- `DeviceNetwork { config, name, network_id, type }`
  - `config: optional { tls_sockaddr, sha256 }` The configuration object containing information for the WARP client to detect the managed network.
    - `tls_sockaddr: string` A network address of the form "host:port" that the WARP client will use to detect the presence of a TLS host.
    - `sha256: optional string` The SHA-256 hash of the TLS certificate presented by the host found at tls_sockaddr. If absent, regular certificate verification (trusted roots, valid timestamp, etc.) will be used to validate the certificate.
  - `name: optional string` The name of the device managed network. This name must be unique.
  - `network_id: optional string` API UUID.
  - `type: optional "tls"` The type of device managed network.
    - `"tls"`

# Fleet Status

## Get the latest live status of a device

**get** `/accounts/{account_id}/dex/devices/{device_id}/fleet-status/live`

Get the latest live status of a device, given its `device_id`, from the device_state table.

### Path Parameters

- `account_id: string`
- `device_id: string` Device-specific ID, given as UUID v4.

### Query Parameters

- `since_minutes: number` Number of minutes before current time.
- `colo: optional string` List of data centers to filter results.
- `time_now: optional string` Number of minutes before current time.

### Returns

- `colo: string` Cloudflare colo.
- `deviceId: string` Device identifier (UUID v4).
- `mode: string` The mode under which the WARP client is run.
- `platform: string` Operating system.
- `status: string` Network status.
- `timestamp: string` Timestamp in ISO format.
- `version: string` WARP client version.
- `alwaysOn: optional boolean`
- `batteryCharging: optional boolean`
- `batteryCycles: optional number`
- `batteryPct: optional number`
- `connectionType: optional string`
- `cpuPct: optional number`
- `cpuPctByApp: optional array of array of { cpu_pct, name }`
  - `cpu_pct: optional number`
  - `name: optional string`
- `deviceIpv4: optional { address, asn, aso, 3 more }`
  - `address: optional string`
  - `asn: optional number`
  - `aso: optional string`
  - `location: optional { city, country_iso, state_iso, zip }`
    - `city: optional string`
    - `country_iso: optional string`
    - `state_iso: optional string`
    - `zip: optional string`
  - `netmask: optional string`
  - `version: optional string`
- `deviceIpv6: optional { address, asn, aso, 3 more }`
  - `address: optional string`
  - `asn: optional number`
  - `aso: optional string`
  - `location: optional { city, country_iso, state_iso, zip }`
    - `city: optional string`
    - `country_iso: optional string`
    - `state_iso: optional string`
    - `zip: optional string`
  - `netmask: optional string`
  - `version: optional string`
- `deviceName: optional string` Device identifier (human readable).
- `diskReadBps: optional number`
- `diskUsagePct: optional number`
- `diskWriteBps: optional number`
- `dohSubdomain: optional string`
- `estimatedLossPct: optional number`
- `firewallEnabled: optional boolean`
- `gatewayIpv4: optional { address, asn, aso, 3 more }`
  - `address: optional string`
  - `asn: optional number`
  - `aso: optional string`
  - `location: optional { city, country_iso, state_iso, zip }`
    - `city: optional string`
    - `country_iso: optional string`
    - `state_iso: optional string`
    - `zip: optional string`
  - `netmask: optional string`
  - `version: optional string`
- `gatewayIpv6: optional { address, asn, aso, 3 more }`
  - `address: optional string`
  - `asn: optional number`
  - `aso: optional string`
  - `location: optional { city, country_iso, state_iso, zip }`
    - `city: optional string`
    - `country_iso: optional string`
    - `state_iso: optional string`
    - `zip: optional string`
  - `netmask: optional string`
  - `version: optional string`
- `handshakeLatencyMs: optional number`
- `ispIpv4: optional { address, asn, aso, 3 more }`
  - `address: optional string`
  - `asn: optional number`
  - `aso: optional string`
  - `location: optional { city, country_iso, state_iso, zip }`
    - `city: optional string`
    - `country_iso: optional string`
    - `state_iso: optional string`
    - `zip: optional string`
  - `netmask: optional string`
  - `version: optional string`
- `ispIpv6: optional { address, asn, aso, 3 more }`
  - `address: optional string`
  - `asn: optional number`
  - `aso: optional string`
  - `location: optional { city, country_iso, state_iso, zip }`
    - `city: optional string`
    - `country_iso: 
optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `metal: optional string` - `networkRcvdBps: optional number` - `networkSentBps: optional number` - `networkSsid: optional string` - `personEmail: optional string` User contact email address - `ramAvailableKb: optional number` - `ramUsedPct: optional number` - `ramUsedPctByApp: optional array of array of { name, ram_used_pct }` - `name: optional string` - `ram_used_pct: optional number` - `switchLocked: optional boolean` - `wifiStrengthDbm: optional number` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/devices/$DEVICE_ID/fleet-status/live \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "colo": "SJC", "deviceId": "deviceId", "mode": "proxy", "platform": "windows", "status": "connected", "timestamp": "2023-10-11T00:00:00Z", "version": "1.0.0", "alwaysOn": true, "batteryCharging": true, "batteryCycles": 0, "batteryPct": 0, "connectionType": "connectionType", "cpuPct": 0, "cpuPctByApp": [ [ { "cpu_pct": 0, "name": "name" } ] ], "deviceIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "deviceIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "deviceName": "deviceName", "diskReadBps": 0, "diskUsagePct": 0, "diskWriteBps": 0, "dohSubdomain": "dohSubdomain", "estimatedLossPct": 0, "firewallEnabled": true, "gatewayIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "gatewayIpv6": { "address": "address", "asn": 0, "aso": "aso", 
"location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "handshakeLatencyMs": 0, "ispIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "ispIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "metal": "metal", "networkRcvdBps": 0, "networkSentBps": 0, "networkSsid": "networkSsid", "personEmail": "personEmail", "ramAvailableKb": 0, "ramUsedPct": 0, "ramUsedPctByApp": [ [ { "name": "name", "ram_used_pct": 0 } ] ], "switchLocked": true, "wifiStrengthDbm": 0 } ``` ## Domain Types ### Fleet Status Get Response - `FleetStatusGetResponse { colo, deviceId, mode, 35 more }` - `colo: string` Cloudflare colo - `deviceId: string` Device identifier (UUID v4) - `mode: string` The mode under which the WARP client is run - `platform: string` Operating system - `status: string` Network status - `timestamp: string` Timestamp in ISO format - `version: string` WARP client version - `alwaysOn: optional boolean` - `batteryCharging: optional boolean` - `batteryCycles: optional number` - `batteryPct: optional number` - `connectionType: optional string` - `cpuPct: optional number` - `cpuPctByApp: optional array of array of { cpu_pct, name }` - `cpu_pct: optional number` - `name: optional string` - `deviceIpv4: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `deviceIpv6: optional { address, asn, aso, 3 
more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `deviceName: optional string` Device identifier (human readable) - `diskReadBps: optional number` - `diskUsagePct: optional number` - `diskWriteBps: optional number` - `dohSubdomain: optional string` - `estimatedLossPct: optional number` - `firewallEnabled: optional boolean` - `gatewayIpv4: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `gatewayIpv6: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `handshakeLatencyMs: optional number` - `ispIpv4: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `ispIpv6: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - 
`state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `metal: optional string` - `networkRcvdBps: optional number` - `networkSentBps: optional number` - `networkSsid: optional string` - `personEmail: optional string` User contact email address - `ramAvailableKb: optional number` - `ramUsedPct: optional number` - `ramUsedPctByApp: optional array of array of { name, ram_used_pct }` - `name: optional string` - `ram_used_pct: optional number` - `switchLocked: optional boolean` - `wifiStrengthDbm: optional number` # Policies ## Domain Types ### Device Policy Certificates - `DevicePolicyCertificates { enabled }` - `enabled: boolean` The current status of the device policy certificate provisioning feature for WARP clients. ### Fallback Domain - `FallbackDomain { suffix, description, dns_server }` - `suffix: string` The domain suffix to match when resolving locally. - `description: optional string` A description of the fallback domain, displayed in the client UI. - `dns_server: optional array of string` A list of IP addresses to handle domain resolution. ### Fallback Domain Policy - `FallbackDomainPolicy = array of FallbackDomain` - `suffix: string` The domain suffix to match when resolving locally. - `description: optional string` A description of the fallback domain, displayed in the client UI. - `dns_server: optional array of string` A list of IP addresses to handle domain resolution. ### Settings Policy - `SettingsPolicy { allow_mode_switch, allow_updates, allowed_to_leave, 24 more }` - `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes. - `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available. - `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization. - `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled. 
  - `captive_portal: optional number` Turn on the captive portal after the specified amount of time.
  - `default: optional boolean` Whether the policy is the default policy for an account.
  - `description: optional string` A description of the policy.
  - `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: optional boolean` Whether the policy will be applied to matching devices.
  - `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: optional array of FallbackDomain`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description: optional string` A description of the fallback domain, displayed in the client UI.
    - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: optional string`
  - `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes: optional number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size: optional number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match: optional string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name: optional string` The name of the device settings profile.
  - `policy_id: optional string`
  - `precedence: optional number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
  - `service_mode_v2: optional { mode, port }`
    - `mode: optional string` The mode to run the WARP client under.
    - `port: optional number` The port number when used with proxy mode.
  - `support_url: optional string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `target_tests: optional array of { id, name }`
    - `id: optional string` The id of the DEX test targeting this policy.
    - `name: optional string` The name of the DEX test targeting this policy.
  - `tunnel_protocol: optional string` Determines which tunnel protocol to use.

### Split Tunnel Exclude

- `SplitTunnelExclude = { address, description } or { host, description }`
  - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.

### Split Tunnel Include

- `SplitTunnelInclude = { address, description } or { host, description }`
  - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.

# Default

## Get the default device settings profile

**get** `/accounts/{account_id}/devices/policy`

Fetches the default device settings profile for an account.
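The split tunnel constraints stated in the domain types above (exactly one of `address` or `host` per item, `address` in CIDR form) and the rule for the PATCH endpoint below that `exclude` and `include` cannot both be set in one request are easy to violate in hand-built JSON, and a wrong exclusion silently changes what traffic leaves the tunnel. This added example, not Cloudflare's code, checks a PATCH body for the default profile against the rules documented on this page before it is sent; the default-route check and the sample bodies are this example's own.

```python
"""Client-side validation of a PATCH /accounts/{account_id}/devices/policy body.

Added example, not Cloudflare's own code. It encodes the constraints the
reference states for the default device settings profile. Sample bodies in
the test and at the bottom are constructed.
"""
import ipaddress

# Body parameters documented for the PATCH endpoint on this page; anything
# else is most likely a typo that the API would ignore or reject.
ALLOWED_KEYS = {
    "allow_mode_switch", "allow_updates", "allowed_to_leave", "auto_connect",
    "captive_portal", "disable_auto_fallback", "exclude", "exclude_office_ips",
    "include", "lan_allow_minutes", "lan_allow_subnet_size",
    "register_interface_ip_with_dns", "sccm_vpn_boundary_support",
    "service_mode_v2", "support_url", "switch_locked", "tunnel_protocol",
}


def validate_split_tunnel_item(item, where):
    """Check one SplitTunnelExclude / SplitTunnelInclude entry."""
    errors = []
    has_address = "address" in item
    has_host = "host" in item
    # The reference: if `address` is present, `host` must not be, and vice versa.
    if has_address == has_host:
        errors.append(f"{where}: exactly one of 'address' or 'host' must be present")
    if has_address:
        try:
            net = ipaddress.ip_network(item["address"], strict=True)
        except ValueError as exc:
            errors.append(f"{where}: 'address' is not valid CIDR ({exc})")
        else:
            # Excluding the default route sends all traffic outside the tunnel;
            # treating that as an error is this example's own policy choice.
            if where.startswith("exclude") and net.prefixlen == 0:
                errors.append(f"{where}: excluding {net} bypasses the tunnel for all traffic")
    if has_host and (not isinstance(item["host"], str) or not item["host"].strip()):
        errors.append(f"{where}: 'host' must be a non-empty domain name")
    return errors


def validate_profile_patch(body):
    """Return a list of problems; an empty list means the body passes."""
    errors = []
    unknown = sorted(set(body) - ALLOWED_KEYS)
    if unknown:
        errors.append(f"unknown body parameters: {', '.join(unknown)}")
    # The reference: both 'exclude' and 'include' cannot be set in the same request.
    if "exclude" in body and "include" in body:
        errors.append("'exclude' and 'include' cannot both be set in the same request")
    for key in ("exclude", "include"):
        for i, item in enumerate(body.get(key) or []):
            errors.extend(validate_split_tunnel_item(item, f"{key}[{i}]"))
    mode = body.get("service_mode_v2") or {}
    port = mode.get("port")
    if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
        errors.append("service_mode_v2.port must be an integer in 1..65535")
    # Durations documented as numbers of seconds or minutes must not be negative.
    for key in ("auto_connect", "captive_portal", "lan_allow_minutes"):
        value = body.get(key)
        if value is not None and (
            isinstance(value, bool) or not isinstance(value, (int, float)) or value < 0
        ):
            errors.append(f"{key} must be a non-negative number")
    return errors


if __name__ == "__main__":
    # Constructed body mirroring the page's PATCH example, plus one bad item.
    candidate = {
        "captive_portal": 180,
        "lan_allow_minutes": 30,
        "lan_allow_subnet_size": 24,
        "switch_locked": True,
        "tunnel_protocol": "wireguard",
        "exclude": [{"address": "192.0.2.1/24", "description": "host bits set"}],
    }
    for problem in validate_profile_patch(candidate):
        print("refusing to send:", problem)
```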
### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: { allow_mode_switch, allow_updates, allowed_to_leave, 16 more }`
  - `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization.
  - `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: optional number` Turn on the captive portal after the specified amount of time.
  - `default: optional boolean` Whether the policy is the default policy for an account.
  - `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: optional boolean` Whether the policy will be applied to matching devices.
  - `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: optional array of FallbackDomain`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description: optional string` A description of the fallback domain, displayed in the client UI.
    - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: optional string`
  - `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
  - `service_mode_v2: optional { mode, port }`
    - `mode: optional string` The mode to run the WARP client under.
    - `port: optional number` The port number when used with proxy mode.
  - `support_url: optional string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol: optional string` Determines which tunnel protocol to use.
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": true,
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Update the default device settings profile

**patch** `/accounts/{account_id}/devices/policy`

Updates the default device settings profile for an account.

### Path Parameters

- `account_id: string`

### Body Parameters

- `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes.
- `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available.
- `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization.
- `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled.
- `captive_portal: optional number` Turn on the captive portal after the specified amount of time.
- `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
- `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel. `exclude` and `include` cannot both be set in the same request.
  - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
- `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
- `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel. `exclude` and `include` cannot both be set in the same request.
  - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
- `lan_allow_minutes: optional number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
- `lan_allow_subnet_size: optional number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
- `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
- `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
- `service_mode_v2: optional { mode, port }`
  - `mode: optional string` The mode to run the WARP client under.
  - `port: optional number` The port number when used with proxy mode.
- `support_url: optional string` The URL to launch when the Send Feedback button is clicked.
- `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
- `tunnel_protocol: optional string` Determines which tunnel protocol to use.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: { allow_mode_switch, allow_updates, allowed_to_leave, 16 more }`
  - `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization.
  - `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: optional number` Turn on the captive portal after the specified amount of time.
  - `default: optional boolean` Whether the policy is the default policy for an account.
  - `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: optional boolean` Whether the policy will be applied to matching devices.
  - `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: optional array of FallbackDomain`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description: optional string` A description of the fallback domain, displayed in the client UI.
    - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: optional string`
  - `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
  - `service_mode_v2: optional { mode, port }`
    - `mode: optional string` The mode to run the WARP client under.
    - `port: optional number` The port number when used with proxy mode.
  - `support_url: optional string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol: optional string` Determines which tunnel protocol to use.
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "captive_portal": 180,
    "disable_auto_fallback": true,
    "exclude_office_ips": true,
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "register_interface_ip_with_dns": true,
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "tunnel_protocol": "wireguard"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": true,
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Domain Types

### Default Get Response

- `DefaultGetResponse { allow_mode_switch, allow_updates, allowed_to_leave, 16 more }`
  - `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization.
  - `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: optional number` Turn on the captive portal after the specified amount of time.
  - `default: optional boolean` Whether the policy is the default policy for an account.
  - `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: optional boolean` Whether the policy will be applied to matching devices.
  - `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: optional array of FallbackDomain`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description: optional string` A description of the fallback domain, displayed in the client UI.
    - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: optional string`
  - `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary (Windows only).
  - `service_mode_v2: optional { mode, port }`
    - `mode: optional string` The mode to run the WARP client under.
    - `port: optional number` The port number when used with proxy mode.
  - `support_url: optional string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `tunnel_protocol: optional string` Determines which tunnel protocol to use.

### Default Edit Response

- `DefaultEditResponse { allow_mode_switch, allow_updates, allowed_to_leave, 16 more }`
  - `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization.
  - `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: optional number` Turn on the captive portal after the specified amount of time.
  - `default: optional boolean` Whether the policy is the default policy for an account.
  - `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: optional boolean` Whether the policy will be applied to matching devices.
  - `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: optional array of FallbackDomain`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description: optional string` A description of the fallback domain, displayed in the client UI.
    - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: optional string`
  - `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to include in the tunnel.
If `address` is present, `host` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }` - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server. - `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only). - `service_mode_v2: optional { mode, port }` - `mode: optional string` The mode to run the WARP client under. - `port: optional number` The port number when used with proxy mode. - `support_url: optional string` The URL to launch when the Send Feedback button is clicked. - `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client. - `tunnel_protocol: optional string` Determines which tunnel protocol to use. # Excludes ## Get the Split Tunnel exclude list **get** `/accounts/{account_id}/devices/policy/exclude` Fetches the list of routes excluded from the WARP client's tunnel. ### Path Parameters - `account_id: string` ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: array of SplitTunnelExclude` - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }` - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. 
- `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }` - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `success: true` Whether the API call was successful. - `true` - `result_info: optional { count, page, per_page, total_count }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/exclude \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Set the Split Tunnel exclude list **put** `/accounts/{account_id}/devices/policy/exclude` Sets the list of routes excluded from the WARP client's tunnel. ### Path Parameters - `account_id: string` ### Body Parameters - `body: array of SplitTunnelExclude` - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }` - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. 
- `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }` - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: array of SplitTunnelExclude` - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }` - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }` - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `success: true` Whether the API call was successful. - `true` - `result_info: optional { count, page, per_page, total_count }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/exclude \ -X PUT \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '[ { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" } ]' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # Includes ## Get the Split Tunnel include list **get** `/accounts/{account_id}/devices/policy/include` Fetches the list of routes included in the WARP client's tunnel. ### Path Parameters - `account_id: string` ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: array of SplitTunnelInclude` - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }` - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }` - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. 
- `success: true` Whether the API call was successful. - `true` - `result_info: optional { count, page, per_page, total_count }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/include \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Set the Split Tunnel include list **put** `/accounts/{account_id}/devices/policy/include` Sets the list of routes included in the WARP client's tunnel. ### Path Parameters - `account_id: string` ### Body Parameters - `body: array of SplitTunnelInclude` - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }` - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }` - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. 
### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: array of SplitTunnelInclude` - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }` - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }` - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `success: true` Whether the API call was successful. - `true` - `result_info: optional { count, page, per_page, total_count }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. 
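Both `PUT .../devices/policy/exclude` and `PUT .../devices/policy/include` take a bare JSON array and replace the whole list with it, and each entry must carry exactly one of `address` or `host`. A malformed entry is rejected by the API, but an entry that is well-formed and still wrong (an exclude of `0.0.0.0/0`, two CIDRs that overlap) is accepted and silently changes what traffic Gateway sees. The Python below is an added example, not Cloudflare's code or SDK: it validates a list against the documented shape, refuses an exclude list that routes everything outside the tunnel, flags overlapping or duplicate entries, and builds the PUT request with `urllib` without sending it. The sample entries, the RFC 1123 hostname rule and the tolerance of a leading `*.` label are assumptions of this example; the page does not define the host syntax.

```python
"""Validate a Split Tunnel exclude or include list and build the PUT request.

Added example, not Cloudflare's code or SDK. It follows only the entry shape
documented on this page (exactly one of `address` or `host`, optional
`description`); the sample entries and the wildcard handling are assumptions.
"""
import ipaddress
import json
import re
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with
# a hyphen (RFC 1123 hostname rules; an assumption, the page defines no syntax).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _valid_host(host):
    """Hostname check; a leading '*.' wildcard label is tolerated (assumption)."""
    host = host.rstrip(".")
    if not host or len(host) > 253:
        return False
    labels = host.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return bool(labels) and all(_LABEL.match(label) for label in labels)


def validate_entries(entries, kind):
    """Return the problems found in a Split Tunnel list; [] means it is safe to PUT.

    kind is "exclude" or "include", matching the endpoint that will be called.
    """
    if kind not in ("exclude", "include"):
        raise ValueError("kind must be 'exclude' or 'include'")
    problems = []
    nets = []        # (index, network) of accepted address entries, for overlap checks
    hosts = set()
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            problems.append(f"[{i}] entry is not a JSON object")
            continue
        has_addr, has_host = "address" in entry, "host" in entry
        if has_addr == has_host:          # neither field, or both
            problems.append(f"[{i}] exactly one of 'address' or 'host' is required")
            continue
        unknown = set(entry) - {"address", "host", "description"}
        if unknown:
            problems.append(f"[{i}] unknown fields {sorted(unknown)}")
        if has_host:
            host = str(entry["host"]).lower()
            if not _valid_host(host):
                problems.append(f"[{i}] invalid host {entry['host']!r}")
            elif host in hosts:
                problems.append(f"[{i}] duplicate host {host!r}")
            hosts.add(host)
            continue
        try:
            # strict=True rejects host bits set below the prefix (e.g. 192.0.2.1/24)
            net = ipaddress.ip_network(str(entry["address"]), strict=True)
        except ValueError as exc:
            problems.append(f"[{i}] invalid CIDR {entry['address']!r}: {exc}")
            continue
        # Excluding a /0 sends every packet outside the tunnel. Including a /0
        # is the ordinary "all traffic" configuration, so only excludes are checked.
        if kind == "exclude" and net.prefixlen == 0:
            problems.append(f"[{i}] excluding {net} routes all traffic outside the tunnel")
        for j, other in nets:
            if other.version == net.version and (
                    other.supernet_of(net) or net.supernet_of(other)):
                problems.append(f"[{i}] {net} overlaps entry [{j}] {other}")
        nets.append((i, net))
    return problems


def build_put_request(account_id, token, kind, entries):
    """Build, without sending, the PUT that replaces the exclude or include list.

    PUT replaces the whole list, so `entries` must be the complete desired list.
    """
    problems = validate_entries(entries, kind)
    if problems:
        raise ValueError("refusing to PUT an invalid list: " + "; ".join(problems))
    url = f"{API_BASE}/accounts/{account_id}/devices/policy/{kind}"
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {token}"}
    return urllib.request.Request(url, data=json.dumps(entries).encode(),
                                  headers=headers, method="PUT")


# Constructed sample list for this example (not taken from the page).
SAMPLE_EXCLUDE = [
    {"address": "192.0.2.0/24", "description": "Exclude testing range from the tunnel"},
    {"host": "printer.corp.example", "description": "Local print server"},
]

if __name__ == "__main__":
    req = build_put_request("ACCOUNT_ID", "TOKEN", "exclude", SAMPLE_EXCLUDE)
    print(req.get_method(), req.full_url)
    # To actually apply the list: urllib.request.urlopen(req)
```

Run the validator against the current list (from the GET endpoint) before every PUT; the overlap check is what catches the common mistake of appending a narrower route that an existing entry already covers.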
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/include \ -X PUT \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '[ { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" } ]' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # Fallback Domains ## Get your Local Domain Fallback list **get** `/accounts/{account_id}/devices/policy/fallback_domains` Fetches a list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. ### Path Parameters - `account_id: string` ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: array of FallbackDomain` - `suffix: string` The domain suffix to match when resolving locally. - `description: optional string` A description of the fallback domain, displayed in the client UI. - `dns_server: optional array of string` A list of IP addresses to handle domain resolution. - `success: true` Whether the API call was successful. - `true` - `result_info: optional { count, page, per_page, total_count }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. 
- `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/fallback_domains \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Set your Local Domain Fallback list **put** `/accounts/{account_id}/devices/policy/fallback_domains` Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. ### Path Parameters - `account_id: string` ### Body Parameters - `domains: array of FallbackDomain` - `suffix: string` The domain suffix to match when resolving locally. - `description: optional string` A description of the fallback domain, displayed in the client UI. - `dns_server: optional array of string` A list of IP addresses to handle domain resolution. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: array of FallbackDomain` - `suffix: string` The domain suffix to match when resolving locally. - `description: optional string` A description of the fallback domain, displayed in the client UI. 
- `dns_server: optional array of string` A list of IP addresses to handle domain resolution. - `success: true` Whether the API call was successful. - `true` - `result_info: optional { count, page, per_page, total_count }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/fallback_domains \ -X PUT \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '[ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ]' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` # Certificates ## Get device certificate provisioning status **get** `/zones/{zone_id}/devices/policy/certificates` Fetches device certificate provisioning. 
### Path Parameters - `zone_id: string` ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: DevicePolicyCertificates` - `enabled: boolean` The current status of the device policy certificate provisioning feature for WARP clients. - `success: true` Whether the API call was successful. - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/devices/policy/certificates \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "enabled": true }, "success": true } ``` ## Update device certificate provisioning status **patch** `/zones/{zone_id}/devices/policy/certificates` Enable Zero Trust Clients to provision a certificate, containing a x509 subject, and referenced by Access device posture policies when the client visits MTLS protected domains. This facilitates device posture without a WARP session. ### Path Parameters - `zone_id: string` ### Body Parameters - `enabled: boolean` The current status of the device policy certificate provisioning feature for WARP clients. 
### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: DevicePolicyCertificates` - `enabled: boolean` The current status of the device policy certificate provisioning feature for WARP clients. - `success: true` Whether the API call was successful. - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/zones/$ZONE_ID/devices/policy/certificates \ -X PATCH \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "enabled": true }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "enabled": true }, "success": true } ``` # Custom ## List device settings profiles **get** `/accounts/{account_id}/devices/policies` Fetches a list of the device settings profiles for an account. ### Path Parameters - `account_id: string` ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: array of SettingsPolicy` - `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes. - `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available. - `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization. 
- `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled. - `captive_portal: optional number` Turn on the captive portal after the specified amount of time. - `default: optional boolean` Whether the policy is the default policy for an account. - `description: optional string` A description of the policy. - `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`. - `enabled: optional boolean` Whether the policy will be applied to matching devices. - `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel. - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }` - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }` - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions. - `fallback_domains: optional array of FallbackDomain` - `suffix: string` The domain suffix to match when resolving locally. - `description: optional string` A description of the fallback domain, displayed in the client UI. - `dns_server: optional array of string` A list of IP addresses to handle domain resolution. - `gateway_unique_id: optional string` - `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel. 
- `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }` - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }` - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present. - `description: optional string` A description of the Split Tunnel item, displayed in the client UI. - `lan_allow_minutes: optional number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset. - `lan_allow_subnet_size: optional number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset. - `match: optional string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version". - `name: optional string` The name of the device settings profile. - `policy_id: optional string` - `precedence: optional number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field. - `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server. - `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only). - `service_mode_v2: optional { mode, port }` - `mode: optional string` The mode to run the WARP client under. 
- `port: optional number` The port number when used with proxy mode. - `support_url: optional string` The URL to launch when the Send Feedback button is clicked. - `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client. - `target_tests: optional array of { id, name }` - `id: optional string` The id of the DEX test targeting this policy. - `name: optional string` The name of the DEX test targeting this policy. - `tunnel_protocol: optional string` Determines which tunnel protocol to use. - `success: true` Whether the API call was successful. - `true` - `result_info: optional { count, page, per_page, total_count }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policies \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "allow_mode_switch": true, "allow_updates": true, "allowed_to_leave": true, "auto_connect": 0, "captive_portal": 180, "default": false, "description": "Policy for test teams.", "disable_auto_fallback": true, "enabled": true, "exclude": [ { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" } ], "exclude_office_ips": true, "fallback_domains": [ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ], "gateway_unique_id": "699d98642c564d2e855e9661899b7252", 
"include": [ { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" } ], "lan_allow_minutes": 30, "lan_allow_subnet_size": 24, "match": "identity.email == \"test@cloudflare.com\"", "name": "Allow Developers", "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "precedence": 100, "register_interface_ip_with_dns": true, "sccm_vpn_boundary_support": false, "service_mode_v2": { "mode": "proxy", "port": 3000 }, "support_url": "https://1.1.1.1/help", "switch_locked": true, "target_tests": [ { "id": "id", "name": "name" } ], "tunnel_protocol": "wireguard" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Get device settings profile by ID **get** `/accounts/{account_id}/devices/policy/{policy_id}` Fetches a device settings profile by ID. ### Path Parameters - `account_id: string` - `policy_id: string` ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: SettingsPolicy` - `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes. - `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available. - `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization. - `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled. - `captive_portal: optional number` Turn on the captive portal after the specified amount of time. - `default: optional boolean` Whether the policy is the default policy for an account. - `description: optional string` A description of the policy. 
  - `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: optional boolean` Whether the policy will be applied to matching devices.
  - `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: optional array of FallbackDomain`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description: optional string` A description of the fallback domain, displayed in the client UI.
    - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: optional string`
  - `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes: optional number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size: optional number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match: optional string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name: optional string` The name of the device settings profile.
  - `policy_id: optional string`
  - `precedence: optional number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2: optional { mode, port }`
    - `mode: optional string` The mode to run the WARP client under.
    - `port: optional number` The port number when used with proxy mode.
  - `support_url: optional string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `target_tests: optional array of { id, name }`
    - `id: optional string` The id of the DEX test targeting this policy.
    - `name: optional string` The name of the DEX test targeting this policy.
  - `tunnel_protocol: optional string` Determines which tunnel protocol to use.
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/$POLICY_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      {
        "id": "id",
        "name": "name"
      }
    ],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Create a device settings profile

**post** `/accounts/{account_id}/devices/policy`

Creates a device settings profile to be applied to the devices matching the criteria.

### Path Parameters

- `account_id: string`

### Body Parameters

- `match: string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
- `name: string` The name of the device settings profile.
- `precedence: number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
- `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes.
- `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available.
- `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization.
- `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled.
- `captive_portal: optional number` Turn on the captive portal after the specified amount of time.
- `description: optional string` A description of the policy.
- `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
- `enabled: optional boolean` Whether the policy will be applied to matching devices.
- `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel. `exclude` and `include` cannot both be set in the same request.
  - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
- `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
- `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel. `exclude` and `include` cannot both be set in the same request.
  - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
- `lan_allow_minutes: optional number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
- `lan_allow_subnet_size: optional number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
- `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
- `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
- `service_mode_v2: optional { mode, port }`
  - `mode: optional string` The mode to run the WARP client under.
  - `port: optional number` The port number when used with proxy mode.
- `support_url: optional string` The URL to launch when the Send Feedback button is clicked.
- `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
- `tunnel_protocol: optional string` Determines which tunnel protocol to use.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: SettingsPolicy`
  - `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization.
  - `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: optional number` Turn on the captive portal after the specified amount of time.
  - `default: optional boolean` Whether the policy is the default policy for an account.
  - `description: optional string` A description of the policy.
  - `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: optional boolean` Whether the policy will be applied to matching devices.
  - `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: optional array of FallbackDomain`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description: optional string` A description of the fallback domain, displayed in the client UI.
    - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: optional string`
  - `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes: optional number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size: optional number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match: optional string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name: optional string` The name of the device settings profile.
  - `policy_id: optional string`
  - `precedence: optional number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2: optional { mode, port }`
    - `mode: optional string` The mode to run the WARP client under.
    - `port: optional number` The port number when used with proxy mode.
  - `support_url: optional string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `target_tests: optional array of { id, name }`
    - `id: optional string` The id of the DEX test targeting this policy.
    - `name: optional string` The name of the DEX test targeting this policy.
  - `tunnel_protocol: optional string` Determines which tunnel protocol to use.
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "precedence": 100,
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "captive_portal": 180,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude_office_ips": true,
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "register_interface_ip_with_dns": true,
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "tunnel_protocol": "wireguard"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      {
        "id": "id",
        "name": "name"
      }
    ],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Update a device settings profile

**patch** `/accounts/{account_id}/devices/policy/{policy_id}`

Updates a configured device settings profile.

### Path Parameters

- `account_id: string`
- `policy_id: string`

### Body Parameters

- `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes.
- `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available.
- `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization.
- `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled.
- `captive_portal: optional number` Turn on the captive portal after the specified amount of time.
- `description: optional string` A description of the policy.
- `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
- `enabled: optional boolean` Whether the policy will be applied to matching devices.
- `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel. `exclude` and `include` cannot both be set in the same request.
  - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
- `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
- `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel. `exclude` and `include` cannot both be set in the same request.
  - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
- `lan_allow_minutes: optional number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
- `lan_allow_subnet_size: optional number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
- `match: optional string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
- `name: optional string` The name of the device settings profile.
- `precedence: optional number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
- `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
- `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
- `service_mode_v2: optional { mode, port }`
  - `mode: optional string` The mode to run the WARP client under.
  - `port: optional number` The port number when used with proxy mode.
- `support_url: optional string` The URL to launch when the Send Feedback button is clicked.
- `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
- `tunnel_protocol: optional string` Determines which tunnel protocol to use.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: SettingsPolicy`
  - `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization.
  - `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: optional number` Turn on the captive portal after the specified amount of time.
  - `default: optional boolean` Whether the policy is the default policy for an account.
  - `description: optional string` A description of the policy.
  - `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: optional boolean` Whether the policy will be applied to matching devices.
  - `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: optional array of FallbackDomain`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description: optional string` A description of the fallback domain, displayed in the client UI.
    - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: optional string`
  - `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes: optional number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size: optional number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match: optional string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name: optional string` The name of the device settings profile.
  - `policy_id: optional string`
  - `precedence: optional number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2: optional { mode, port }`
    - `mode: optional string` The mode to run the WARP client under.
    - `port: optional number` The port number when used with proxy mode.
  - `support_url: optional string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `target_tests: optional array of { id, name }`
    - `id: optional string` The id of the DEX test targeting this policy.
    - `name: optional string` The name of the DEX test targeting this policy.
  - `tunnel_protocol: optional string` Determines which tunnel protocol to use.
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/$POLICY_ID \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "captive_portal": 180,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude_office_ips": true,
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "tunnel_protocol": "wireguard"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "allow_mode_switch": true,
    "allow_updates": true,
    "allowed_to_leave": true,
    "auto_connect": 0,
    "captive_portal": 180,
    "default": false,
    "description": "Policy for test teams.",
    "disable_auto_fallback": true,
    "enabled": true,
    "exclude": [
      {
        "address": "192.0.2.0/24",
        "description": "Exclude testing domains from the tunnel"
      }
    ],
    "exclude_office_ips": true,
    "fallback_domains": [
      {
        "suffix": "example.com",
        "description": "Domain bypass for local development",
        "dns_server": [
          "1.1.1.1"
        ]
      }
    ],
    "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
    "include": [
      {
        "address": "192.0.2.0/24",
        "description": "Include testing domains in the tunnel"
      }
    ],
    "lan_allow_minutes": 30,
    "lan_allow_subnet_size": 24,
    "match": "identity.email == \"test@cloudflare.com\"",
    "name": "Allow Developers",
    "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "precedence": 100,
    "register_interface_ip_with_dns": true,
    "sccm_vpn_boundary_support": false,
    "service_mode_v2": {
      "mode": "proxy",
      "port": 3000
    },
    "support_url": "https://1.1.1.1/help",
    "switch_locked": true,
    "target_tests": [
      {
        "id": "id",
        "name": "name"
      }
    ],
    "tunnel_protocol": "wireguard"
  },
  "success": true
}
```

## Delete a device settings profile

**delete** `/accounts/{account_id}/devices/policy/{policy_id}`

Deletes a device settings profile and fetches a list of the remaining profiles for an account.

### Path Parameters

- `account_id: string`
- `policy_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of SettingsPolicy`
  - `allow_mode_switch: optional boolean` Whether to allow the user to switch WARP between modes.
  - `allow_updates: optional boolean` Whether to receive update notifications when a new version of the client is available.
  - `allowed_to_leave: optional boolean` Whether to allow devices to leave the organization.
  - `auto_connect: optional number` The amount of time in seconds to reconnect after having been disabled.
  - `captive_portal: optional number` Turn on the captive portal after the specified amount of time.
  - `default: optional boolean` Whether the policy is the default policy for an account.
  - `description: optional string` A description of the policy.
  - `disable_auto_fallback: optional boolean` If the `dns_server` field of a fallback domain is not present, the client will fall back to a best guess of the default/system DNS resolvers unless this policy option is set to `true`.
  - `enabled: optional boolean` Whether the policy will be applied to matching devices.
  - `exclude: optional array of SplitTunnelExclude` List of routes excluded in the WARP client's tunnel.
    - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `exclude_office_ips: optional boolean` Whether to add Microsoft IPs to Split Tunnel exclusions.
  - `fallback_domains: optional array of FallbackDomain`
    - `suffix: string` The domain suffix to match when resolving locally.
    - `description: optional string` A description of the fallback domain, displayed in the client UI.
    - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
  - `gateway_unique_id: optional string`
  - `include: optional array of SplitTunnelInclude` List of routes included in the WARP client's tunnel.
    - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
      - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
    - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
      - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
      - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `lan_allow_minutes: optional number` The amount of time in minutes a user is allowed access to their LAN. A value of 0 will allow LAN access until the next WARP reconnection, such as a reboot or a laptop waking from sleep. Note that this field is omitted from the response if null or unset.
  - `lan_allow_subnet_size: optional number` The size of the subnet for the local access network. Note that this field is omitted from the response if null or unset.
  - `match: optional string` The wirefilter expression to match devices. Available values: "identity.email", "identity.groups.id", "identity.groups.name", "identity.groups.email", "identity.service_token_uuid", "identity.saml_attributes", "network", "os.name", "os.version".
  - `name: optional string` The name of the device settings profile.
  - `policy_id: optional string`
  - `precedence: optional number` The precedence of the policy. Lower values indicate higher precedence. Policies will be evaluated in ascending order of this field.
  - `register_interface_ip_with_dns: optional boolean` Determines if the operating system will register WARP's local interface IP with your on-premises DNS server.
  - `sccm_vpn_boundary_support: optional boolean` Determines whether the WARP client indicates to SCCM that it is inside a VPN boundary. (Windows only).
  - `service_mode_v2: optional { mode, port }`
    - `mode: optional string` The mode to run the WARP client under.
    - `port: optional number` The port number when used with proxy mode.
  - `support_url: optional string` The URL to launch when the Send Feedback button is clicked.
  - `switch_locked: optional boolean` Whether to allow the user to turn off the WARP switch and disconnect the client.
  - `target_tests: optional array of { id, name }`
    - `id: optional string` The id of the DEX test targeting this policy.
    - `name: optional string` The name of the DEX test targeting this policy.
  - `tunnel_protocol: optional string` Determines which tunnel protocol to use.
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/$POLICY_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    {
      "allow_mode_switch": true,
      "allow_updates": true,
      "allowed_to_leave": true,
      "auto_connect": 0,
      "captive_portal": 180,
      "default": false,
      "description": "Policy for test teams.",
      "disable_auto_fallback": true,
      "enabled": true,
      "exclude": [
        { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
      ],
      "exclude_office_ips": true,
      "fallback_domains": [
        { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] }
      ],
      "gateway_unique_id": "699d98642c564d2e855e9661899b7252",
      "include": [
        { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
      ],
      "lan_allow_minutes": 30,
      "lan_allow_subnet_size": 24,
      "match": "identity.email == \"test@cloudflare.com\"",
      "name": "Allow Developers",
      "policy_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "precedence": 100,
      "register_interface_ip_with_dns": true,
      "sccm_vpn_boundary_support": false,
      "service_mode_v2": { "mode": "proxy", "port": 3000 },
      "support_url": "https://1.1.1.1/help",
      "switch_locked": true,
      "target_tests": [
        { "id": "id", "name": "name" }
      ],
      "tunnel_protocol": "wireguard"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Excludes

## Get the Split Tunnel exclude list for a device settings profile

**get** `/accounts/{account_id}/devices/policy/{policy_id}/exclude`

Fetches the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

### Path Parameters

- `account_id: string`
- `policy_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of SplitTunnelExclude`
  - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/$POLICY_ID/exclude \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Set the Split Tunnel exclude list for a device settings profile

**put** `/accounts/{account_id}/devices/policy/{policy_id}/exclude`

Sets the list of routes excluded from the WARP client's tunnel for a specific device settings profile.

### Path Parameters

- `account_id: string`
- `policy_id: string`

### Body Parameters

- `body: array of SplitTunnelExclude`
  - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of SplitTunnelExclude`
  - `TeamsDevicesExcludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to exclude from the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesExcludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to exclude from the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/$POLICY_ID/exclude \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '[ { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" } ]'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Includes

## Get the Split Tunnel include list for a device settings profile

**get** `/accounts/{account_id}/devices/policy/{policy_id}/include`

Fetches the list of routes included in the WARP client's tunnel for a specific device settings profile.

### Path Parameters

- `account_id: string`
- `policy_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of SplitTunnelInclude`
  - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/$POLICY_ID/include \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Set the Split Tunnel include list for a device settings profile

**put** `/accounts/{account_id}/devices/policy/{policy_id}/include`

Sets the list of routes included in the WARP client's tunnel for a specific device settings profile.

### Path Parameters

- `account_id: string`
- `policy_id: string`

### Body Parameters

- `body: array of SplitTunnelInclude`
  - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of SplitTunnelInclude`
  - `TeamsDevicesIncludeSplitTunnelWithAddress { address, description }`
    - `address: string` The address in CIDR format to include in the tunnel. If `address` is present, `host` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
  - `TeamsDevicesIncludeSplitTunnelWithHost { host, description }`
    - `host: string` The domain name to include in the tunnel. If `host` is present, `address` must not be present.
    - `description: optional string` A description of the Split Tunnel item, displayed in the client UI.
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
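Both PUT bodies, the exclude list above and the include list here, share the same item shape and the same exactly-one-of rule: an item carries `address` (CIDR) or `host` (domain name), never both and never neither. The validator below is an added example, not Cloudflare's code; it checks a list locally before it is sent to either endpoint. Its hostname grammar, its minimum prefix length guard and its duplicate check are this example's own assumptions, not rules the API states.

```python
"""Validate and build the JSON body for
PUT /accounts/{account_id}/devices/policy/{policy_id}/exclude (or /include).

Added example, not Cloudflare's code. Schema rules taken from the reference:
each item carries exactly one of `address` (CIDR) or `host` (domain name),
plus an optional `description`. The hostname grammar, the minimum prefix
length guard and the duplicate check are this example's own assumptions.
"""
import ipaddress
import json
import re

# Assumed hostname label grammar (RFC 1123 style); the reference does not
# state how the API itself validates `host`.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class SplitTunnelError(ValueError):
    """An item violates the schema described in the reference."""


def validate_host(host: str) -> str:
    """Return the host lower-cased and without a trailing dot, or raise."""
    h = host.strip().rstrip(".").lower()
    if not h or len(h) > 253 or not all(_LABEL.match(l) for l in h.split(".")):
        raise SplitTunnelError(f"invalid host {host!r}")
    return h


def validate_address(address: str, min_prefix_len: int = 8) -> str:
    """Return the CIDR in canonical form, or raise.

    strict=True rejects host bits set (192.0.2.1/24 is not a route).
    min_prefix_len is this example's guard: a route broader than it
    (such as 0.0.0.0/0) would move most traffic out of, or into, the tunnel.
    """
    try:
        net = ipaddress.ip_network(address.strip(), strict=True)
    except ValueError as exc:
        raise SplitTunnelError(f"invalid CIDR {address!r}: {exc}") from None
    if net.prefixlen < min_prefix_len:
        raise SplitTunnelError(f"{net} is broader than /{min_prefix_len}")
    return str(net)


def validate_item(item: dict, min_prefix_len: int = 8) -> dict:
    """Return a clean item carrying exactly one of address/host."""
    has_addr, has_host = "address" in item, "host" in item
    if has_addr == has_host:  # both present or both missing
        raise SplitTunnelError(
            f"exactly one of 'address' or 'host' is required: {item!r}")
    unknown = set(item) - {"address", "host", "description"}
    if unknown:
        raise SplitTunnelError(f"unknown keys {sorted(unknown)} in {item!r}")
    clean = {}
    if has_addr:
        clean["address"] = validate_address(item["address"], min_prefix_len)
    else:
        clean["host"] = validate_host(item["host"])
    if item.get("description") is not None:
        clean["description"] = str(item["description"])
    return clean


def build_body(items: list, min_prefix_len: int = 8) -> str:
    """Validate every item and return the JSON array for the PUT body.

    Duplicate routes are rejected too; that is this example's own sanity
    check, the reference does not say how the API treats them.
    """
    seen, clean_items = set(), []
    for item in items:
        clean = validate_item(item, min_prefix_len)
        key = clean.get("address") or clean.get("host")
        if key in seen:
            raise SplitTunnelError(f"duplicate route {key!r}")
        seen.add(key)
        clean_items.append(clean)
    return json.dumps(clean_items, indent=2)


def is_rejected(items: list) -> bool:
    """True if build_body refuses the list (used by the demo and tests)."""
    try:
        build_body(items)
    except SplitTunnelError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample, mirroring the reference's example items.
    sample = [
        {"address": "192.0.2.0/24", "description": "Exclude testing domains from the tunnel"},
        {"host": "intranet.example.com", "description": "On-prem app"},
    ]
    print(build_body(sample))
    for bad in ([{"address": "0.0.0.0/0"}], [{"address": "192.0.2.0/24", "host": "a.example"}]):
        print("rejected:", is_rejected(bad), bad)
```

The string returned by `build_body` is what goes into the `-d` argument of the curl call shown for either PUT endpoint.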
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/$POLICY_ID/include \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '[ { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" } ]'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "address": "192.0.2.0/24", "description": "Include testing domains in the tunnel" }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Fallback Domains

## Get the Local Domain Fallback list for a device settings profile

**get** `/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains`

Fetches the list of domains to bypass Gateway DNS resolution from a specified device settings profile. These domains will use the specified local DNS resolver instead.

### Path Parameters

- `account_id: string`
- `policy_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of FallbackDomain`
  - `suffix: string` The domain suffix to match when resolving locally.
  - `description: optional string` A description of the fallback domain, displayed in the client UI.
  - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/$POLICY_ID/fallback_domains \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Set the Local Domain Fallback list for a device settings profile

**put** `/accounts/{account_id}/devices/policy/{policy_id}/fallback_domains`

Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. This will only apply to the specified device settings profile.

### Path Parameters

- `account_id: string`
- `policy_id: string`

### Body Parameters

- `domains: array of FallbackDomain`
  - `suffix: string` The domain suffix to match when resolving locally.
  - `description: optional string` A description of the fallback domain, displayed in the client UI.
  - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of FallbackDomain`
  - `suffix: string` The domain suffix to match when resolving locally.
  - `description: optional string` A description of the fallback domain, displayed in the client UI.
  - `dns_server: optional array of string` A list of IP addresses to handle domain resolution.
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy/$POLICY_ID/fallback_domains \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '[ { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] } ]'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    { "suffix": "example.com", "description": "Domain bypass for local development", "dns_server": [ "1.1.1.1" ] }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

# Posture

## List device posture rules

**get** `/accounts/{account_id}/devices/posture`

Fetches device posture rules for a Zero Trust account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of DevicePostureRule`
  - `id: optional string` API UUID.
  - `description: optional string` The description of the device posture rule.
  - `expiration: optional string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input: optional DeviceInput` The value to be checked against.
    - `FileInput { operating_system, path, exists, 2 more }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `exists: optional boolean` Whether or not the file exists.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `UniqueClientIDInput { id, operating_system }`
      - `id: string` List ID.
      - `operating_system: "android" or "ios" or "chromeos"` Operating System.
        - `"android"`
        - `"ios"`
        - `"chromeos"`
    - `DomainJoinedInput { operating_system, domain }`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `domain: optional string` Domain.
    - `OSVersionInput { operating_system, operator, version, 3 more }`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `operator: "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `version: string` Version of OS.
      - `os_distro_name: optional string` Operating System Distribution Name (Linux only).
      - `os_distro_revision: optional string` Version of OS Distribution (Linux only).
      - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `FirewallInput { enabled, operating_system }`
      - `enabled: boolean` Enabled.
      - `operating_system: "windows" or "mac"` Operating System.
        - `"windows"`
        - `"mac"`
    - `SentineloneInput { operating_system, path, sha256, thumbprint }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `TeamsDevicesAccessSerialNumberListInputRequest { id }`
      - `id: string` UUID of Access List.
    - `DiskEncryptionInput { checkDisks, requireAll }`
      - `checkDisks: optional array of CarbonblackInput` List of volume names to be checked for encryption.
      - `requireAll: optional boolean` Whether to check all disks for encryption.
    - `TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` Path for the application.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `ClientCertificateInput { certificate_id, cn }`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `cn: string` Common Name that is protected by the certificate.
    - `TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `cn: optional string` Certificate Common Name. This may include one or more variables in the `${ }` notation. Only `${serial_number}` and `${hostname}` are valid variables.
      - `extended_key_usage: optional array of "clientAuth" or "emailProtection"` List of values indicating purposes for which the certificate public key can be used.
        - `"clientAuth"`
        - `"emailProtection"`
      - `locations: optional { paths, trust_stores }`
        - `paths: optional array of string` List of paths to check for the client certificate on Linux.
        - `trust_stores: optional array of "system" or "user"` List of trust stores to check for the client certificate.
          - `"system"`
          - `"user"`
      - `subject_alternative_names: optional array of string` List of certificate Subject Alternative Names.
    - `TeamsDevicesAntivirusInputRequest { update_window_days }`
      - `update_window_days: optional number` Number of days within which the antivirus should have been updated.
    - `WorkspaceOneInput { compliance_status, connection_id }`
      - `compliance_status: "compliant" or "noncompliant" or "unknown"` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
      - `connection_id: string` Posture Integration ID.
    - `CrowdstrikeInput { connection_id, last_seen, operator, 6 more }`
      - `connection_id: string` Posture Integration ID.
      - `last_seen: optional string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `operator: optional "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `os: optional string` OS Version.
      - `overall: optional string` Overall.
      - `sensor_config: optional string` SensorConfig.
      - `state: optional "online" or "offline" or "unknown"` For more details on state, please refer to the Crowdstrike documentation.
        - `"online"`
        - `"offline"`
        - `"unknown"`
      - `version: optional string` Version.
      - `versionOperator: optional "<" or "<=" or ">" or 2 more` Version Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `IntuneInput { compliance_status, connection_id }`
      - `compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
        - `"notapplicable"`
        - `"ingraceperiod"`
        - `"error"`
      - `connection_id: string` Posture Integration ID.
    - `KolideInput { connection_id, countOperator, issue_count }`
      - `connection_id: string` Posture Integration ID.
      - `countOperator: "<" or "<=" or ">" or 2 more` Count Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `issue_count: string` The Number of Issues.
    - `TaniumInput { connection_id, eid_last_seen, operator, 3 more }`
      - `connection_id: string` Posture Integration ID.
      - `eid_last_seen: optional string` For more details on eid last seen, refer to the Tanium documentation.
      - `operator: optional "<" or "<=" or ">" or 2 more` Operator to evaluate risk_level or eid_last_seen.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `risk_level: optional "low" or "medium" or "high" or "critical"` For more details on risk level, refer to the Tanium documentation.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"critical"`
      - `scoreOperator: optional "<" or "<=" or ">" or 2 more` Score Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `total_score: optional number` For more details on total score, refer to the Tanium documentation.
    - `SentineloneS2sInput { connection_id, active_threats, infected, 4 more }`
      - `connection_id: string` Posture Integration ID.
      - `active_threats: optional number` The number of active threats.
      - `infected: optional boolean` Whether the device is infected.
      - `is_active: optional boolean` Whether the device is active.
      - `network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"` Network status of the device.
        - `"connected"`
        - `"disconnected"`
        - `"disconnecting"`
        - `"connecting"`
      - `operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more` Agent operational state.
        - `"na"`
        - `"partially_disabled"`
        - `"auto_fully_disabled"`
        - `"fully_disabled"`
        - `"auto_partially_disabled"`
        - `"disabled_error"`
        - `"db_corruption"`
      - `operator: optional "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }`
      - `connection_id: string` Posture Integration ID.
      - `operator: "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `score: number` A value between 0 and 100 assigned to devices by the third-party posture provider.
  - `match: optional array of DeviceMatch` The conditions that the client must match to run the rule.
    - `platform: optional "windows" or "mac" or "linux" or 3 more`
      - `"windows"`
      - `"mac"`
      - `"linux"`
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `name: optional string` The name of the device posture rule.
  - `schedule: optional string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `type: optional "file" or "application" or "tanium" or 20 more` The type of device posture rule.
    - `"file"`
    - `"application"`
    - `"tanium"`
    - `"gateway"`
    - `"warp"`
    - `"disk_encryption"`
    - `"serial_number"`
    - `"sentinelone"`
    - `"carbonblack"`
    - `"firewall"`
    - `"os_version"`
    - `"domain_joined"`
    - `"client_certificate"`
    - `"client_certificate_v2"`
    - `"antivirus"`
    - `"unique_client_id"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"crowdstrike_s2s"`
    - `"intune"`
    - `"workspace_one"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/posture \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "description": "The rule for admin serial numbers",
      "expiration": "1h",
      "input": {
        "operating_system": "linux",
        "path": "/bin/cat",
        "exists": true,
        "sha256": "https://api.us-2.crowdstrike.com",
        "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
      },
      "match": [
        { "platform": "windows" }
      ],
      "name": "Admin Serial Numbers",
      "schedule": "1h",
      "type": "file"
    }
  ],
  "success": true,
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get device posture rule details

**get** `/accounts/{account_id}/devices/posture/{rule_id}`

Fetches a single device posture rule.

### Path Parameters

- `account_id: string`
- `rule_id: string` API UUID.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: DevicePostureRule`
  - `id: optional string` API UUID.
  - `description: optional string` The description of the device posture rule.
  - `expiration: optional string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input: optional DeviceInput` The value to be checked against.
    - `FileInput { operating_system, path, exists, 2 more }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `exists: optional boolean` Whether or not the file exists.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `UniqueClientIDInput { id, operating_system }`
      - `id: string` List ID.
      - `operating_system: "android" or "ios" or "chromeos"` Operating System.
        - `"android"`
        - `"ios"`
        - `"chromeos"`
    - `DomainJoinedInput { operating_system, domain }`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `domain: optional string` Domain.
    - `OSVersionInput { operating_system, operator, version, 3 more }`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `operator: "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `version: string` Version of OS.
      - `os_distro_name: optional string` Operating System Distribution Name (Linux only).
      - `os_distro_revision: optional string` Version of OS Distribution (Linux only).
      - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `FirewallInput { enabled, operating_system }`
      - `enabled: boolean` Enabled.
      - `operating_system: "windows" or "mac"` Operating System.
        - `"windows"`
        - `"mac"`
    - `SentineloneInput { operating_system, path, sha256, thumbprint }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `TeamsDevicesAccessSerialNumberListInputRequest { id }`
      - `id: string` UUID of Access List.
    - `DiskEncryptionInput { checkDisks, requireAll }`
      - `checkDisks: optional array of CarbonblackInput` List of volume names to be checked for encryption.
      - `requireAll: optional boolean` Whether to check all disks for encryption.
    - `TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` Path for the application.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `ClientCertificateInput { certificate_id, cn }`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `cn: string` Common Name that is protected by the certificate.
    - `TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `cn: optional string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `extended_key_usage: optional array of "clientAuth" or "emailProtection"` List of values indicating purposes for which the certificate public key can be used.
        - `"clientAuth"`
        - `"emailProtection"`
      - `locations: optional { paths, trust_stores }`
        - `paths: optional array of string` List of paths to check for client certificate on linux.
        - `trust_stores: optional array of "system" or "user"` List of trust stores to check for client certificate.
          - `"system"`
          - `"user"`
      - `subject_alternative_names: optional array of string` List of certificate Subject Alternative Names.
    - `TeamsDevicesAntivirusInputRequest { update_window_days }`
      - `update_window_days: optional number` Number of days that the antivirus should be updated within.
    - `WorkspaceOneInput { compliance_status, connection_id }`
      - `compliance_status: "compliant" or "noncompliant" or "unknown"` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
      - `connection_id: string` Posture Integration ID.
    - `CrowdstrikeInput { connection_id, last_seen, operator, 6 more }`
      - `connection_id: string` Posture Integration ID.
      - `last_seen: optional string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `operator: optional "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `os: optional string` OS version.
      - `overall: optional string` Overall.
      - `sensor_config: optional string` SensorConfig.
      - `state: optional "online" or "offline" or "unknown"` For more details on state, please refer to the Crowdstrike documentation.
        - `"online"`
        - `"offline"`
        - `"unknown"`
      - `version: optional string` Version.
      - `versionOperator: optional "<" or "<=" or ">" or 2 more` Version Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `IntuneInput { compliance_status, connection_id }`
      - `compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
        - `"notapplicable"`
        - `"ingraceperiod"`
        - `"error"`
      - `connection_id: string` Posture Integration ID.
    - `KolideInput { connection_id, countOperator, issue_count }`
      - `connection_id: string` Posture Integration ID.
      - `countOperator: "<" or "<=" or ">" or 2 more` Count Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `issue_count: string` The number of issues.
    - `TaniumInput { connection_id, eid_last_seen, operator, 3 more }`
      - `connection_id: string` Posture Integration ID.
      - `eid_last_seen: optional string` For more details on eid last seen, refer to the Tanium documentation.
      - `operator: optional "<" or "<=" or ">" or 2 more` Operator to evaluate risk_level or eid_last_seen.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `risk_level: optional "low" or "medium" or "high" or "critical"` For more details on risk level, refer to the Tanium documentation.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"critical"`
      - `scoreOperator: optional "<" or "<=" or ">" or 2 more` Score Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `total_score: optional number` For more details on total score, refer to the Tanium documentation.
    - `SentineloneS2sInput { connection_id, active_threats, infected, 4 more }`
      - `connection_id: string` Posture Integration ID.
      - `active_threats: optional number` The number of active threats.
      - `infected: optional boolean` Whether device is infected.
      - `is_active: optional boolean` Whether device is active.
      - `network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"` Network status of device.
        - `"connected"`
        - `"disconnected"`
        - `"disconnecting"`
        - `"connecting"`
      - `operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more` Agent operational state.
        - `"na"`
        - `"partially_disabled"`
        - `"auto_fully_disabled"`
        - `"fully_disabled"`
        - `"auto_partially_disabled"`
        - `"disabled_error"`
        - `"db_corruption"`
      - `operator: optional "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }`
      - `connection_id: string` Posture Integration ID.
      - `operator: "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `score: number` A value between 0 and 100 assigned to the device by the third-party posture provider.
  - `match: optional array of DeviceMatch` The conditions that the client must match to run the rule.
    - `platform: optional "windows" or "mac" or "linux" or 3 more`
      - `"windows"`
      - `"mac"`
      - `"linux"`
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `name: optional string` The name of the device posture rule.
  - `schedule: optional string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `type: optional "file" or "application" or "tanium" or 20 more` The type of device posture rule.
    - `"file"`
    - `"application"`
    - `"tanium"`
    - `"gateway"`
    - `"warp"`
    - `"disk_encryption"`
    - `"serial_number"`
    - `"sentinelone"`
    - `"carbonblack"`
    - `"firewall"`
    - `"os_version"`
    - `"domain_joined"`
    - `"client_certificate"`
    - `"client_certificate_v2"`
    - `"antivirus"`
    - `"unique_client_id"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"crowdstrike_s2s"`
    - `"intune"`
    - `"workspace_one"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/posture/$RULE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Create a device posture rule

**post** `/accounts/{account_id}/devices/posture`

Creates a new device posture rule.

### Path Parameters

- `account_id: string`

### Body Parameters

- `name: string` The name of the device posture rule.
- `type: "file" or "application" or "tanium" or 20 more` The type of device posture rule.
  - `"file"`
  - `"application"`
  - `"tanium"`
  - `"gateway"`
  - `"warp"`
  - `"disk_encryption"`
  - `"serial_number"`
  - `"sentinelone"`
  - `"carbonblack"`
  - `"firewall"`
  - `"os_version"`
  - `"domain_joined"`
  - `"client_certificate"`
  - `"client_certificate_v2"`
  - `"antivirus"`
  - `"unique_client_id"`
  - `"kolide"`
  - `"tanium_s2s"`
  - `"crowdstrike_s2s"`
  - `"intune"`
  - `"workspace_one"`
  - `"sentinelone_s2s"`
  - `"custom_s2s"`
- `description: optional string` The description of the device posture rule.
- `expiration: optional string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
- `input: optional DeviceInput` The value to be checked against.
  - `FileInput { operating_system, path, exists, 2 more }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` File path.
    - `exists: optional boolean` Whether or not the file exists.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `UniqueClientIDInput { id, operating_system }`
    - `id: string` List ID.
    - `operating_system: "android" or "ios" or "chromeos"` Operating System.
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `DomainJoinedInput { operating_system, domain }`
    - `operating_system: "windows"` Operating System.
      - `"windows"`
    - `domain: optional string` Domain.
  - `OSVersionInput { operating_system, operator, version, 3 more }`
    - `operating_system: "windows"` Operating System.
      - `"windows"`
    - `operator: "<" or "<=" or ">" or 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `version: string` Version of OS.
    - `os_distro_name: optional string` Operating System Distribution Name (linux only).
    - `os_distro_revision: optional string` Version of OS Distribution (linux only).
    - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `FirewallInput { enabled, operating_system }`
    - `enabled: boolean` Enabled.
    - `operating_system: "windows" or "mac"` Operating System.
      - `"windows"`
      - `"mac"`
  - `SentineloneInput { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` File path.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` File path.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `TeamsDevicesAccessSerialNumberListInputRequest { id }`
    - `id: string` UUID of Access List.
  - `DiskEncryptionInput { checkDisks, requireAll }`
    - `checkDisks: optional array of CarbonblackInput` List of volume names to be checked for encryption.
    - `requireAll: optional boolean` Whether to check all disks for encryption.
  - `TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` Path for the application.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `ClientCertificateInput { certificate_id, cn }`
    - `certificate_id: string` UUID of Cloudflare managed certificate.
    - `cn: string` Common Name that is protected by the certificate.
  - `TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }`
    - `certificate_id: string` UUID of Cloudflare managed certificate.
    - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `cn: optional string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
    - `extended_key_usage: optional array of "clientAuth" or "emailProtection"` List of values indicating purposes for which the certificate public key can be used.
      - `"clientAuth"`
      - `"emailProtection"`
    - `locations: optional { paths, trust_stores }`
      - `paths: optional array of string` List of paths to check for client certificate on linux.
      - `trust_stores: optional array of "system" or "user"` List of trust stores to check for client certificate.
        - `"system"`
        - `"user"`
    - `subject_alternative_names: optional array of string` List of certificate Subject Alternative Names.
  - `TeamsDevicesAntivirusInputRequest { update_window_days }`
    - `update_window_days: optional number` Number of days that the antivirus should be updated within.
  - `WorkspaceOneInput { compliance_status, connection_id }`
    - `compliance_status: "compliant" or "noncompliant" or "unknown"` Compliance Status.
      - `"compliant"`
      - `"noncompliant"`
      - `"unknown"`
    - `connection_id: string` Posture Integration ID.
  - `CrowdstrikeInput { connection_id, last_seen, operator, 6 more }`
    - `connection_id: string` Posture Integration ID.
    - `last_seen: optional string` For more details on last seen, please refer to the Crowdstrike documentation.
    - `operator: optional "<" or "<=" or ">" or 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `os: optional string` OS version.
    - `overall: optional string` Overall.
    - `sensor_config: optional string` SensorConfig.
    - `state: optional "online" or "offline" or "unknown"` For more details on state, please refer to the Crowdstrike documentation.
      - `"online"`
      - `"offline"`
      - `"unknown"`
    - `version: optional string` Version.
    - `versionOperator: optional "<" or "<=" or ">" or 2 more` Version Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
  - `IntuneInput { compliance_status, connection_id }`
    - `compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more` Compliance Status.
      - `"compliant"`
      - `"noncompliant"`
      - `"unknown"`
      - `"notapplicable"`
      - `"ingraceperiod"`
      - `"error"`
    - `connection_id: string` Posture Integration ID.
  - `KolideInput { connection_id, countOperator, issue_count }`
    - `connection_id: string` Posture Integration ID.
    - `countOperator: "<" or "<=" or ">" or 2 more` Count Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `issue_count: string` The number of issues.
  - `TaniumInput { connection_id, eid_last_seen, operator, 3 more }`
    - `connection_id: string` Posture Integration ID.
    - `eid_last_seen: optional string` For more details on eid last seen, refer to the Tanium documentation.
    - `operator: optional "<" or "<=" or ">" or 2 more` Operator to evaluate risk_level or eid_last_seen.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `risk_level: optional "low" or "medium" or "high" or "critical"` For more details on risk level, refer to the Tanium documentation.
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"critical"`
    - `scoreOperator: optional "<" or "<=" or ">" or 2 more` Score Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `total_score: optional number` For more details on total score, refer to the Tanium documentation.
  - `SentineloneS2sInput { connection_id, active_threats, infected, 4 more }`
    - `connection_id: string` Posture Integration ID.
    - `active_threats: optional number` The number of active threats.
    - `infected: optional boolean` Whether device is infected.
    - `is_active: optional boolean` Whether device is active.
    - `network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"` Network status of device.
      - `"connected"`
      - `"disconnected"`
      - `"disconnecting"`
      - `"connecting"`
    - `operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more` Agent operational state.
      - `"na"`
      - `"partially_disabled"`
      - `"auto_fully_disabled"`
      - `"fully_disabled"`
      - `"auto_partially_disabled"`
      - `"disabled_error"`
      - `"db_corruption"`
    - `operator: optional "<" or "<=" or ">" or 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
  - `TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }`
    - `connection_id: string` Posture Integration ID.
    - `operator: "<" or "<=" or ">" or 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `score: number` A value between 0 and 100 assigned to the device by the third-party posture provider.
- `match: optional array of DeviceMatch` The conditions that the client must match to run the rule.
  - `platform: optional "windows" or "mac" or "linux" or 3 more`
    - `"windows"`
    - `"mac"`
    - `"linux"`
    - `"android"`
    - `"ios"`
    - `"chromeos"`
- `schedule: optional string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: DevicePostureRule`
  - `id: optional string` API UUID.
  - `description: optional string` The description of the device posture rule.
  - `expiration: optional string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
  - `input: optional DeviceInput` The value to be checked against.
    - `FileInput { operating_system, path, exists, 2 more }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `exists: optional boolean` Whether or not the file exists.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `UniqueClientIDInput { id, operating_system }`
      - `id: string` List ID.
      - `operating_system: "android" or "ios" or "chromeos"` Operating System.
        - `"android"`
        - `"ios"`
        - `"chromeos"`
    - `DomainJoinedInput { operating_system, domain }`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `domain: optional string` Domain.
    - `OSVersionInput { operating_system, operator, version, 3 more }`
      - `operating_system: "windows"` Operating System.
        - `"windows"`
      - `operator: "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `version: string` Version of OS.
      - `os_distro_name: optional string` Operating System Distribution Name (linux only).
      - `os_distro_revision: optional string` Version of OS Distribution (linux only).
      - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
    - `FirewallInput { enabled, operating_system }`
      - `enabled: boolean` Enabled.
      - `operating_system: "windows" or "mac"` Operating System.
        - `"windows"`
        - `"mac"`
    - `SentineloneInput { operating_system, path, sha256, thumbprint }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` File path.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `TeamsDevicesAccessSerialNumberListInputRequest { id }`
      - `id: string` UUID of Access List.
    - `DiskEncryptionInput { checkDisks, requireAll }`
      - `checkDisks: optional array of CarbonblackInput` List of volume names to be checked for encryption.
      - `requireAll: optional boolean` Whether to check all disks for encryption.
    - `TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }`
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `path: string` Path for the application.
      - `sha256: optional string` SHA-256.
      - `thumbprint: optional string` Signing certificate thumbprint.
    - `ClientCertificateInput { certificate_id, cn }`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `cn: string` Common Name that is protected by the certificate.
    - `TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }`
      - `certificate_id: string` UUID of Cloudflare managed certificate.
      - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
      - `operating_system: "windows" or "linux" or "mac"` Operating system.
        - `"windows"`
        - `"linux"`
        - `"mac"`
      - `cn: optional string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables.
      - `extended_key_usage: optional array of "clientAuth" or "emailProtection"` List of values indicating purposes for which the certificate public key can be used.
        - `"clientAuth"`
        - `"emailProtection"`
      - `locations: optional { paths, trust_stores }`
        - `paths: optional array of string` List of paths to check for client certificate on linux.
        - `trust_stores: optional array of "system" or "user"` List of trust stores to check for client certificate.
          - `"system"`
          - `"user"`
      - `subject_alternative_names: optional array of string` List of certificate Subject Alternative Names.
    - `TeamsDevicesAntivirusInputRequest { update_window_days }`
      - `update_window_days: optional number` Number of days that the antivirus should be updated within.
    - `WorkspaceOneInput { compliance_status, connection_id }`
      - `compliance_status: "compliant" or "noncompliant" or "unknown"` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
      - `connection_id: string` Posture Integration ID.
    - `CrowdstrikeInput { connection_id, last_seen, operator, 6 more }`
      - `connection_id: string` Posture Integration ID.
      - `last_seen: optional string` For more details on last seen, please refer to the Crowdstrike documentation.
      - `operator: optional "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `os: optional string` OS version.
      - `overall: optional string` Overall.
      - `sensor_config: optional string` SensorConfig.
      - `state: optional "online" or "offline" or "unknown"` For more details on state, please refer to the Crowdstrike documentation.
        - `"online"`
        - `"offline"`
        - `"unknown"`
      - `version: optional string` Version.
      - `versionOperator: optional "<" or "<=" or ">" or 2 more` Version Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `IntuneInput { compliance_status, connection_id }`
      - `compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more` Compliance Status.
        - `"compliant"`
        - `"noncompliant"`
        - `"unknown"`
        - `"notapplicable"`
        - `"ingraceperiod"`
        - `"error"`
      - `connection_id: string` Posture Integration ID.
    - `KolideInput { connection_id, countOperator, issue_count }`
      - `connection_id: string` Posture Integration ID.
      - `countOperator: "<" or "<=" or ">" or 2 more` Count Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `issue_count: string` The number of issues.
    - `TaniumInput { connection_id, eid_last_seen, operator, 3 more }`
      - `connection_id: string` Posture Integration ID.
      - `eid_last_seen: optional string` For more details on eid last seen, refer to the Tanium documentation.
      - `operator: optional "<" or "<=" or ">" or 2 more` Operator to evaluate risk_level or eid_last_seen.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `risk_level: optional "low" or "medium" or "high" or "critical"` For more details on risk level, refer to the Tanium documentation.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"critical"`
      - `scoreOperator: optional "<" or "<=" or ">" or 2 more` Score Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `total_score: optional number` For more details on total score, refer to the Tanium documentation.
    - `SentineloneS2sInput { connection_id, active_threats, infected, 4 more }`
      - `connection_id: string` Posture Integration ID.
      - `active_threats: optional number` The number of active threats.
      - `infected: optional boolean` Whether device is infected.
      - `is_active: optional boolean` Whether device is active.
      - `network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"` Network status of device.
        - `"connected"`
        - `"disconnected"`
        - `"disconnecting"`
        - `"connecting"`
      - `operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more` Agent operational state.
        - `"na"`
        - `"partially_disabled"`
        - `"auto_fully_disabled"`
        - `"fully_disabled"`
        - `"auto_partially_disabled"`
        - `"disabled_error"`
        - `"db_corruption"`
      - `operator: optional "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
    - `TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }`
      - `connection_id: string` Posture Integration ID.
      - `operator: "<" or "<=" or ">" or 2 more` Operator.
        - `"<"`
        - `"<="`
        - `">"`
        - `">="`
        - `"=="`
      - `score: number` A value between 0 and 100 assigned to the device by the third-party posture provider.
  - `match: optional array of DeviceMatch` The conditions that the client must match to run the rule.
    - `platform: optional "windows" or "mac" or "linux" or 3 more`
      - `"windows"`
      - `"mac"`
      - `"linux"`
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `name: optional string` The name of the device posture rule.
  - `schedule: optional string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
  - `type: optional "file" or "application" or "tanium" or 20 more` The type of device posture rule.
    - `"file"`
    - `"application"`
    - `"tanium"`
    - `"gateway"`
    - `"warp"`
    - `"disk_encryption"`
    - `"serial_number"`
    - `"sentinelone"`
    - `"carbonblack"`
    - `"firewall"`
    - `"os_version"`
    - `"domain_joined"`
    - `"client_certificate"`
    - `"client_certificate_v2"`
    - `"antivirus"`
    - `"unique_client_id"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"crowdstrike_s2s"`
    - `"intune"`
    - `"workspace_one"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/posture \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "Admin Serial Numbers",
    "type": "file",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "schedule": "1h"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Update a device posture rule

**put** `/accounts/{account_id}/devices/posture/{rule_id}`

Updates a device posture rule.

### Path Parameters

- `account_id: string`
- `rule_id: string` API UUID.

### Body Parameters

- `name: string` The name of the device posture rule.
- `type: "file" or "application" or "tanium" or 20 more` The type of device posture rule.
  - `"file"`
  - `"application"`
  - `"tanium"`
  - `"gateway"`
  - `"warp"`
  - `"disk_encryption"`
  - `"serial_number"`
  - `"sentinelone"`
  - `"carbonblack"`
  - `"firewall"`
  - `"os_version"`
  - `"domain_joined"`
  - `"client_certificate"`
  - `"client_certificate_v2"`
  - `"antivirus"`
  - `"unique_client_id"`
  - `"kolide"`
  - `"tanium_s2s"`
  - `"crowdstrike_s2s"`
  - `"intune"`
  - `"workspace_one"`
  - `"sentinelone_s2s"`
  - `"custom_s2s"`
- `description: optional string` The description of the device posture rule.
- `expiration: optional string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client.
- `input: optional DeviceInput` The value to be checked against.
  - `FileInput { operating_system, path, exists, 2 more }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` File path.
    - `exists: optional boolean` Whether or not the file exists.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `UniqueClientIDInput { id, operating_system }`
    - `id: string` List ID.
    - `operating_system: "android" or "ios" or "chromeos"` Operating System.
      - `"android"`
      - `"ios"`
      - `"chromeos"`
  - `DomainJoinedInput { operating_system, domain }`
    - `operating_system: "windows"` Operating System.
      - `"windows"`
    - `domain: optional string` Domain.
  - `OSVersionInput { operating_system, operator, version, 3 more }`
    - `operating_system: "windows"` Operating System.
      - `"windows"`
    - `operator: "<" or "<=" or ">" or 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `version: string` Version of OS.
    - `os_distro_name: optional string` Operating System Distribution Name (linux only).
    - `os_distro_revision: optional string` Version of OS Distribution (linux only).
    - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `FirewallInput { enabled, operating_system }`
    - `enabled: boolean` Enabled.
    - `operating_system: "windows" or "mac"` Operating System.
      - `"windows"`
      - `"mac"`
  - `SentineloneInput { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` File path.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` File path.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `TeamsDevicesAccessSerialNumberListInputRequest { id }`
    - `id: string` UUID of Access List.
  - `DiskEncryptionInput { checkDisks, requireAll }`
    - `checkDisks: optional array of CarbonblackInput` List of volume names to be checked for encryption.
    - `requireAll: optional boolean` Whether to check all disks for encryption.
  - `TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` Path for the application.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `ClientCertificateInput { certificate_id, cn }`
    - `certificate_id: string` UUID of Cloudflare managed certificate.
    - `cn: string` Common Name that is protected by the certificate.
- `TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }` - `certificate_id: string` UUID of Cloudflare managed certificate. - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key. - `operating_system: "windows" or "linux" or "mac"` Operating system. - `"windows"` - `"linux"` - `"mac"` - `cn: optional string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables. - `extended_key_usage: optional array of "clientAuth" or "emailProtection"` List of values indicating purposes for which the certificate public key can be used. - `"clientAuth"` - `"emailProtection"` - `locations: optional { paths, trust_stores }` - `paths: optional array of string` List of paths to check for client certificate on linux. - `trust_stores: optional array of "system" or "user"` List of trust stores to check for client certificate. - `"system"` - `"user"` - `subject_alternative_names: optional array of string` List of certificate Subject Alternative Names. - `TeamsDevicesAntivirusInputRequest { update_window_days }` - `update_window_days: optional number` Number of days that the antivirus should be updated within. - `WorkspaceOneInput { compliance_status, connection_id }` - `compliance_status: "compliant" or "noncompliant" or "unknown"` Compliance Status. - `"compliant"` - `"noncompliant"` - `"unknown"` - `connection_id: string` Posture Integration ID. - `CrowdstrikeInput { connection_id, last_seen, operator, 6 more }` - `connection_id: string` Posture Integration ID. - `last_seen: optional string` For more details on last seen, please refer to the Crowdstrike documentation. - `operator: optional "<" or "<=" or ">" or 2 more` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `os: optional string` Os Version. 
- `overall: optional string` Overall. - `sensor_config: optional string` SensorConfig. - `state: optional "online" or "offline" or "unknown"` For more details on state, please refer to the Crowdstrike documentation. - `"online"` - `"offline"` - `"unknown"` - `version: optional string` Version. - `versionOperator: optional "<" or "<=" or ">" or 2 more` Version Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `IntuneInput { compliance_status, connection_id }` - `compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more` Compliance Status. - `"compliant"` - `"noncompliant"` - `"unknown"` - `"notapplicable"` - `"ingraceperiod"` - `"error"` - `connection_id: string` Posture Integration ID. - `KolideInput { connection_id, countOperator, issue_count }` - `connection_id: string` Posture Integration ID. - `countOperator: "<" or "<=" or ">" or 2 more` Count Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `issue_count: string` The Number of Issues. - `TaniumInput { connection_id, eid_last_seen, operator, 3 more }` - `connection_id: string` Posture Integration ID. - `eid_last_seen: optional string` For more details on eid last seen, refer to the Tanium documentation. - `operator: optional "<" or "<=" or ">" or 2 more` Operator to evaluate risk_level or eid_last_seen. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `risk_level: optional "low" or "medium" or "high" or "critical"` For more details on risk level, refer to the Tanium documentation. - `"low"` - `"medium"` - `"high"` - `"critical"` - `scoreOperator: optional "<" or "<=" or ">" or 2 more` Score Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `total_score: optional number` For more details on total score, refer to the Tanium documentation. - `SentineloneS2sInput { connection_id, active_threats, infected, 4 more }` - `connection_id: string` Posture Integration ID. - `active_threats: optional number` The Number of active threats. - `infected: optional boolean` Whether device is infected. 
- `is_active: optional boolean` Whether device is active. - `network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"` Network status of device. - `"connected"` - `"disconnected"` - `"disconnecting"` - `"connecting"` - `operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more` Agent operational state. - `"na"` - `"partially_disabled"` - `"auto_fully_disabled"` - `"fully_disabled"` - `"auto_partially_disabled"` - `"disabled_error"` - `"db_corruption"` - `operator: optional "<" or "<=" or ">" or 2 more` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }` - `connection_id: string` Posture Integration ID. - `operator: "<" or "<=" or ">" or 2 more` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `score: number` A value between 0-100 assigned to devices set by the 3rd party posture provider. - `match: optional array of DeviceMatch` The conditions that the client must match to run the rule. - `platform: optional "windows" or "mac" or "linux" or 3 more` - `"windows"` - `"mac"` - `"linux"` - `"android"` - `"ios"` - `"chromeos"` - `schedule: optional string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: DevicePostureRule` - `id: optional string` API UUID. - `description: optional string` The description of the device posture rule. - `expiration: optional string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client. 
- `input: optional DeviceInput` The value to be checked against. - `FileInput { operating_system, path, exists, 2 more }` - `operating_system: "windows" or "linux" or "mac"` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: string` File path. - `exists: optional boolean` Whether or not file exists. - `sha256: optional string` SHA-256. - `thumbprint: optional string` Signing certificate thumbprint. - `UniqueClientIDInput { id, operating_system }` - `id: string` List ID. - `operating_system: "android" or "ios" or "chromeos"` Operating System. - `"android"` - `"ios"` - `"chromeos"` - `DomainJoinedInput { operating_system, domain }` - `operating_system: "windows"` Operating System. - `"windows"` - `domain: optional string` Domain. - `OSVersionInput { operating_system, operator, version, 3 more }` - `operating_system: "windows"` Operating System. - `"windows"` - `operator: "<" or "<=" or ">" or 2 more` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `version: string` Version of OS. - `os_distro_name: optional string` Operating System Distribution Name (linux only). - `os_distro_revision: optional string` Version of OS Distribution (linux only). - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version. - `FirewallInput { enabled, operating_system }` - `enabled: boolean` Enabled. - `operating_system: "windows" or "mac"` Operating System. - `"windows"` - `"mac"` - `SentineloneInput { operating_system, path, sha256, thumbprint }` - `operating_system: "windows" or "linux" or "mac"` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: string` File path. - `sha256: optional string` SHA-256. - `thumbprint: optional string` Signing certificate thumbprint. 
- `TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }` - `operating_system: "windows" or "linux" or "mac"` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: string` File path. - `sha256: optional string` SHA-256. - `thumbprint: optional string` Signing certificate thumbprint. - `TeamsDevicesAccessSerialNumberListInputRequest { id }` - `id: string` UUID of Access List. - `DiskEncryptionInput { checkDisks, requireAll }` - `checkDisks: optional array of CarbonblackInput` List of volume names to be checked for encryption. - `requireAll: optional boolean` Whether to check all disks for encryption. - `TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }` - `operating_system: "windows" or "linux" or "mac"` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: string` Path for the application. - `sha256: optional string` SHA-256. - `thumbprint: optional string` Signing certificate thumbprint. - `ClientCertificateInput { certificate_id, cn }` - `certificate_id: string` UUID of Cloudflare managed certificate. - `cn: string` Common Name that is protected by the certificate. - `TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }` - `certificate_id: string` UUID of Cloudflare managed certificate. - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key. - `operating_system: "windows" or "linux" or "mac"` Operating system. - `"windows"` - `"linux"` - `"mac"` - `cn: optional string` Certificate Common Name. This may include one or more variables in the ${ } notation. Only ${serial_number} and ${hostname} are valid variables. - `extended_key_usage: optional array of "clientAuth" or "emailProtection"` List of values indicating purposes for which the certificate public key can be used. 
- `"clientAuth"` - `"emailProtection"` - `locations: optional { paths, trust_stores }` - `paths: optional array of string` List of paths to check for client certificate on linux. - `trust_stores: optional array of "system" or "user"` List of trust stores to check for client certificate. - `"system"` - `"user"` - `subject_alternative_names: optional array of string` List of certificate Subject Alternative Names. - `TeamsDevicesAntivirusInputRequest { update_window_days }` - `update_window_days: optional number` Number of days that the antivirus should be updated within. - `WorkspaceOneInput { compliance_status, connection_id }` - `compliance_status: "compliant" or "noncompliant" or "unknown"` Compliance Status. - `"compliant"` - `"noncompliant"` - `"unknown"` - `connection_id: string` Posture Integration ID. - `CrowdstrikeInput { connection_id, last_seen, operator, 6 more }` - `connection_id: string` Posture Integration ID. - `last_seen: optional string` For more details on last seen, please refer to the Crowdstrike documentation. - `operator: optional "<" or "<=" or ">" or 2 more` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `os: optional string` Os Version. - `overall: optional string` Overall. - `sensor_config: optional string` SensorConfig. - `state: optional "online" or "offline" or "unknown"` For more details on state, please refer to the Crowdstrike documentation. - `"online"` - `"offline"` - `"unknown"` - `version: optional string` Version. - `versionOperator: optional "<" or "<=" or ">" or 2 more` Version Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `IntuneInput { compliance_status, connection_id }` - `compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more` Compliance Status. - `"compliant"` - `"noncompliant"` - `"unknown"` - `"notapplicable"` - `"ingraceperiod"` - `"error"` - `connection_id: string` Posture Integration ID. 
- `KolideInput { connection_id, countOperator, issue_count }` - `connection_id: string` Posture Integration ID. - `countOperator: "<" or "<=" or ">" or 2 more` Count Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `issue_count: string` The Number of Issues. - `TaniumInput { connection_id, eid_last_seen, operator, 3 more }` - `connection_id: string` Posture Integration ID. - `eid_last_seen: optional string` For more details on eid last seen, refer to the Tanium documentation. - `operator: optional "<" or "<=" or ">" or 2 more` Operator to evaluate risk_level or eid_last_seen. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `risk_level: optional "low" or "medium" or "high" or "critical"` For more details on risk level, refer to the Tanium documentation. - `"low"` - `"medium"` - `"high"` - `"critical"` - `scoreOperator: optional "<" or "<=" or ">" or 2 more` Score Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `total_score: optional number` For more details on total score, refer to the Tanium documentation. - `SentineloneS2sInput { connection_id, active_threats, infected, 4 more }` - `connection_id: string` Posture Integration ID. - `active_threats: optional number` The Number of active threats. - `infected: optional boolean` Whether device is infected. - `is_active: optional boolean` Whether device is active. - `network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"` Network status of device. - `"connected"` - `"disconnected"` - `"disconnecting"` - `"connecting"` - `operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more` Agent operational state. - `"na"` - `"partially_disabled"` - `"auto_fully_disabled"` - `"fully_disabled"` - `"auto_partially_disabled"` - `"disabled_error"` - `"db_corruption"` - `operator: optional "<" or "<=" or ">" or 2 more` Operator. 
- `"<"` - `"<="` - `">"` - `">="` - `"=="` - `TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }` - `connection_id: string` Posture Integration ID. - `operator: "<" or "<=" or ">" or 2 more` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `score: number` A value between 0-100 assigned to devices set by the 3rd party posture provider. - `match: optional array of DeviceMatch` The conditions that the client must match to run the rule. - `platform: optional "windows" or "mac" or "linux" or 3 more` - `"windows"` - `"mac"` - `"linux"` - `"android"` - `"ios"` - `"chromeos"` - `name: optional string` The name of the device posture rule. - `schedule: optional string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`. - `type: optional "file" or "application" or "tanium" or 20 more` The type of device posture rule. - `"file"` - `"application"` - `"tanium"` - `"gateway"` - `"warp"` - `"disk_encryption"` - `"serial_number"` - `"sentinelone"` - `"carbonblack"` - `"firewall"` - `"os_version"` - `"domain_joined"` - `"client_certificate"` - `"client_certificate_v2"` - `"antivirus"` - `"unique_client_id"` - `"kolide"` - `"tanium_s2s"` - `"crowdstrike_s2s"` - `"intune"` - `"workspace_one"` - `"sentinelone_s2s"` - `"custom_s2s"` - `success: true` Whether the API call was successful. 
  - `true`

### Example

```bash
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/posture/$RULE_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "Admin Serial Numbers",
    "type": "file",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "schedule": "1h"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "description": "The rule for admin serial numbers",
    "expiration": "1h",
    "input": {
      "operating_system": "linux",
      "path": "/bin/cat",
      "exists": true,
      "sha256": "https://api.us-2.crowdstrike.com",
      "thumbprint": "0aabab210bdb998e9cf45da2c9ce352977ab531c681b74cf1e487be1bbe9fe6e"
    },
    "match": [
      {
        "platform": "windows"
      }
    ],
    "name": "Admin Serial Numbers",
    "schedule": "1h",
    "type": "file"
  },
  "success": true
}
```

## Delete a device posture rule

**delete** `/accounts/{account_id}/devices/posture/{rule_id}`

Deletes a device posture rule.

### Path Parameters

- `account_id: string`
- `rule_id: string` API UUID.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: { id }`
  - `id: optional string` API UUID.
- `success: true` Whether the API call was successful.
  - `true`

### Example

```bash
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/posture/$RULE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Domain Types

### Carbonblack Input

- `CarbonblackInput = string`

### Client Certificate Input

- `ClientCertificateInput { certificate_id, cn }`
  - `certificate_id: string` UUID of Cloudflare managed certificate.
  - `cn: string` Common Name that is protected by the certificate.

### Crowdstrike Input

- `CrowdstrikeInput { connection_id, last_seen, operator, 6 more }`
  - `connection_id: string` Posture Integration ID.
  - `last_seen: optional string` For more details on last seen, refer to the Crowdstrike documentation.
  - `operator: optional "<" or "<=" or ">" or ">=" or "=="` Operator.
  - `os: optional string` OS version.
  - `overall: optional string` Overall.
  - `sensor_config: optional string` SensorConfig.
  - `state: optional "online" or "offline" or "unknown"` For more details on state, refer to the Crowdstrike documentation.
  - `version: optional string` Version.
  - `versionOperator: optional "<" or "<=" or ">" or ">=" or "=="` Version operator.

### Device Input

- `DeviceInput = FileInput or UniqueClientIDInput or DomainJoinedInput or 17 more` The value to be checked against.
  - `FileInput { operating_system, path, exists, 2 more }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
    - `path: string` File path.
    - `exists: optional boolean` Whether or not the file exists.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `UniqueClientIDInput { id, operating_system }`
    - `id: string` List ID.
    - `operating_system: "android" or "ios" or "chromeos"` Operating system.
  - `DomainJoinedInput { operating_system, domain }`
    - `operating_system: "windows"` Operating system.
    - `domain: optional string` Domain.
  - `OSVersionInput { operating_system, operator, version, 3 more }`
    - `operating_system: "windows"` Operating system.
    - `operator: "<" or "<=" or ">" or ">=" or "=="` Operator.
    - `version: string` Version of OS.
    - `os_distro_name: optional string` Operating system distribution name (Linux only).
    - `os_distro_revision: optional string` Version of OS distribution (Linux only).
    - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.
  - `FirewallInput { enabled, operating_system }`
    - `enabled: boolean` Enabled.
    - `operating_system: "windows" or "mac"` Operating system.
  - `SentineloneInput { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
    - `path: string` File path.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
    - `path: string` File path.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `TeamsDevicesAccessSerialNumberListInputRequest { id }`
    - `id: string` UUID of Access List.
  - `DiskEncryptionInput { checkDisks, requireAll }`
    - `checkDisks: optional array of CarbonblackInput` List of volume names to be checked for encryption.
    - `requireAll: optional boolean` Whether to check all disks for encryption.
  - `TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
    - `path: string` Path for the application.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `ClientCertificateInput { certificate_id, cn }`
    - `certificate_id: string` UUID of Cloudflare managed certificate.
    - `cn: string` Common Name that is protected by the certificate.
  - `TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }`
    - `certificate_id: string` UUID of Cloudflare managed certificate.
    - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
    - `cn: optional string` Certificate Common Name. This may include one or more variables in the `${ }` notation. Only `${serial_number}` and `${hostname}` are valid variables.
    - `extended_key_usage: optional array of "clientAuth" or "emailProtection"` List of values indicating purposes for which the certificate public key can be used.
    - `locations: optional { paths, trust_stores }`
      - `paths: optional array of string` List of paths to check for the client certificate on Linux.
      - `trust_stores: optional array of "system" or "user"` List of trust stores to check for the client certificate.
    - `subject_alternative_names: optional array of string` List of certificate Subject Alternative Names.
  - `TeamsDevicesAntivirusInputRequest { update_window_days }`
    - `update_window_days: optional number` Number of days within which the antivirus must have been updated.
  - `WorkspaceOneInput { compliance_status, connection_id }`
    - `compliance_status: "compliant" or "noncompliant" or "unknown"` Compliance status.
    - `connection_id: string` Posture Integration ID.
  - `CrowdstrikeInput { connection_id, last_seen, operator, 6 more }`
    - `connection_id: string` Posture Integration ID.
    - `last_seen: optional string` For more details on last seen, refer to the Crowdstrike documentation.
    - `operator: optional "<" or "<=" or ">" or ">=" or "=="` Operator.
    - `os: optional string` OS version.
    - `overall: optional string` Overall.
    - `sensor_config: optional string` SensorConfig.
    - `state: optional "online" or "offline" or "unknown"` For more details on state, refer to the Crowdstrike documentation.
    - `version: optional string` Version.
    - `versionOperator: optional "<" or "<=" or ">" or ">=" or "=="` Version operator.
  - `IntuneInput { compliance_status, connection_id }`
    - `compliance_status: "compliant" or "noncompliant" or "unknown" or "notapplicable" or "ingraceperiod" or "error"` Compliance status.
    - `connection_id: string` Posture Integration ID.
  - `KolideInput { connection_id, countOperator, issue_count }`
    - `connection_id: string` Posture Integration ID.
    - `countOperator: "<" or "<=" or ">" or ">=" or "=="` Count operator.
    - `issue_count: string` The number of issues.
  - `TaniumInput { connection_id, eid_last_seen, operator, 3 more }`
    - `connection_id: string` Posture Integration ID.
    - `eid_last_seen: optional string` For more details on eid last seen, refer to the Tanium documentation.
    - `operator: optional "<" or "<=" or ">" or ">=" or "=="` Operator to evaluate risk_level or eid_last_seen.
    - `risk_level: optional "low" or "medium" or "high" or "critical"` For more details on risk level, refer to the Tanium documentation.
    - `scoreOperator: optional "<" or "<=" or ">" or ">=" or "=="` Score operator.
    - `total_score: optional number` For more details on total score, refer to the Tanium documentation.
  - `SentineloneS2sInput { connection_id, active_threats, infected, 4 more }`
    - `connection_id: string` Posture Integration ID.
    - `active_threats: optional number` The number of active threats.
    - `infected: optional boolean` Whether the device is infected.
    - `is_active: optional boolean` Whether the device is active.
    - `network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"` Network status of the device.
    - `operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or "fully_disabled" or "auto_partially_disabled" or "disabled_error" or "db_corruption"` Agent operational state.
    - `operator: optional "<" or "<=" or ">" or ">=" or "=="` Operator.
  - `TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }`
    - `connection_id: string` Posture Integration ID.
    - `operator: "<" or "<=" or ">" or ">=" or "=="` Operator.
    - `score: number` A value between 0 and 100 assigned to the device by the third-party posture provider.
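The PUT example above sends a rule body straight to the API. As an added example (not Cloudflare's code or client library), the following script checks a rule body against the constraints this reference states before it leaves the machine: the `type` and operator enumerations, the `1m` minimum for `schedule`, the `0-100` range for a `custom_s2s` score, the `match.platform` values, and that a `sha256` is a 64-character hex digest (the `sha256` value in the sample response above is a generator placeholder, not a digest). `REQUIRED_INPUT`, which maps a rule `type` to the `DeviceInput` keys it needs, and the two sample bodies are this example's own constructions; `put_posture_rule` is only called once validation passes.

```python
"""Validate a device posture rule body before it is sent with PUT.

Added example, not Cloudflare's own code. Field names and constraints follow
the reference; REQUIRED_INPUT is this example's own mapping of a rule `type`
to the DeviceInput variant it expects.
"""
import json
import re
import urllib.request

RULE_TYPES = {
    "file", "application", "tanium", "gateway", "warp", "disk_encryption",
    "serial_number", "sentinelone", "carbonblack", "firewall", "os_version",
    "domain_joined", "client_certificate", "client_certificate_v2", "antivirus",
    "unique_client_id", "kolide", "tanium_s2s", "crowdstrike_s2s", "intune",
    "workspace_one", "sentinelone_s2s", "custom_s2s",
}
OPERATORS = {"<", "<=", ">", ">=", "=="}
PLATFORMS = {"windows", "mac", "linux", "android", "ios", "chromeos"}
OPERATOR_KEYS = ("operator", "countOperator", "scoreOperator", "versionOperator")
HEX_DIGEST = re.compile(r"^[0-9a-fA-F]{64}$")

# Assumption of this example: required `input` keys for a few rule types,
# read off the DeviceInput variants documented above.
REQUIRED_INPUT = {
    "file": {"operating_system", "path"},
    "application": {"operating_system", "path"},
    "os_version": {"operating_system", "operator", "version"},
    "firewall": {"enabled", "operating_system"},
    "serial_number": {"id"},
    "unique_client_id": {"id", "operating_system"},
    "client_certificate": {"certificate_id", "cn"},
    "kolide": {"connection_id", "countOperator", "issue_count"},
    "custom_s2s": {"connection_id", "operator", "score"},
}


def parse_duration(value):
    """Seconds for a `1m` / `5m` / `1h` style string, or None if malformed."""
    m = re.fullmatch(r"(\d+)([smh])", value or "")
    if not m:
        return None
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600}[m.group(2)]


def validate_rule(rule):
    """Return the list of problems found; an empty list means the body is well-formed."""
    problems = []
    rtype = rule.get("type")
    if rtype not in RULE_TYPES:
        problems.append(f"unknown type {rtype!r}")
    if not rule.get("name"):
        problems.append("name is required")
    if "schedule" in rule:
        secs = parse_duration(rule["schedule"])
        if secs is None:
            problems.append("schedule must look like 1m, 5m or 1h")
        elif secs < 60:  # documented minimum is 1m
            problems.append("schedule below the 1m minimum")
    if "expiration" in rule and parse_duration(rule["expiration"]) is None:
        problems.append("expiration must look like 1m, 5m or 1h")
    inp = rule.get("input") or {}
    missing = REQUIRED_INPUT.get(rtype, set()) - set(inp)
    if missing:
        problems.append(f"input is missing {sorted(missing)}")
    for key in OPERATOR_KEYS:
        if key in inp and inp[key] not in OPERATORS:
            problems.append(f"bad {key} {inp[key]!r}")
    if "sha256" in inp and not HEX_DIGEST.match(str(inp["sha256"])):
        problems.append("sha256 must be 64 hex characters")
    if rtype == "custom_s2s":
        score = inp.get("score")
        if not isinstance(score, (int, float)) or not 0 <= score <= 100:
            problems.append("score must be between 0 and 100")
    for cond in rule.get("match") or []:
        if cond.get("platform") not in PLATFORMS:
            problems.append(f"bad match platform {cond.get('platform')!r}")
    return problems


def put_posture_rule(account_id, rule_id, rule, token):
    """Validate locally, then PUT the rule; raises ValueError before any network call."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    url = (f"https://api.cloudflare.com/client/v4/accounts/{account_id}"
           f"/devices/posture/{rule_id}")
    req = urllib.request.Request(
        url, data=json.dumps(rule).encode(), method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample bodies for the example (not real rules or digests).
GOOD_RULE = {
    "name": "cat binary pinned", "type": "file", "expiration": "1h", "schedule": "5m",
    "input": {"operating_system": "linux", "path": "/bin/cat", "exists": True,
              "sha256": "0a" * 32},
    "match": [{"platform": "linux"}],
}
BAD_RULE = {
    "name": "", "type": "custom_s2s", "schedule": "30s",
    "input": {"connection_id": "conn-placeholder", "operator": "!=", "score": 150},
}

if __name__ == "__main__":
    for rule in (GOOD_RULE, BAD_RULE):
        print(rule["type"], validate_rule(rule) or "ok")
```

Rejecting a malformed body locally is cheaper than round-tripping it, and it keeps a `schedule` below the documented minimum or an out-of-range score from being pushed to every enrolled device by a typo in an automation job.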
### Device Match - `DeviceMatch { platform }` - `platform: optional "windows" or "mac" or "linux" or 3 more` - `"windows"` - `"mac"` - `"linux"` - `"android"` - `"ios"` - `"chromeos"` ### Device Posture Rule - `DevicePostureRule { id, description, expiration, 5 more }` - `id: optional string` API UUID. - `description: optional string` The description of the device posture rule. - `expiration: optional string` Sets the expiration time for a posture check result. If empty, the result remains valid until it is overwritten by new data from the WARP client. - `input: optional DeviceInput` The value to be checked against. - `FileInput { operating_system, path, exists, 2 more }` - `operating_system: "windows" or "linux" or "mac"` Operating system. - `"windows"` - `"linux"` - `"mac"` - `path: string` File path. - `exists: optional boolean` Whether or not file exists. - `sha256: optional string` SHA-256. - `thumbprint: optional string` Signing certificate thumbprint. - `UniqueClientIDInput { id, operating_system }` - `id: string` List ID. - `operating_system: "android" or "ios" or "chromeos"` Operating System. - `"android"` - `"ios"` - `"chromeos"` - `DomainJoinedInput { operating_system, domain }` - `operating_system: "windows"` Operating System. - `"windows"` - `domain: optional string` Domain. - `OSVersionInput { operating_system, operator, version, 3 more }` - `operating_system: "windows"` Operating System. - `"windows"` - `operator: "<" or "<=" or ">" or 2 more` Operator. - `"<"` - `"<="` - `">"` - `">="` - `"=="` - `version: string` Version of OS. - `os_distro_name: optional string` Operating System Distribution Name (linux only). - `os_distro_revision: optional string` Version of OS Distribution (linux only). - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version. 
  - `FirewallInput { enabled, operating_system }`
    - `enabled: boolean` Enabled.
    - `operating_system: "windows" or "mac"` Operating System.
      - `"windows"`
      - `"mac"`
  - `SentineloneInput { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` File path.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `TeamsDevicesCarbonblackInputRequest { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` File path.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `TeamsDevicesAccessSerialNumberListInputRequest { id }`
    - `id: string` UUID of Access List.
  - `DiskEncryptionInput { checkDisks, requireAll }`
    - `checkDisks: optional array of string` List of volume names to be checked for encryption.
    - `requireAll: optional boolean` Whether to check all disks for encryption.
  - `TeamsDevicesApplicationInputRequest { operating_system, path, sha256, thumbprint }`
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `path: string` Path for the application.
    - `sha256: optional string` SHA-256.
    - `thumbprint: optional string` Signing certificate thumbprint.
  - `ClientCertificateInput { certificate_id, cn }`
    - `certificate_id: string` UUID of Cloudflare managed certificate.
    - `cn: string` Common Name that is protected by the certificate.
  - `TeamsDevicesClientCertificateV2InputRequest { certificate_id, check_private_key, operating_system, 4 more }`
    - `certificate_id: string` UUID of Cloudflare managed certificate.
    - `check_private_key: boolean` Confirm the certificate was not imported from another device. We recommend keeping this enabled unless the certificate was deployed without a private key.
    - `operating_system: "windows" or "linux" or "mac"` Operating system.
      - `"windows"`
      - `"linux"`
      - `"mac"`
    - `cn: optional string` Certificate Common Name. This may include one or more variables in the `${ }` notation. Only `${serial_number}` and `${hostname}` are valid variables.
    - `extended_key_usage: optional array of "clientAuth" or "emailProtection"` List of values indicating purposes for which the certificate public key can be used.
      - `"clientAuth"`
      - `"emailProtection"`
    - `locations: optional { paths, trust_stores }`
      - `paths: optional array of string` List of paths to check for the client certificate on Linux.
      - `trust_stores: optional array of "system" or "user"` List of trust stores to check for the client certificate.
        - `"system"`
        - `"user"`
    - `subject_alternative_names: optional array of string` List of certificate Subject Alternative Names.
  - `TeamsDevicesAntivirusInputRequest { update_window_days }`
    - `update_window_days: optional number` Number of days within which the antivirus must have been updated.
  - `WorkspaceOneInput { compliance_status, connection_id }`
    - `compliance_status: "compliant" or "noncompliant" or "unknown"` Compliance Status.
      - `"compliant"`
      - `"noncompliant"`
      - `"unknown"`
    - `connection_id: string` Posture Integration ID.
  - `CrowdstrikeInput { connection_id, last_seen, operator, 6 more }`
    - `connection_id: string` Posture Integration ID.
    - `last_seen: optional string` For more details on last seen, please refer to the Crowdstrike documentation.
    - `operator: optional "<" or "<=" or ">" or 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `os: optional string` OS Version.
    - `overall: optional string` Overall.
    - `sensor_config: optional string` SensorConfig.
    - `state: optional "online" or "offline" or "unknown"` For more details on state, please refer to the Crowdstrike documentation.
      - `"online"`
      - `"offline"`
      - `"unknown"`
    - `version: optional string` Version.
    - `versionOperator: optional "<" or "<=" or ">" or 2 more` Version Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
  - `IntuneInput { compliance_status, connection_id }`
    - `compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more` Compliance Status.
      - `"compliant"`
      - `"noncompliant"`
      - `"unknown"`
      - `"notapplicable"`
      - `"ingraceperiod"`
      - `"error"`
    - `connection_id: string` Posture Integration ID.
  - `KolideInput { connection_id, countOperator, issue_count }`
    - `connection_id: string` Posture Integration ID.
    - `countOperator: "<" or "<=" or ">" or 2 more` Count Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `issue_count: string` The Number of Issues.
  - `TaniumInput { connection_id, eid_last_seen, operator, 3 more }`
    - `connection_id: string` Posture Integration ID.
    - `eid_last_seen: optional string` For more details on eid last seen, refer to the Tanium documentation.
    - `operator: optional "<" or "<=" or ">" or 2 more` Operator to evaluate risk_level or eid_last_seen.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `risk_level: optional "low" or "medium" or "high" or "critical"` For more details on risk level, refer to the Tanium documentation.
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"critical"`
    - `scoreOperator: optional "<" or "<=" or ">" or 2 more` Score Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `total_score: optional number` For more details on total score, refer to the Tanium documentation.
  - `SentineloneS2sInput { connection_id, active_threats, infected, 4 more }`
    - `connection_id: string` Posture Integration ID.
    - `active_threats: optional number` The Number of active threats.
    - `infected: optional boolean` Whether the device is infected.
    - `is_active: optional boolean` Whether the device is active.
    - `network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"` Network status of the device.
      - `"connected"`
      - `"disconnected"`
      - `"disconnecting"`
      - `"connecting"`
    - `operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more` Agent operational state.
      - `"na"`
      - `"partially_disabled"`
      - `"auto_fully_disabled"`
      - `"fully_disabled"`
      - `"auto_partially_disabled"`
      - `"disabled_error"`
      - `"db_corruption"`
    - `operator: optional "<" or "<=" or ">" or 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
  - `TeamsDevicesCustomS2sInputRequest { connection_id, operator, score }`
    - `connection_id: string` Posture Integration ID.
    - `operator: "<" or "<=" or ">" or 2 more` Operator.
      - `"<"`
      - `"<="`
      - `">"`
      - `">="`
      - `"=="`
    - `score: number` A value between 0-100 assigned to devices by the third-party posture provider.
- `match: optional array of DeviceMatch` The conditions that the client must match to run the rule.
  - `platform: optional "windows" or "mac" or "linux" or 3 more`
    - `"windows"`
    - `"mac"`
    - `"linux"`
    - `"android"`
    - `"ios"`
    - `"chromeos"`
- `name: optional string` The name of the device posture rule.
- `schedule: optional string` Polling frequency for the WARP client posture check. Default: `5m` (poll every five minutes). Minimum: `1m`.
- `type: optional "file" or "application" or "tanium" or 20 more` The type of device posture rule.
  - `"file"`
  - `"application"`
  - `"tanium"`
  - `"gateway"`
  - `"warp"`
  - `"disk_encryption"`
  - `"serial_number"`
  - `"sentinelone"`
  - `"carbonblack"`
  - `"firewall"`
  - `"os_version"`
  - `"domain_joined"`
  - `"client_certificate"`
  - `"client_certificate_v2"`
  - `"antivirus"`
  - `"unique_client_id"`
  - `"kolide"`
  - `"tanium_s2s"`
  - `"crowdstrike_s2s"`
  - `"intune"`
  - `"workspace_one"`
  - `"sentinelone_s2s"`
  - `"custom_s2s"`

### Disk Encryption Input

- `DiskEncryptionInput { checkDisks, requireAll }`
  - `checkDisks: optional array of string` List of volume names to be checked for encryption.
  - `requireAll: optional boolean` Whether to check all disks for encryption.

### Domain Joined Input

- `DomainJoinedInput { operating_system, domain }`
  - `operating_system: "windows"` Operating System.
    - `"windows"`
  - `domain: optional string` Domain.
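The inputs above are sent as JSON, and the values that carry the security weight (`sha256`, `cn`, `check_private_key`, `checkDisks`) are easy to get subtly wrong. The following is an added example, not Cloudflare code: it pins a `file` input's `sha256` from a trusted copy of the binary, rejects a `client_certificate_v2` `cn` that uses anything but the two permitted variables, and builds a `disk_encryption` input. It assumes that `${serial_number}` and `${hostname}` are expanded by plain substitution on the device, and the `certificate_id` and Windows path are placeholders.

```python
"""Build WARP device posture rule `input` objects from the domain types above.

Added example, not Cloudflare code. Field names follow the page; the way a
device expands ${serial_number}/${hostname} in `cn` is assumed to be a plain
string substitution, and the UUID and paths below are placeholders.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Optional

# The only variables the API accepts inside a client_certificate_v2 `cn`.
ALLOWED_CN_VARS = {"serial_number", "hostname"}
_VAR_RE = re.compile(r"\$\{([^}]*)\}")
_OS_CHOICES = ("windows", "linux", "mac")


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_file_input(operating_system: str, path: str,
                     trusted_copy: Optional[str] = None) -> Dict:
    """`file` input. Pinning `sha256` from a trusted copy of the binary means a
    renamed or tampered file at `path` fails the check, not only a missing one."""
    if operating_system not in _OS_CHOICES:
        raise ValueError(f"unsupported operating_system: {operating_system}")
    body: Dict = {"operating_system": operating_system, "path": path, "exists": True}
    if trusted_copy is not None:
        body["sha256"] = sha256_of_file(trusted_copy)
    return body


def validate_cn_template(cn: str) -> List[str]:
    """Return the variables used in `cn`; anything other than ${serial_number}
    or ${hostname} is rejected before the rule is sent to the API."""
    used = _VAR_RE.findall(cn)
    bad = [v for v in used if v not in ALLOWED_CN_VARS]
    if bad:
        raise ValueError(f"invalid cn variable(s): {bad}")
    return used


def render_cn(cn: str, serial_number: str, hostname: str) -> str:
    """Preview the CN a given device would be matched against (assumed plain
    substitution), so the certificate you issue carries the right subject."""
    validate_cn_template(cn)
    return cn.replace("${serial_number}", serial_number).replace("${hostname}", hostname)


def build_client_certificate_v2_input(certificate_id: str, operating_system: str,
                                      cn: str, check_private_key: bool = True) -> Dict:
    """`client_certificate_v2` input. Leave check_private_key on unless the
    certificate was deployed without a private key: it is what stops a
    certificate exported from one machine from passing posture on another."""
    if operating_system not in _OS_CHOICES:
        raise ValueError(f"unsupported operating_system: {operating_system}")
    validate_cn_template(cn)
    return {
        "certificate_id": certificate_id,
        "operating_system": operating_system,
        "cn": cn,
        "check_private_key": check_private_key,
        "extended_key_usage": ["clientAuth"],
    }


def build_disk_encryption_input(volumes: List[str], require_all: bool = False) -> Dict:
    """`disk_encryption` input. checkDisks is a list of volume names ("C", "D")."""
    if not volumes and not require_all:
        raise ValueError("list volumes in checkDisks or set requireAll")
    return {"checkDisks": list(volumes), "requireAll": require_all}


def demo() -> Dict:
    """Build all three inputs. The 'trusted copy' is a constructed temp file
    containing b"abc" so the pinned hash is reproducible."""
    fd, tmp = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"abc")
    try:
        file_input = build_file_input("windows", r"C:\Program Files\Agent\agent.exe", tmp)
    finally:
        os.unlink(tmp)
    return {
        "file": file_input,
        "client_certificate_v2": build_client_certificate_v2_input(
            "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",  # placeholder certificate_id
            "mac", "${hostname}.corp.example"),
        "disk_encryption": build_disk_encryption_input(["C", "D"]),
    }
```

Each returned dict is the value of the rule's `input` field; the matching `type` (`file`, `client_certificate_v2`, `disk_encryption`) goes alongside it in the rule body. Hash the binary you actually deploy, not a copy downloaded at rule-authoring time, otherwise the pin proves nothing.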
### File Input

- `FileInput { operating_system, path, exists, 2 more }`
  - `operating_system: "windows" or "linux" or "mac"` Operating system.
    - `"windows"`
    - `"linux"`
    - `"mac"`
  - `path: string` File path.
  - `exists: optional boolean` Whether or not the file exists.
  - `sha256: optional string` SHA-256.
  - `thumbprint: optional string` Signing certificate thumbprint.

### Firewall Input

- `FirewallInput { enabled, operating_system }`
  - `enabled: boolean` Enabled.
  - `operating_system: "windows" or "mac"` Operating System.
    - `"windows"`
    - `"mac"`

### Intune Input

- `IntuneInput { compliance_status, connection_id }`
  - `compliance_status: "compliant" or "noncompliant" or "unknown" or 3 more` Compliance Status.
    - `"compliant"`
    - `"noncompliant"`
    - `"unknown"`
    - `"notapplicable"`
    - `"ingraceperiod"`
    - `"error"`
  - `connection_id: string` Posture Integration ID.

### Kolide Input

- `KolideInput { connection_id, countOperator, issue_count }`
  - `connection_id: string` Posture Integration ID.
  - `countOperator: "<" or "<=" or ">" or 2 more` Count Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `issue_count: string` The Number of Issues.

### OS Version Input

- `OSVersionInput { operating_system, operator, version, 3 more }`
  - `operating_system: "windows"` Operating System.
    - `"windows"`
  - `operator: "<" or "<=" or ">" or 2 more` Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `version: string` Version of OS.
  - `os_distro_name: optional string` Operating System Distribution Name (Linux only).
  - `os_distro_revision: optional string` Version of OS Distribution (Linux only).
  - `os_version_extra: optional string` Additional operating system version details. For Windows, the UBR (Update Build Revision). For Mac or iOS, the Product Version Extra. For Linux, the distribution name and version.

### Sentinelone Input

- `SentineloneInput { operating_system, path, sha256, thumbprint }`
  - `operating_system: "windows" or "linux" or "mac"` Operating system.
    - `"windows"`
    - `"linux"`
    - `"mac"`
  - `path: string` File path.
  - `sha256: optional string` SHA-256.
  - `thumbprint: optional string` Signing certificate thumbprint.

### Sentinelone S2s Input

- `SentineloneS2sInput { connection_id, active_threats, infected, 4 more }`
  - `connection_id: string` Posture Integration ID.
  - `active_threats: optional number` The Number of active threats.
  - `infected: optional boolean` Whether the device is infected.
  - `is_active: optional boolean` Whether the device is active.
  - `network_status: optional "connected" or "disconnected" or "disconnecting" or "connecting"` Network status of the device.
    - `"connected"`
    - `"disconnected"`
    - `"disconnecting"`
    - `"connecting"`
  - `operational_state: optional "na" or "partially_disabled" or "auto_fully_disabled" or 4 more` Agent operational state.
    - `"na"`
    - `"partially_disabled"`
    - `"auto_fully_disabled"`
    - `"fully_disabled"`
    - `"auto_partially_disabled"`
    - `"disabled_error"`
    - `"db_corruption"`
  - `operator: optional "<" or "<=" or ">" or 2 more` Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`

### Tanium Input

- `TaniumInput { connection_id, eid_last_seen, operator, 3 more }`
  - `connection_id: string` Posture Integration ID.
  - `eid_last_seen: optional string` For more details on eid last seen, refer to the Tanium documentation.
  - `operator: optional "<" or "<=" or ">" or 2 more` Operator to evaluate risk_level or eid_last_seen.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `risk_level: optional "low" or "medium" or "high" or "critical"` For more details on risk level, refer to the Tanium documentation.
    - `"low"`
    - `"medium"`
    - `"high"`
    - `"critical"`
  - `scoreOperator: optional "<" or "<=" or ">" or 2 more` Score Operator.
    - `"<"`
    - `"<="`
    - `">"`
    - `">="`
    - `"=="`
  - `total_score: optional number` For more details on total score, refer to the Tanium documentation.

### Unique Client ID Input

- `UniqueClientIDInput { id, operating_system }`
  - `id: string` List ID.
  - `operating_system: "android" or "ios" or "chromeos"` Operating System.
    - `"android"`
    - `"ios"`
    - `"chromeos"`

### Workspace One Input

- `WorkspaceOneInput { compliance_status, connection_id }`
  - `compliance_status: "compliant" or "noncompliant" or "unknown"` Compliance Status.
    - `"compliant"`
    - `"noncompliant"`
    - `"unknown"`
  - `connection_id: string` Posture Integration ID.

### Posture Delete Response

- `PostureDeleteResponse { id }`
  - `id: optional string` API UUID.

# Integrations

## List your device posture integrations

**get** `/accounts/{account_id}/devices/posture/integration`

Fetches the list of device posture integrations for an account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of Integration`
  - `id: optional string` API UUID.
  - `config: optional { api_url, auth_url, client_id }` The configuration object containing third-party integration information.
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval: optional string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name: optional string` The name of the device posture integration.
  - `type: optional "workspace_one" or "crowdstrike_s2s" or "uptycs" or 5 more` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/posture/integration \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "config": {
        "api_url": "https://as123.awmdm.com/API",
        "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
        "client_id": "example client id"
      },
      "interval": "10m",
      "name": "My Workspace One Integration",
      "type": "workspace_one"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get device posture integration details

**get** `/accounts/{account_id}/devices/posture/integration/{integration_id}`

Fetches details for a single device posture integration.

### Path Parameters

- `account_id: string`
- `integration_id: string` API UUID.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Integration`
  - `id: optional string` API UUID.
  - `config: optional { api_url, auth_url, client_id }` The configuration object containing third-party integration information.
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval: optional string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name: optional string` The name of the device posture integration.
  - `type: optional "workspace_one" or "crowdstrike_s2s" or "uptycs" or 5 more` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/posture/integration/$INTEGRATION_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

## Create a device posture integration

**post** `/accounts/{account_id}/devices/posture/integration`

Create a new device posture integration.

### Path Parameters

- `account_id: string`

### Body Parameters

- `config: { api_url, auth_url, client_id, client_secret } or { api_url, client_id, client_secret, customer_id } or { api_url, client_key, client_secret, customer_id } or 5 more` The configuration object containing third-party integration information.
  - `TeamsDevicesWorkspaceOneConfigRequest { api_url, auth_url, client_id, client_secret }`
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
    - `client_secret: string` The Workspace One client secret provided in the Workspace One Admin Dashboard.
  - `TeamsDevicesCrowdstrikeConfigRequest { api_url, client_id, client_secret, customer_id }`
    - `api_url: string` The Crowdstrike API URL.
    - `client_id: string` The Crowdstrike client ID.
    - `client_secret: string` The Crowdstrike client secret.
    - `customer_id: string` The Crowdstrike customer ID.
  - `TeamsDevicesUptycsConfigRequest { api_url, client_key, client_secret, customer_id }`
    - `api_url: string` The Uptycs API URL.
    - `client_key: string` The Uptycs client key.
    - `client_secret: string` The Uptycs client secret.
    - `customer_id: string` The Uptycs customer ID.
  - `TeamsDevicesIntuneConfigRequest { client_id, client_secret, customer_id }`
    - `client_id: string` The Intune client ID.
    - `client_secret: string` The Intune client secret.
    - `customer_id: string` The Intune customer ID.
  - `TeamsDevicesKolideConfigRequest { client_id, client_secret }`
    - `client_id: string` The Kolide client ID.
    - `client_secret: string` The Kolide client secret.
  - `TeamsDevicesTaniumConfigRequest { api_url, client_secret, access_client_id, access_client_secret }`
    - `api_url: string` The Tanium API URL.
    - `client_secret: string` The Tanium client secret.
    - `access_client_id: optional string` If present, this ID will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
    - `access_client_secret: optional string` If present, this secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
  - `TeamsDevicesSentineloneS2sConfigRequest { api_url, client_secret }`
    - `api_url: string` The SentinelOne S2S API URL.
    - `client_secret: string` The SentinelOne S2S client secret.
  - `TeamsDevicesCustomS2sConfigRequest { access_client_id, access_client_secret, api_url }`
    - `access_client_id: string` This ID will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
    - `access_client_secret: string` This secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
    - `api_url: string` The Custom Device Posture Integration API URL.
- `interval: string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
- `name: string` The name of the device posture integration.
- `type: "workspace_one" or "crowdstrike_s2s" or "uptycs" or 5 more` The type of device posture integration.
  - `"workspace_one"`
  - `"crowdstrike_s2s"`
  - `"uptycs"`
  - `"intune"`
  - `"kolide"`
  - `"tanium_s2s"`
  - `"sentinelone_s2s"`
  - `"custom_s2s"`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Integration`
  - `id: optional string` API UUID.
  - `config: optional { api_url, auth_url, client_id }` The configuration object containing third-party integration information.
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval: optional string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name: optional string` The name of the device posture integration.
  - `type: optional "workspace_one" or "crowdstrike_s2s" or "uptycs" or 5 more` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/posture/integration \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id",
      "client_secret": "example client secret"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

Note that the response echoes `client_id` but never `client_secret`; once stored, the secret cannot be read back through the API.

## Update a device posture integration

**patch** `/accounts/{account_id}/devices/posture/integration/{integration_id}`

Updates a configured device posture integration.

### Path Parameters

- `account_id: string`
- `integration_id: string` API UUID.

### Body Parameters

- `config: optional { api_url, auth_url, client_id, client_secret } or { api_url, client_id, client_secret, customer_id } or { api_url, client_key, client_secret, customer_id } or 5 more` The configuration object containing third-party integration information.
  - `TeamsDevicesWorkspaceOneConfigRequest { api_url, auth_url, client_id, client_secret }`
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
    - `client_secret: string` The Workspace One client secret provided in the Workspace One Admin Dashboard.
  - `TeamsDevicesCrowdstrikeConfigRequest { api_url, client_id, client_secret, customer_id }`
    - `api_url: string` The Crowdstrike API URL.
    - `client_id: string` The Crowdstrike client ID.
    - `client_secret: string` The Crowdstrike client secret.
    - `customer_id: string` The Crowdstrike customer ID.
  - `TeamsDevicesUptycsConfigRequest { api_url, client_key, client_secret, customer_id }`
    - `api_url: string` The Uptycs API URL.
    - `client_key: string` The Uptycs client key.
    - `client_secret: string` The Uptycs client secret.
    - `customer_id: string` The Uptycs customer ID.
  - `TeamsDevicesIntuneConfigRequest { client_id, client_secret, customer_id }`
    - `client_id: string` The Intune client ID.
    - `client_secret: string` The Intune client secret.
    - `customer_id: string` The Intune customer ID.
  - `TeamsDevicesKolideConfigRequest { client_id, client_secret }`
    - `client_id: string` The Kolide client ID.
    - `client_secret: string` The Kolide client secret.
  - `TeamsDevicesTaniumConfigRequest { api_url, client_secret, access_client_id, access_client_secret }`
    - `api_url: string` The Tanium API URL.
    - `client_secret: string` The Tanium client secret.
    - `access_client_id: optional string` If present, this ID will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
    - `access_client_secret: optional string` If present, this secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
  - `TeamsDevicesSentineloneS2sConfigRequest { api_url, client_secret }`
    - `api_url: string` The SentinelOne S2S API URL.
    - `client_secret: string` The SentinelOne S2S client secret.
  - `TeamsDevicesCustomS2sConfigRequest { access_client_id, access_client_secret, api_url }`
    - `access_client_id: string` This ID will be passed in the `CF-Access-Client-ID` header when hitting the `api_url`.
    - `access_client_secret: string` This secret will be passed in the `CF-Access-Client-Secret` header when hitting the `api_url`.
    - `api_url: string` The Custom Device Posture Integration API URL.
- `interval: optional string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
- `name: optional string` The name of the device posture integration.
- `type: optional "workspace_one" or "crowdstrike_s2s" or "uptycs" or 5 more` The type of device posture integration.
  - `"workspace_one"`
  - `"crowdstrike_s2s"`
  - `"uptycs"`
  - `"intune"`
  - `"kolide"`
  - `"tanium_s2s"`
  - `"sentinelone_s2s"`
  - `"custom_s2s"`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Integration`
  - `id: optional string` API UUID.
  - `config: optional { api_url, auth_url, client_id }` The configuration object containing third-party integration information.
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval: optional string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name: optional string` The name of the device posture integration.
  - `type: optional "workspace_one" or "crowdstrike_s2s" or "uptycs" or 5 more` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/posture/integration/$INTEGRATION_ID \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id",
      "client_secret": "example client secret"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "config": {
      "api_url": "https://as123.awmdm.com/API",
      "auth_url": "https://na.uemauth.workspaceone.com/connect/token",
      "client_id": "example client id"
    },
    "interval": "10m",
    "name": "My Workspace One Integration",
    "type": "workspace_one"
  },
  "success": true
}
```

## Delete a device posture integration

**delete** `/accounts/{account_id}/devices/posture/integration/{integration_id}`

Delete a configured device posture integration.

### Path Parameters

- `account_id: string`
- `integration_id: string` API UUID.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: unknown or string`
  - `unknown`
  - `string`
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/posture/integration/$INTEGRATION_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Integration

- `Integration { id, config, interval, 2 more }`
  - `id: optional string` API UUID.
  - `config: optional { api_url, auth_url, client_id }` The configuration object containing third-party integration information.
    - `api_url: string` The Workspace One API URL provided in the Workspace One Admin Dashboard.
    - `auth_url: string` The Workspace One Authorization URL depending on your region.
    - `client_id: string` The Workspace One client ID provided in the Workspace One Admin Dashboard.
  - `interval: optional string` The interval between each posture check with the third-party API. Use `m` for minutes (e.g. `5m`) and `h` for hours (e.g. `12h`).
  - `name: optional string` The name of the device posture integration.
  - `type: optional "workspace_one" or "crowdstrike_s2s" or "uptycs" or 5 more` The type of device posture integration.
    - `"workspace_one"`
    - `"crowdstrike_s2s"`
    - `"uptycs"`
    - `"intune"`
    - `"kolide"`
    - `"tanium_s2s"`
    - `"sentinelone_s2s"`
    - `"custom_s2s"`

### Integration Delete Response

- `IntegrationDeleteResponse = unknown or string`
  - `unknown`
  - `string`

# Revoke

## Revoke devices (deprecated)

**post** `/accounts/{account_id}/devices/revoke`

Revokes a list of devices. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled.

**Deprecated**: please use POST /accounts/{account_id}/devices/registrations/revoke instead.

### Path Parameters

- `account_id: string`

### Body Parameters

- `body: array of string` A list of Registration IDs to revoke.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: unknown or string`
  - `unknown`
  - `string`
- `success: true` Whether the API call was successful.
- `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/revoke \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '[ "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" ]' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": {}, "success": true } ``` ## Domain Types ### Revoke Create Response - `RevokeCreateResponse = unknown or string` - `unknown` - `string` # Settings ## Get device settings for a Zero Trust account **get** `/accounts/{account_id}/devices/settings` Describes the current device settings for a Zero Trust account. ### Path Parameters - `account_id: string` ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: DeviceSettings` - `disable_for_time: optional number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP. - `external_emergency_signal_enabled: optional boolean` Controls whether the external emergency disconnect feature is enabled. - `external_emergency_signal_fingerprint: optional string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value. 
- `external_emergency_signal_interval: optional string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds. - `external_emergency_signal_url: optional string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host. - `gateway_proxy_enabled: optional boolean` Enable gateway proxy filtering on TCP. - `gateway_udp_proxy_enabled: optional boolean` Enable gateway proxy filtering on UDP. - `root_certificate_installation_enabled: optional boolean` Enable installation of cloudflare managed root certificate. - `use_zt_virtual_ip: optional boolean` Enable using CGNAT virtual IPv4. - `success: true` Whether the API call was successful. - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/settings \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "disable_for_time": 0, "external_emergency_signal_enabled": true, "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234", "external_emergency_signal_interval": "5m", "external_emergency_signal_url": "https://192.0.2.1/signal", "gateway_proxy_enabled": true, "gateway_udp_proxy_enabled": true, "root_certificate_installation_enabled": true, "use_zt_virtual_ip": true }, "success": true } ``` ## Update device settings for a Zero Trust account **put** `/accounts/{account_id}/devices/settings` Updates the current device settings for a Zero Trust account. 
### Path Parameters

- `account_id: string`

### Body Parameters

- `disable_for_time: optional number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
- `external_emergency_signal_enabled: optional boolean` Controls whether the external emergency disconnect feature is enabled.
- `external_emergency_signal_fingerprint: optional string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
- `external_emergency_signal_interval: optional string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
- `external_emergency_signal_url: optional string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
- `gateway_proxy_enabled: optional boolean` Enable gateway proxy filtering on TCP.
- `gateway_udp_proxy_enabled: optional boolean` Enable gateway proxy filtering on UDP.
- `root_certificate_installation_enabled: optional boolean` Enable installation of the Cloudflare-managed root certificate.
- `use_zt_virtual_ip: optional boolean` Enable using CGNAT virtual IPv4.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: DeviceSettings`
  - `disable_for_time: optional number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled: optional boolean` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint: optional string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval: optional string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url: optional string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled: optional boolean` Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled: optional boolean` Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled: optional boolean` Enable installation of the Cloudflare-managed root certificate.
  - `use_zt_virtual_ip: optional boolean` Enable using CGNAT virtual IPv4.
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/settings \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Patch device settings for a Zero Trust account

**patch** `/accounts/{account_id}/devices/settings`

Patches the current device settings for a Zero Trust account.

### Path Parameters

- `account_id: string`

### Body Parameters

- `disable_for_time: optional number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
- `external_emergency_signal_enabled: optional boolean` Controls whether the external emergency disconnect feature is enabled.
- `external_emergency_signal_fingerprint: optional string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
- `external_emergency_signal_interval: optional string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
- `external_emergency_signal_url: optional string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
- `gateway_proxy_enabled: optional boolean` Enable gateway proxy filtering on TCP.
- `gateway_udp_proxy_enabled: optional boolean` Enable gateway proxy filtering on UDP.
- `root_certificate_installation_enabled: optional boolean` Enable installation of the Cloudflare-managed root certificate.
- `use_zt_virtual_ip: optional boolean` Enable using CGNAT virtual IPv4.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: DeviceSettings`
  - `disable_for_time: optional number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled: optional boolean` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint: optional string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval: optional string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url: optional string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled: optional boolean` Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled: optional boolean` Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled: optional boolean` Enable installation of the Cloudflare-managed root certificate.
  - `use_zt_virtual_ip: optional boolean` Enable using CGNAT virtual IPv4.
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/settings \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Reset device settings for a Zero Trust account with defaults. This turns off all proxying.

**delete** `/accounts/{account_id}/devices/settings`

Resets the current device settings for a Zero Trust account.
### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: DeviceSettings`
  - `disable_for_time: optional number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled: optional boolean` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint: optional string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval: optional string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url: optional string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled: optional boolean` Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled: optional boolean` Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled: optional boolean` Enable installation of the Cloudflare-managed root certificate.
  - `use_zt_virtual_ip: optional boolean` Enable using CGNAT virtual IPv4.
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/settings \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "disable_for_time": 0,
    "external_emergency_signal_enabled": true,
    "external_emergency_signal_fingerprint": "abcd1234567890abcd1234567890abcd1234567890abcd1234567890abcd1234",
    "external_emergency_signal_interval": "5m",
    "external_emergency_signal_url": "https://192.0.2.1/signal",
    "gateway_proxy_enabled": true,
    "gateway_udp_proxy_enabled": true,
    "root_certificate_installation_enabled": true,
    "use_zt_virtual_ip": true
  },
  "success": true
}
```

## Domain Types

### Device Settings

- `DeviceSettings { disable_for_time, external_emergency_signal_enabled, external_emergency_signal_fingerprint, 6 more }`
  - `disable_for_time: optional number` Sets the time limit, in seconds, that a user can use an override code to bypass WARP.
  - `external_emergency_signal_enabled: optional boolean` Controls whether the external emergency disconnect feature is enabled.
  - `external_emergency_signal_fingerprint: optional string` The SHA256 fingerprint (64 hexadecimal characters) of the HTTPS server certificate for the external_emergency_signal_url. If provided, the WARP client will use this value to verify the server's identity. The device will ignore any response if the server's certificate fingerprint does not exactly match this value.
  - `external_emergency_signal_interval: optional string` The interval at which the WARP client fetches the emergency disconnect signal, formatted as a duration string (e.g., "5m", "2m30s", "1h"). Minimum 30 seconds.
  - `external_emergency_signal_url: optional string` The HTTPS URL from which to fetch the emergency disconnect signal. Must use HTTPS and have an IPv4 or IPv6 address as the host.
  - `gateway_proxy_enabled: optional boolean` Enable gateway proxy filtering on TCP.
  - `gateway_udp_proxy_enabled: optional boolean` Enable gateway proxy filtering on UDP.
  - `root_certificate_installation_enabled: optional boolean` Enable installation of the Cloudflare-managed root certificate.
  - `use_zt_virtual_ip: optional boolean` Enable using CGNAT virtual IPv4.

# Unrevoke

## Unrevoke devices (deprecated)

**post** `/accounts/{account_id}/devices/unrevoke`

Unrevokes a list of devices. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled.

**Deprecated**: please use POST /accounts/{account_id}/devices/registrations/unrevoke instead.

### Path Parameters

- `account_id: string`

### Body Parameters

- `body: array of string` A list of Registration IDs to unrevoke.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: unknown or string`
  - `unknown`
  - `string`
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/unrevoke \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '[
    "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  ]'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Unrevoke Create Response

- `UnrevokeCreateResponse = unknown or string`
  - `unknown`
  - `string`

# Override Codes

## Get override codes (deprecated)

**get** `/accounts/{account_id}/devices/{device_id}/override_codes`

Fetches a one-time use admin override code for a device. This relies on the **Admin Override** setting being enabled in your device configuration. Not supported when [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/) is enabled for the account.

**Deprecated:** please use GET /accounts/{account_id}/devices/registrations/{registration_id}/override_codes instead.

### Path Parameters

- `account_id: string`
- `device_id: string` Registration ID. Equal to Device ID except for accounts which enabled [multi-user mode](https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-multiuser/).

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of unknown`
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/$DEVICE_ID/override_codes \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {}
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get override codes

**get** `/accounts/{account_id}/devices/registrations/{registration_id}/override_codes`

Fetches one-time use admin override codes for a registration. This relies on the **Admin Override** setting being enabled in your device configuration.

### Path Parameters

- `account_id: string`
- `registration_id: string`

### Returns

- `errors: array of { code, message }`
  - `code: number`
  - `message: string`
- `messages: array of { code, message }`
  - `code: number`
  - `message: string`
- `result: { disable_for_time }`
  - `disable_for_time: optional map[string]`
- `success: boolean` Whether the API call was successful.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/registrations/$REGISTRATION_ID/override_codes \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "messages": [
    {
      "code": 0,
      "message": "message"
    }
  ],
  "result": {
    "disable_for_time": {
      "foo": "string"
    }
  },
  "success": true
}
```

## Domain Types

### Override Code List Response

- `OverrideCodeListResponse = unknown`

### Override Code Get Response

- `OverrideCodeGetResponse { disable_for_time }`
  - `disable_for_time: optional map[string]`

# Identity Providers

## List Access identity providers

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers`

Lists all configured identity providers.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.
- `scim_enabled: optional string` Indicates to Access to only retrieve identity providers that have the System for Cross-Domain Identity Management (SCIM) enabled.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of AzureAD or { config, name, type, 2 more } or { config, name, type, 2 more } or 10 more`
  - `AzureAD { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 5 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `conditional_access_enabled: optional boolean` Should Cloudflare try to load authentication contexts from your account
      - `directory_id: optional string` Your Azure directory UUID
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `prompt: optional "login" or "select_account" or "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn't presented with any interactive prompt, and if the request can't be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or remembered, or an option to use a different account altogether.
        - `"login"`
        - `"select_account"`
        - `"none"`
      - `support_groups: optional boolean` Should Cloudflare try to load groups from your account
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `"onetimepin"`
      - `"azureAD"`
      - `"saml"`
      - `"centrify"`
      - `"facebook"`
      - `"github"`
      - `"google-apps"`
      - `"google"`
      - `"linkedin"`
      - `"oidc"`
      - `"okta"`
      - `"onelogin"`
      - `"pingone"`
      - `"yandex"`
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `enabled: optional boolean` A flag to enable or disable SCIM for the identity provider.
      - `identity_update_behavior: optional "automatic" or "reauth" or "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `"automatic"`
        - `"reauth"`
        - `"no_action"`
      - `scim_base_url: optional string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `seat_deprovision: optional boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `secret: optional string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `user_deprovision: optional boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `AccessCentrify { config, name, type, 2 more }`
    - `config: { centrify_account, centrify_app_id, claims, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `centrify_account: optional string` Your Centrify account URL
      - `centrify_app_id: optional string` Your Centrify app ID
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessFacebook { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGitHub { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogle { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, email_claim_name }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogleApps { config, name, type, 2 more }`
    - `config: { apps_domain, claims, client_id, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `apps_domain: optional string` Your company's TLD
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessLinkedin { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOIDC { config, name, type, 2 more }`
    - `config: { auth_url, certs_url, claims, 6 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `auth_url: optional string` The authorization_endpoint URL of your IdP
      - `certs_url: optional string` The jwks_uri endpoint of your IdP, used to verify that the tokens were signed by the IdP's keys
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `pkce_enabled: optional boolean` Enable Proof Key for Code Exchange (PKCE)
      - `scopes: optional array of string` OAuth scopes
      - `token_url: optional string` The token_endpoint URL of your IdP
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOkta { config, name, type, 2 more }`
    - `config: { authorization_server_id, claims, client_id, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `authorization_server_id: optional string` Your Okta authorization server ID
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `okta_account: optional string` Your Okta account URL
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnelogin { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `onelogin_account: optional string` Your OneLogin account URL
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessPingone { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `ping_env_id: optional string` Your PingOne environment identifier
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessSAML { config, name, type, 2 more }`
    - `config: { attributes, email_attribute_name, header_attributes, 4 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes: optional array of string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name: optional string` The attribute name for email in the SAML response.
      - `header_attributes: optional array of { attribute_name, header_name }` Add a list of attribute names that will be returned in the response header from the Access callback.
        - `attribute_name: optional string` Attribute name from the IdP
        - `header_name: optional string` Header that will be added on the request to the origin
      - `idp_public_certs: optional array of string` X509 certificate used to verify the signature in the SAML authentication response
      - `issuer_url: optional string` IdP Entity ID or Issuer URL
      - `sign_request: optional boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `sso_target_url: optional string` URL to send the SAML authentication requests to
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessYandex { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider.
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `result_info: optional { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/identity_providers \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "config": {
        "claims": ["email_verified", "preferred_username", "custom_claim_name"],
        "client_id": "",
        "client_secret": "",
        "conditional_access_enabled": true,
        "directory_id": "",
        "email_claim_name": "custom_claim_name",
        "prompt": "login",
        "support_groups": true
      },
      "name": "Widget Corps IDP",
      "type": "onetimepin",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "scim_config": {
        "enabled": true,
        "identity_update_behavior": "automatic",
        "scim_base_url": "scim_base_url",
        "seat_deprovision": true,
        "secret": "secret",
        "user_deprovision": true
      }
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access identity provider

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}` Fetches a configured identity provider.

### Path Parameters

- `identity_provider_id: string` UUID. - `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional IdentityProvider` - `AzureAD { config, name, type, 2 more }` - `config: { claims, client_id, client_secret, 5 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: optional array of string` Custom claims - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `conditional_access_enabled: optional boolean` Should Cloudflare try to load authentication contexts from your account - `directory_id: optional string` Your Azure directory uuid - `email_claim_name: optional string` The claim name for email in the id_token response. - `prompt: optional "login" or "select_account" or "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite.
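The list and get endpoints return the same `IdentityProvider` object shape, so one script can review every provider in an account for the settings above that weaken authentication. The following is an added example, not Cloudflare's code: it walks the documented `result` array and flags an OIDC provider without `pkce_enabled`, non-HTTPS OIDC endpoints, a SAML provider with no `idp_public_certs`, and a SCIM integration whose `user_deprovision` is off. The `fetch_identity_providers` helper assumes the list endpoint accepts a `page` query parameter (only the `result_info` fields are documented here); the `SAMPLE_RESPONSE` at the bottom is constructed data in the documented shape so the audit runs offline.

```python
"""Audit Cloudflare Access identity providers for weak settings.

Added example; not Cloudflare's code. It consumes the JSON documented for
GET .../access/identity_providers (the `result` array) and flags settings a
reviewer would question. SAMPLE_RESPONSE below is constructed, not real data.
"""
from __future__ import annotations

import json
import urllib.request
from typing import Iterator

API_BASE = "https://api.cloudflare.com/client/v4"


def fetch_identity_providers(scope: str, scope_id: str, token: str) -> Iterator[dict]:
    """Yield every IdP object from the live API, walking result_info.total_pages.

    Assumption: the list endpoint honours a `page` query parameter; this page
    documents the result_info fields but not the query parameter itself.
    """
    page = 1
    while True:
        req = urllib.request.Request(
            f"{API_BASE}/{scope}/{scope_id}/access/identity_providers?page={page}",
            headers={"Authorization": f"Bearer {token}"},
        )
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
        if not body.get("success"):
            raise RuntimeError(body.get("errors"))
        yield from body["result"]
        if page >= (body.get("result_info") or {}).get("total_pages", 1):
            return
        page += 1


def audit_idp(idp: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one IdP object."""
    findings: list[tuple[str, str]] = []
    kind = idp.get("type")
    cfg = idp.get("config") or {}
    scim = idp.get("scim_config") or {}

    if kind == "onetimepin":
        findings.append(("info", "one-time PIN is only as strong as the user's mailbox; limit it by policy"))

    if kind == "oidc":
        if not cfg.get("pkce_enabled"):
            findings.append(("warn", "pkce_enabled is off: an intercepted authorization code can be redeemed"))
        for key in ("auth_url", "token_url", "certs_url"):
            url = cfg.get(key) or ""
            if not url.startswith("https://"):
                findings.append(("fail", f"{key} is not an https URL: {url!r}"))

    if kind == "saml":
        if not cfg.get("idp_public_certs"):
            findings.append(("fail", "no idp_public_certs: the SAML response signature cannot be verified"))
        if not cfg.get("sign_request"):
            findings.append(("info", "sign_request is off: AuthnRequests sent to the IdP are unsigned"))
        if cfg.get("header_attributes"):
            findings.append(("info", "SAML attributes are forwarded to the origin as headers; the origin must accept them only from Access"))

    if scim.get("enabled"):
        if not scim.get("user_deprovision"):
            findings.append(("warn", "SCIM enabled but user_deprovision is off: deprovisioned users keep live sessions"))
        if scim.get("seat_deprovision") and not scim.get("user_deprovision"):
            findings.append(("fail", "seat_deprovision requires user_deprovision"))
        if scim.get("identity_update_behavior") == "no_action":
            findings.append(("warn", "identity_update_behavior=no_action: SCIM changes never reach policy evaluation"))
    return findings


def audit_response(body: dict) -> dict[str, list[tuple[str, str]]]:
    """Map each IdP name to its findings; raise if the API call itself failed."""
    if not body.get("success"):
        raise ValueError(f"API call failed: {body.get('errors')}")
    return {idp.get("name") or idp.get("id", "?"): audit_idp(idp) for idp in body["result"]}


# Constructed sample in the documented response shape (not a real account).
SAMPLE_RESPONSE = {
    "success": True, "errors": [], "messages": [],
    "result": [
        {"id": "11111111-1111-1111-1111-111111111111", "name": "Corp OIDC", "type": "oidc",
         "config": {"auth_url": "https://idp.example.com/authorize",
                    "token_url": "http://idp.example.com/token",
                    "certs_url": "https://idp.example.com/.well-known/jwks.json",
                    "client_id": "corp-access", "pkce_enabled": False, "scopes": ["openid", "email"]},
         "scim_config": {"enabled": True, "identity_update_behavior": "automatic",
                         "user_deprovision": False, "seat_deprovision": False}},
        {"id": "22222222-2222-2222-2222-222222222222", "name": "Corp SAML", "type": "saml",
         "config": {"issuer_url": "https://idp.example.com/saml", "sso_target_url": "https://idp.example.com/saml/sso",
                    "idp_public_certs": ["constructed-cert-placeholder"], "sign_request": True,
                    "email_attribute_name": "email"},
         "scim_config": {"enabled": False}},
        {"id": "33333333-3333-3333-3333-333333333333", "name": "Email PIN", "type": "onetimepin", "config": {}},
    ],
    "result_info": {"count": 3, "page": 1, "per_page": 20, "total_count": 3, "total_pages": 1},
}

if __name__ == "__main__":
    for name, found in audit_response(SAMPLE_RESPONSE).items():
        for severity, message in found:
            print(f"[{severity}] {name}: {message}")
```

Run it against a live account by replacing `SAMPLE_RESPONSE` with `{"success": True, "result": list(fetch_identity_providers("accounts", account_id, token))}`; the token needs only read access to Access identity providers, and the API redacts `client_secret` and the SCIM `secret` in list responses, so the audit never handles live credentials.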
It ensures that the user is not presented with any interactive prompt; if the request cannot be completed silently via single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account-selection screen listing every account in the session or remembered, plus an option to use a different account altogether. - `"login"` - `"select_account"` - `"none"` - `support_groups: optional boolean` Should Cloudflare try to load groups from your account - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `"onetimepin"` - `"azureAD"` - `"saml"` - `"centrify"` - `"facebook"` - `"github"` - `"google-apps"` - `"google"` - `"linkedin"` - `"oidc"` - `"okta"` - `"onelogin"` - `"pingone"` - `"yandex"` - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `enabled: optional boolean` A flag to enable or disable SCIM for the identity provider. - `identity_update_behavior: optional "automatic" or "reauth" or "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user's identity is updated only after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
- `"automatic"` - `"reauth"` - `"no_action"` - `scim_base_url: optional string` The base URL of Cloudflare's SCIM V2.0 API endpoint. - `seat_deprovision: optional boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled. - `secret: optional string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. - `user_deprovision: optional boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. - `AccessCentrify { config, name, type, 2 more }` - `config: { centrify_account, centrify_app_id, claims, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `centrify_account: optional string` Your centrify account url - `centrify_app_id: optional string` Your centrify app id - `claims: optional array of string` Custom claims - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `email_claim_name: optional string` The claim name for email in the id_token response. - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. 
- `AccessFacebook { config, name, type, 2 more }` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessGitHub { config, name, type, 2 more }` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessGoogle { config, name, type, 2 more }` - `config: { claims, client_id, client_secret, email_claim_name }` The configuration parameters for the identity provider. 
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: optional array of string` Custom claims - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `email_claim_name: optional string` The claim name for email in the id_token response. - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessGoogleApps { config, name, type, 2 more }` - `config: { apps_domain, claims, client_id, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `apps_domain: optional string` Your company's domain - `claims: optional array of string` Custom claims - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `email_claim_name: optional string` The claim name for email in the id_token response. - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID.
- `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessLinkedin { config, name, type, 2 more }` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessOIDC { config, name, type, 2 more }` - `config: { auth_url, certs_url, claims, 6 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `auth_url: optional string` The authorization_endpoint URL of your IdP - `certs_url: optional string` The jwks_uri endpoint of your IdP; the public keys published there are used to verify the signature on the tokens the IdP issues - `claims: optional array of string` Custom claims - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `email_claim_name: optional string` The claim name for email in the id_token response.
- `pkce_enabled: optional boolean` Enable Proof Key for Code Exchange (PKCE) - `scopes: optional array of string` OAuth scopes - `token_url: optional string` The token_endpoint URL of your IdP - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessOkta { config, name, type, 2 more }` - `config: { authorization_server_id, claims, client_id, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `authorization_server_id: optional string` Your okta authorization server id - `claims: optional array of string` Custom claims - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `email_claim_name: optional string` The claim name for email in the id_token response. - `okta_account: optional string` Your okta account url - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. 
- `AccessOnelogin { config, name, type, 2 more }` - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: optional array of string` Custom claims - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `email_claim_name: optional string` The claim name for email in the id_token response. - `onelogin_account: optional string` Your OneLogin account url - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessPingone { config, name, type, 2 more }` - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: optional array of string` Custom claims - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `email_claim_name: optional string` The claim name for email in the id_token response. - `ping_env_id: optional string` Your PingOne environment identifier - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessSAML { config, name, type, 2 more }` - `config: { attributes, email_attribute_name, header_attributes, 4 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `attributes: optional array of string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules. - `email_attribute_name: optional string` The attribute name for email in the SAML response. - `header_attributes: optional array of { attribute_name, header_name }` Add a list of attribute names that will be returned in the response header from the Access callback. - `attribute_name: optional string` attribute name from the IDP - `header_name: optional string` header that will be added on the request to the origin - `idp_public_certs: optional array of string` X509 certificate to verify the signature in the SAML authentication response - `issuer_url: optional string` IdP Entity ID or Issuer URL - `sign_request: optional boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints. - `sso_target_url: optional string` URL to send the SAML authentication requests to - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. 
To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessYandex { config, name, type, 2 more }` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessOnetimepin { config, name, type, 2 more }` - `config: { redirect_url }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `redirect_url: optional string` - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. 
- `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/identity_providers/$IDENTITY_PROVIDER_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": ["email_verified", "preferred_username", "custom_claim_name"],
      "client_id": "",
      "client_secret": "",
      "conditional_access_enabled": true,
      "directory_id": "",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
```

## Add an Access identity provider

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers` Adds a new identity provider to Access.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `identity_provider: IdentityProvider` - `AzureAD { config, name, type, 2 more }` - `config: { claims, client_id, client_secret, 5 more }` The configuration parameters for the identity provider.
To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `claims: optional array of string` Custom claims - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `conditional_access_enabled: optional boolean` Should Cloudflare try to load authentication contexts from your account - `directory_id: optional string` Your Azure directory uuid - `email_claim_name: optional string` The claim name for email in the id_token response. - `prompt: optional "login" or "select_account" or "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite. It ensures that the user is not presented with any interactive prompt; if the request cannot be completed silently via single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account-selection screen listing every account in the session or remembered, plus an option to use a different account altogether. - `"login"` - `"select_account"` - `"none"` - `support_groups: optional boolean` Should Cloudflare try to load groups from your account - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `"onetimepin"` - `"azureAD"` - `"saml"` - `"centrify"` - `"facebook"` - `"github"` - `"google-apps"` - `"google"` - `"linkedin"` - `"oidc"` - `"okta"` - `"onelogin"` - `"pingone"` - `"yandex"` - `id: optional string` UUID.
- `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `enabled: optional boolean` A flag to enable or disable SCIM for the identity provider. - `identity_update_behavior: optional "automatic" or "reauth" or "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. - `"automatic"` - `"reauth"` - `"no_action"` - `scim_base_url: optional string` The base URL of Cloudflare's SCIM V2.0 API endpoint. - `seat_deprovision: optional boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled. - `secret: optional string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret. - `user_deprovision: optional boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider. - `AccessCentrify { config, name, type, 2 more }` - `config: { centrify_account, centrify_app_id, claims, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). 
- `centrify_account: optional string` Your centrify account url - `centrify_app_id: optional string` Your centrify app id - `claims: optional array of string` Custom claims - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `email_claim_name: optional string` The claim name for email in the id_token response. - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessFacebook { config, name, type, 2 more }` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `client_id: optional string` Your OAuth Client ID - `client_secret: optional string` Your OAuth Client Secret - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessGitHub { config, name, type, 2 more }` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. 
      To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogle { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, email_claim_name }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogleApps { config, name, type, 2 more }`
    - `config: { apps_domain, claims, client_id, 2 more }` The configuration parameters for the identity provider.
      To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `apps_domain: optional string` Your company's TLD
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessLinkedin { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOIDC { config, name, type, 2 more }`
    - `config: { auth_url, certs_url, claims, 6 more }` The configuration parameters for the identity provider.
      To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `auth_url: optional string` The authorization_endpoint URL of your IdP
      - `certs_url: optional string` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `pkce_enabled: optional boolean` Enable Proof Key for Code Exchange (PKCE)
      - `scopes: optional array of string` OAuth scopes
      - `token_url: optional string` The token_endpoint URL of your IdP
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOkta { config, name, type, 2 more }`
    - `config: { authorization_server_id, claims, client_id, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `authorization_server_id: optional string` Your Okta authorization server ID
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `okta_account: optional string` Your Okta account URL
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnelogin { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `onelogin_account: optional string` Your OneLogin account URL
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessPingone { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider.
      To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `ping_env_id: optional string` Your PingOne environment identifier
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessSAML { config, name, type, 2 more }`
    - `config: { attributes, email_attribute_name, header_attributes, 4 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes: optional array of string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name: optional string` The attribute name for email in the SAML response.
      - `header_attributes: optional array of { attribute_name, header_name }` Add a list of attribute names that will be returned in the response header from the Access callback.
        - `attribute_name: optional string` Attribute name from the IdP
        - `header_name: optional string` Header that will be added to the request to the origin
      - `idp_public_certs: optional array of string` X.509 certificate to verify the signature in the SAML authentication response
      - `issuer_url: optional string` IdP Entity ID or Issuer URL
      - `sign_request: optional boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `sso_target_url: optional string` URL to send the SAML authentication requests to
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessYandex { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnetimepin { config, name, type, 2 more }`
    - `config: { redirect_url }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `redirect_url: optional string`
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional IdentityProvider`
  - `AzureAD { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 5 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `conditional_access_enabled: optional boolean` Should Cloudflare try to load authentication contexts from your account
      - `directory_id: optional string` Your Azure directory UUID
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `prompt: optional "login" or "select_account" or "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or any remembered account, or an option to choose to use a different account altogether.
        - `"login"`
        - `"select_account"`
        - `"none"`
      - `support_groups: optional boolean` Should Cloudflare try to load groups from your account
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `"onetimepin"`
      - `"azureAD"`
      - `"saml"`
      - `"centrify"`
      - `"facebook"`
      - `"github"`
      - `"google-apps"`
      - `"google"`
      - `"linkedin"`
      - `"oidc"`
      - `"okta"`
      - `"onelogin"`
      - `"pingone"`
      - `"yandex"`
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `enabled: optional boolean` A flag to enable or disable SCIM for the identity provider.
      - `identity_update_behavior: optional "automatic" or "reauth" or "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `"automatic"`
        - `"reauth"`
        - `"no_action"`
      - `scim_base_url: optional string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `seat_deprovision: optional boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `secret: optional string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `user_deprovision: optional boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `AccessCentrify { config, name, type, 2 more }`
    - `config: { centrify_account, centrify_app_id, claims, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `centrify_account: optional string` Your Centrify account URL
      - `centrify_app_id: optional string` Your Centrify app ID
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessFacebook { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGitHub { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider.
      To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogle { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, email_claim_name }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogleApps { config, name, type, 2 more }`
    - `config: { apps_domain, claims, client_id, 2 more }` The configuration parameters for the identity provider.
      To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `apps_domain: optional string` Your company's TLD
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessLinkedin { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOIDC { config, name, type, 2 more }`
    - `config: { auth_url, certs_url, claims, 6 more }` The configuration parameters for the identity provider.
      To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `auth_url: optional string` The authorization_endpoint URL of your IdP
      - `certs_url: optional string` The jwks_uri endpoint of your IdP to allow the IdP keys to sign the tokens
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `pkce_enabled: optional boolean` Enable Proof Key for Code Exchange (PKCE)
      - `scopes: optional array of string` OAuth scopes
      - `token_url: optional string` The token_endpoint URL of your IdP
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOkta { config, name, type, 2 more }`
    - `config: { authorization_server_id, claims, client_id, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `authorization_server_id: optional string` Your Okta authorization server ID
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `okta_account: optional string` Your Okta account URL
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnelogin { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `onelogin_account: optional string` Your OneLogin account URL
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessPingone { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider.
      To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `ping_env_id: optional string` Your PingOne environment identifier
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessSAML { config, name, type, 2 more }`
    - `config: { attributes, email_attribute_name, header_attributes, 4 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes: optional array of string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name: optional string` The attribute name for email in the SAML response.
      - `header_attributes: optional array of { attribute_name, header_name }` Add a list of attribute names that will be returned in the response header from the Access callback.
        - `attribute_name: optional string` Attribute name from the IdP
        - `header_name: optional string` Header that will be added to the request to the origin
      - `idp_public_certs: optional array of string` X.509 certificate to verify the signature in the SAML authentication response
      - `issuer_url: optional string` IdP Entity ID or Issuer URL
      - `sign_request: optional boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `sso_target_url: optional string` URL to send the SAML authentication requests to
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessYandex { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnetimepin { config, name, type, 2 more }`
    - `config: { redirect_url }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `redirect_url: optional string`
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/identity_providers \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "config": {},
    "name": "Widget Corps IDP",
    "type": "onetimepin"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": [
        "email_verified",
        "preferred_username",
        "custom_claim_name"
      ],
      "client_id": "",
      "client_secret": "",
      "conditional_access_enabled": true,
      "directory_id": "",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
```

## Update an Access identity provider

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}`

Updates a configured identity provider.

### Path Parameters

- `identity_provider_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `identity_provider: IdentityProvider`
  - `AzureAD { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 5 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims
      - `client_id: optional string` Your OAuth Client ID
      - `client_secret: optional string` Your OAuth Client Secret
      - `conditional_access_enabled: optional boolean` Should Cloudflare try to load authentication contexts from your account
      - `directory_id: optional string` Your Azure directory UUID
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `prompt: optional "login" or "select_account" or "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on, providing an account selection experience that lists all the accounts either in session or any remembered account, or an option to choose to use a different account altogether.
        - `"login"`
        - `"select_account"`
        - `"none"`
      - `support_groups: optional boolean` Should Cloudflare try to load groups from your account.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `"onetimepin"`
      - `"azureAD"`
      - `"saml"`
      - `"centrify"`
      - `"facebook"`
      - `"github"`
      - `"google-apps"`
      - `"google"`
      - `"linkedin"`
      - `"oidc"`
      - `"okta"`
      - `"onelogin"`
      - `"pingone"`
      - `"yandex"`
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `enabled: optional boolean` A flag to enable or disable SCIM for the identity provider.
      - `identity_update_behavior: optional "automatic" or "reauth" or "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity will only be updated after successful re-authentication, and with "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `"automatic"`
        - `"reauth"`
        - `"no_action"`
      - `scim_base_url: optional string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `seat_deprovision: optional boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `secret: optional string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `user_deprovision: optional boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `AccessCentrify { config, name, type, 2 more }`
    - `config: { centrify_account, centrify_app_id, claims, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `centrify_account: optional string` Your Centrify account URL.
      - `centrify_app_id: optional string` Your Centrify app ID.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessFacebook { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGitHub { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogle { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, email_claim_name }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogleApps { config, name, type, 2 more }`
    - `config: { apps_domain, claims, client_id, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `apps_domain: optional string` Your company's TLD.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessLinkedin { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOIDC { config, name, type, 2 more }`
    - `config: { auth_url, certs_url, claims, 6 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `auth_url: optional string` The authorization_endpoint URL of your IdP.
      - `certs_url: optional string` The jwks_uri endpoint of your IdP, which publishes the keys used to verify the tokens the IdP signs.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `pkce_enabled: optional boolean` Enable Proof Key for Code Exchange (PKCE).
      - `scopes: optional array of string` OAuth scopes.
      - `token_url: optional string` The token_endpoint URL of your IdP.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOkta { config, name, type, 2 more }`
    - `config: { authorization_server_id, claims, client_id, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `authorization_server_id: optional string` Your Okta authorization server ID.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `okta_account: optional string` Your Okta account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnelogin { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `onelogin_account: optional string` Your OneLogin account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessPingone { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `ping_env_id: optional string` Your PingOne environment identifier.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessSAML { config, name, type, 2 more }`
    - `config: { attributes, email_attribute_name, header_attributes, 4 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes: optional array of string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name: optional string` The attribute name for email in the SAML response.
      - `header_attributes: optional array of { attribute_name, header_name }` A list of attribute names that will be returned in the response header from the Access callback.
        - `attribute_name: optional string` Attribute name from the IdP.
        - `header_name: optional string` Header that will be added on the request to the origin.
      - `idp_public_certs: optional array of string` X.509 certificate used to verify the signature in the SAML authentication response.
      - `issuer_url: optional string` IdP Entity ID or Issuer URL.
      - `sign_request: optional boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `sso_target_url: optional string` URL to send the SAML authentication requests to.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessYandex { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnetimepin { config, name, type, 2 more }`
    - `config: { redirect_url }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `redirect_url: optional string`
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
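The body parameters above carry a few rules that are easy to get wrong in an update (the `type` and `prompt` enumerations, the `identity_update_behavior` values, `seat_deprovision` requiring `user_deprovision`, and account vs. zone being mutually exclusive). The following added example, which is not Cloudflare's SDK or code from this page, checks those rules before assembling the PUT request and masks `client_secret` and the SCIM `secret` for logging; the `accounts`/`zones` path segment and all sample values are assumptions.

```python
"""Validate and assemble a PUT request for the Access identity provider update
endpoint. Added example, not Cloudflare's SDK; sample values are constructed."""
from __future__ import annotations

import json
from typing import Any

API_BASE = "https://api.cloudflare.com/client/v4"

# Enumerations as documented: IdentityProviderType, the AzureAD prompt values
# and scim_config.identity_update_behavior.
IDP_TYPES = {
    "onetimepin", "azureAD", "saml", "centrify", "facebook", "github",
    "google-apps", "google", "linkedin", "oidc", "okta", "onelogin",
    "pingone", "yandex",
}
PROMPT_VALUES = {"login", "select_account", "none"}
IDENTITY_UPDATE_BEHAVIORS = {"automatic", "reauth", "no_action"}
# Fields that must never reach logs: the OAuth client secret and the SCIM token.
SECRET_FIELDS = {"client_secret", "secret"}


class IdentityProviderError(ValueError):
    """Raised when the request cannot be built safely."""


def validate_identity_provider(idp: dict[str, Any]) -> list[str]:
    """Return the documented rules the body violates (empty list when it is valid)."""
    problems: list[str] = []
    if not idp.get("name"):
        problems.append("name is required")
    idp_type = idp.get("type")
    if idp_type not in IDP_TYPES:
        problems.append(f"type {idp_type!r} is not a valid IdentityProviderType")
    config = idp.get("config")
    if not isinstance(config, dict):
        problems.append("config must be an object")
    elif idp_type == "azureAD":
        prompt = config.get("prompt")
        if prompt is not None and prompt not in PROMPT_VALUES:
            problems.append(f"config.prompt {prompt!r} must be login, select_account or none")
    scim = idp.get("scim_config")
    if scim is not None and not isinstance(scim, dict):
        problems.append("scim_config must be an object")
    elif scim is not None:
        behavior = scim.get("identity_update_behavior")
        if behavior is not None and behavior not in IDENTITY_UPDATE_BEHAVIORS:
            problems.append(f"scim_config.identity_update_behavior {behavior!r} is not valid")
        # Documented dependency: seat_deprovision cannot be enabled unless user_deprovision is.
        if scim.get("seat_deprovision") and not scim.get("user_deprovision"):
            problems.append("scim_config.seat_deprovision requires user_deprovision")
    return problems


def redact(value: Any) -> Any:
    """Copy of a request or response body with secret fields masked, safe to log."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k in SECRET_FIELDS else redact(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def build_update_request(idp: dict[str, Any], identity_provider_id: str, api_token: str,
                         account_id: str | None = None, zone_id: str | None = None) -> dict[str, Any]:
    """Assemble the PUT as a plain dict. The "accounts"/"zones" path segment is an
    assumption taken from the $ACCOUNTS_OR_ZONES placeholder in the page's curl example."""
    # account_id and zone_id are documented as mutually exclusive.
    if (account_id is None) == (zone_id is None):
        raise IdentityProviderError("specify exactly one of account_id or zone_id")
    problems = validate_identity_provider(idp)
    if problems:
        raise IdentityProviderError("; ".join(problems))
    scope, scope_id = ("accounts", account_id) if account_id else ("zones", zone_id)
    url = f"{API_BASE}/{scope}/{scope_id}/access/identity_providers/{identity_provider_id}"
    return {
        "method": "PUT",
        "url": url,
        "headers": {"Content-Type": "application/json",
                    "Authorization": f"Bearer {api_token}"},
        "body": json.dumps(idp),
    }


# Constructed sample: an Azure AD provider with SCIM deprovisioning enabled.
SAMPLE_IDP: dict[str, Any] = {
    "name": "Widget Corps IDP",
    "type": "azureAD",
    "config": {"client_id": "example-client-id", "client_secret": "example-client-secret",
               "directory_id": "00000000-0000-0000-0000-000000000000",
               "prompt": "login", "support_groups": True},
    "scim_config": {"enabled": True, "identity_update_behavior": "reauth",
                    "seat_deprovision": True, "user_deprovision": True},
}

if __name__ == "__main__":
    req = build_update_request(SAMPLE_IDP, "IDP_ID_PLACEHOLDER", "API_TOKEN_PLACEHOLDER",
                               account_id="ACCOUNT_ID_PLACEHOLDER")
    # Log only the redacted body; the raw one carries client_secret.
    print(req["method"], req["url"], json.dumps(redact(json.loads(req["body"])), indent=2))
```

Sending the returned request with any HTTP client is left to the caller; the point is that validation and redaction happen before the body leaves the process.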
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional IdentityProvider`
  - `AzureAD { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 5 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `conditional_access_enabled: optional boolean` Should Cloudflare try to load authentication contexts from your account.
      - `directory_id: optional string` Your Azure directory UUID.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `prompt: optional "login" or "select_account" or "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user isn't presented with any interactive prompt, and if the request can't be completed silently by using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account-selection experience listing all accounts in session or remembered, plus an option to use a different account altogether.
        - `"login"`
        - `"select_account"`
        - `"none"`
      - `support_groups: optional boolean` Should Cloudflare try to load groups from your account.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `"onetimepin"`
      - `"azureAD"`
      - `"saml"`
      - `"centrify"`
      - `"facebook"`
      - `"github"`
      - `"google-apps"`
      - `"google"`
      - `"linkedin"`
      - `"oidc"`
      - `"okta"`
      - `"onelogin"`
      - `"pingone"`
      - `"yandex"`
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `enabled: optional boolean` A flag to enable or disable SCIM for the identity provider.
      - `identity_update_behavior: optional "automatic" or "reauth" or "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity will only be updated after successful re-authentication, and with "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `"automatic"`
        - `"reauth"`
        - `"no_action"`
      - `scim_base_url: optional string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `seat_deprovision: optional boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `secret: optional string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `user_deprovision: optional boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `AccessCentrify { config, name, type, 2 more }`
    - `config: { centrify_account, centrify_app_id, claims, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `centrify_account: optional string` Your Centrify account URL.
      - `centrify_app_id: optional string` Your Centrify app ID.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessFacebook { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGitHub { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogle { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, email_claim_name }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogleApps { config, name, type, 2 more }`
    - `config: { apps_domain, claims, client_id, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `apps_domain: optional string` Your company's TLD.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessLinkedin { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOIDC { config, name, type, 2 more }`
    - `config: { auth_url, certs_url, claims, 6 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `auth_url: optional string` The authorization_endpoint URL of your IdP.
      - `certs_url: optional string` The jwks_uri endpoint of your IdP, which publishes the keys used to verify the tokens the IdP signs.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `pkce_enabled: optional boolean` Enable Proof Key for Code Exchange (PKCE).
      - `scopes: optional array of string` OAuth scopes.
      - `token_url: optional string` The token_endpoint URL of your IdP.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOkta { config, name, type, 2 more }`
    - `config: { authorization_server_id, claims, client_id, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `authorization_server_id: optional string` Your Okta authorization server ID.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `okta_account: optional string` Your Okta account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnelogin { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `onelogin_account: optional string` Your OneLogin account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessPingone { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `ping_env_id: optional string` Your PingOne environment identifier.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessSAML { config, name, type, 2 more }`
    - `config: { attributes, email_attribute_name, header_attributes, 4 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes: optional array of string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name: optional string` The attribute name for email in the SAML response.
      - `header_attributes: optional array of { attribute_name, header_name }` A list of attribute names that will be returned in the response header from the Access callback.
        - `attribute_name: optional string` Attribute name from the IdP.
        - `header_name: optional string` Header that will be added on the request to the origin.
      - `idp_public_certs: optional array of string` X.509 certificate used to verify the signature in the SAML authentication response.
      - `issuer_url: optional string` IdP Entity ID or Issuer URL.
      - `sign_request: optional boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `sso_target_url: optional string` URL to send the SAML authentication requests to.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
- `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessYandex { config, name, type, 2 more }` - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `AccessOnetimepin { config, name, type, 2 more }` - `config: { redirect_url }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `redirect_url: optional string` - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. 
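A client-side pre-flight for the update endpoint above, as an added example that is not Cloudflare's code: it assembles the PUT request from the path parameters and rejects bodies that contradict the constraints this reference states (the `type` and `identity_update_behavior` enumerations, the AzureAD `prompt` values, `seat_deprovision` without `user_deprovision`, and echoing back the read-only SCIM `secret`). The API base URL and endpoint path are the ones shown on this page; the placeholder IDs, token and sample bodies are constructed, and nothing is sent over the network.

```python
"""Pre-flight validation for an Access identity provider update (added example)."""
import json
from typing import Optional

API_BASE = "https://api.cloudflare.com/client/v4"

# Enumerations as listed in the reference.
IDENTITY_PROVIDER_TYPES = {
    "onetimepin", "azureAD", "saml", "centrify", "facebook", "github",
    "google-apps", "google", "linkedin", "oidc", "okta", "onelogin",
    "pingone", "yandex",
}
IDENTITY_UPDATE_BEHAVIORS = {"automatic", "reauth", "no_action"}
AZURE_PROMPTS = {"login", "select_account", "none"}


def validate_identity_provider(body: dict) -> list:
    """Return the list of problems in an IdentityProvider body (empty if valid)."""
    problems = []
    if not isinstance(body.get("name"), str) or not body["name"].strip():
        problems.append("name: required, non-empty string")
    idp_type = body.get("type")
    if idp_type not in IDENTITY_PROVIDER_TYPES:
        problems.append(f"type: {idp_type!r} is not an IdentityProviderType")
    config = body.get("config")
    if not isinstance(config, dict):
        problems.append("config: required object")
        config = {}
    # `prompt` only exists on the AzureAD config and takes exactly three values.
    prompt = config.get("prompt")
    if idp_type == "azureAD" and prompt is not None and prompt not in AZURE_PROMPTS:
        problems.append(f"config.prompt: {prompt!r} must be one of {sorted(AZURE_PROMPTS)}")
    scim = body.get("scim_config")
    if scim is not None:
        problems.extend(_validate_scim(scim))
    return problems


def _validate_scim(scim) -> list:
    """Apply the IdentityProviderSCIMConfig rules stated in the reference."""
    if not isinstance(scim, dict):
        return ["scim_config: must be an object"]
    problems = []
    behavior = scim.get("identity_update_behavior")
    if behavior is not None and behavior not in IDENTITY_UPDATE_BEHAVIORS:
        problems.append(
            f"scim_config.identity_update_behavior: {behavior!r} must be one of "
            f"{sorted(IDENTITY_UPDATE_BEHAVIORS)}")
    # "This cannot be enabled unless user_deprovision is also enabled."
    if scim.get("seat_deprovision") and not scim.get("user_deprovision"):
        problems.append("scim_config.seat_deprovision: requires user_deprovision to be enabled")
    # `secret` is read-only and redacted after the first response, so a value copied
    # from a later GET is never the real token; it does not belong in an update.
    if "secret" in scim:
        problems.append("scim_config.secret: read-only, remove it from the request")
    return problems


def build_update_request(identity_provider_id: str, body: dict, api_token: str,
                         account_id: Optional[str] = None,
                         zone_id: Optional[str] = None) -> dict:
    """Build the PUT request as a dict; raise ValueError for an invalid call."""
    # account_id and zone_id are mutually exclusive: exactly one scope is allowed.
    if (account_id is None) == (zone_id is None):
        raise ValueError("pass exactly one of account_id or zone_id")
    problems = validate_identity_provider(body)
    if problems:
        raise ValueError("invalid identity provider body: " + "; ".join(problems))
    scope = f"accounts/{account_id}" if account_id else f"zones/{zone_id}"
    return {
        "method": "PUT",
        "url": f"{API_BASE}/{scope}/access/identity_providers/{identity_provider_id}",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": f"Bearer {api_token}",
        },
        "data": json.dumps(body),
    }


if __name__ == "__main__":
    # Constructed sample: an OIDC provider whose SCIM block enables seat removal
    # without session revocation, which the reference says is not allowed.
    weak = {
        "name": "Widget Corps IDP", "type": "oidc",
        "config": {"client_id": "CLIENT_ID_PLACEHOLDER", "pkce_enabled": True},
        "scim_config": {"enabled": True, "seat_deprovision": True, "user_deprovision": False},
    }
    print(validate_identity_provider(weak))
    fixed = json.loads(json.dumps(weak))
    fixed["scim_config"]["user_deprovision"] = True
    req = build_update_request("IDP_ID_PLACEHOLDER", fixed, "TOKEN_PLACEHOLDER",
                               account_id="ACCOUNT_ID_PLACEHOLDER")
    print(req["method"], req["url"])
```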
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/identity_providers/$IDENTITY_PROVIDER_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "config": {},
    "name": "Widget Corps IDP",
    "type": "onetimepin"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "config": {
      "claims": [
        "email_verified",
        "preferred_username",
        "custom_claim_name"
      ],
      "client_id": "",
      "client_secret": "",
      "conditional_access_enabled": true,
      "directory_id": "",
      "email_claim_name": "custom_claim_name",
      "prompt": "login",
      "support_groups": true
    },
    "name": "Widget Corps IDP",
    "type": "onetimepin",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "scim_config": {
      "enabled": true,
      "identity_update_behavior": "automatic",
      "scim_base_url": "scim_base_url",
      "seat_deprovision": true,
      "secret": "secret",
      "user_deprovision": true
    }
  }
}
```

## Delete an Access identity provider

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/identity_providers/{identity_provider_id}`

Deletes an identity provider from Access.

### Path Parameters

- `identity_provider_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/identity_providers/$IDENTITY_PROVIDER_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Azure AD

- `AzureAD { config, name, type, 2 more }`
  - `config: { claims, client_id, client_secret, 5 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `claims: optional array of string` Custom claims.
    - `client_id: optional string` Your OAuth Client ID.
    - `client_secret: optional string` Your OAuth Client Secret.
    - `conditional_access_enabled: optional boolean` Should Cloudflare try to load authentication contexts from your account.
    - `directory_id: optional string` Your Azure directory UUID.
    - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `prompt: optional "login" or "select_account" or "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user is not presented with any interactive prompt, and if the request cannot be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account selection experience listing all accounts in session or remembered, plus an option to use a different account altogether.
      - `"login"`
      - `"select_account"`
      - `"none"`
    - `support_groups: optional boolean` Should Cloudflare try to load groups from your account.
  - `name: string` The name of the identity provider, shown to users on the login page.
  - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `"onetimepin"`
    - `"azureAD"`
    - `"saml"`
    - `"centrify"`
    - `"facebook"`
    - `"github"`
    - `"google-apps"`
    - `"google"`
    - `"linkedin"`
    - `"oidc"`
    - `"okta"`
    - `"onelogin"`
    - `"pingone"`
    - `"yandex"`
  - `id: optional string` UUID.
  - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
    - `enabled: optional boolean` A flag to enable or disable SCIM for the identity provider.
    - `identity_update_behavior: optional "automatic" or "reauth" or "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
      - `"automatic"`
      - `"reauth"`
      - `"no_action"`
    - `scim_base_url: optional string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
    - `seat_deprovision: optional boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
    - `secret: optional string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose it, refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
    - `user_deprovision: optional boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

### Generic OAuth Config

- `GenericOAuthConfig { client_id, client_secret }`
  - `client_id: optional string` Your OAuth Client ID.
  - `client_secret: optional string` Your OAuth Client Secret.

### Identity Provider

- `IdentityProvider = AzureAD or { config, name, type, 2 more } or { config, name, type, 2 more } or 11 more`
  - `AzureAD { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 5 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `conditional_access_enabled: optional boolean` Should Cloudflare try to load authentication contexts from your account.
      - `directory_id: optional string` Your Azure directory UUID.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `prompt: optional "login" or "select_account" or "none"` Indicates the type of user interaction that is required. prompt=login forces the user to enter their credentials on that request, negating single sign-on. prompt=none is the opposite: it ensures that the user is not presented with any interactive prompt, and if the request cannot be completed silently using single sign-on, the Microsoft identity platform returns an interaction_required error. prompt=select_account interrupts single sign-on and presents an account selection experience listing all accounts in session or remembered, plus an option to use a different account altogether.
        - `"login"`
        - `"select_account"`
        - `"none"`
      - `support_groups: optional boolean` Should Cloudflare try to load groups from your account.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `"onetimepin"`
      - `"azureAD"`
      - `"saml"`
      - `"centrify"`
      - `"facebook"`
      - `"github"`
      - `"google-apps"`
      - `"google"`
      - `"linkedin"`
      - `"oidc"`
      - `"okta"`
      - `"onelogin"`
      - `"pingone"`
      - `"yandex"`
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `enabled: optional boolean` A flag to enable or disable SCIM for the identity provider.
      - `identity_update_behavior: optional "automatic" or "reauth" or "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates; the user identity is updated only after successful re-authentication. With "reauth", identities will not contain fields from the SCIM user resource. With "no_action", identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `"automatic"`
        - `"reauth"`
        - `"no_action"`
      - `scim_base_url: optional string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `seat_deprovision: optional boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless user_deprovision is also enabled.
      - `secret: optional string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose it, refresh it at /access/identity_providers/:idpID/refresh_scim_secret.
      - `user_deprovision: optional boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `AccessCentrify { config, name, type, 2 more }`
    - `config: { centrify_account, centrify_app_id, claims, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `centrify_account: optional string` Your Centrify account URL.
      - `centrify_app_id: optional string` Your Centrify app ID.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessFacebook { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGitHub { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogle { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, email_claim_name }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogleApps { config, name, type, 2 more }`
    - `config: { apps_domain, claims, client_id, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `apps_domain: optional string` Your company's TLD.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessLinkedin { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOIDC { config, name, type, 2 more }`
    - `config: { auth_url, certs_url, claims, 6 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `auth_url: optional string` The authorization_endpoint URL of your IdP.
      - `certs_url: optional string` The jwks_uri endpoint of your IdP, which publishes the keys used to verify the tokens the IdP signs.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `pkce_enabled: optional boolean` Enable Proof Key for Code Exchange (PKCE).
      - `scopes: optional array of string` OAuth scopes.
      - `token_url: optional string` The token_endpoint URL of your IdP.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOkta { config, name, type, 2 more }`
    - `config: { authorization_server_id, claims, client_id, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `authorization_server_id: optional string` Your Okta authorization server ID.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `okta_account: optional string` Your Okta account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnelogin { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `onelogin_account: optional string` Your OneLogin account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessPingone { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the id_token response.
      - `ping_env_id: optional string` Your PingOne environment identifier.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessSAML { config, name, type, 2 more }`
    - `config: { attributes, email_attribute_name, header_attributes, 4 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes: optional array of string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name: optional string` The attribute name for email in the SAML response.
      - `header_attributes: optional array of { attribute_name, header_name }` A list of attribute names that will be returned in the response header from the Access callback.
        - `attribute_name: optional string` Attribute name from the IdP.
        - `header_name: optional string` Header that will be added to the request to the origin.
      - `idp_public_certs: optional array of string` X.509 certificate used to verify the signature on the SAML authentication response.
      - `issuer_url: optional string` IdP Entity ID or Issuer URL.
      - `sign_request: optional boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `sso_target_url: optional string` URL to send the SAML authentication requests to.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessYandex { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
- `AccessOnetimepin { config, name, type, 2 more }` - `config: { redirect_url }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `redirect_url: optional string` - `name: string` The name of the identity provider, shown to users on the login page. - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). - `id: optional string` UUID. - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. ### Identity Provider SCIM Config - `IdentityProviderSCIMConfig { enabled, identity_update_behavior, scim_base_url, 3 more }` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. - `enabled: optional boolean` A flag to enable or disable SCIM for the identity provider. - `identity_update_behavior: optional "automatic" or "reauth" or "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use "automatic" to automatically update a user's identity and augment it with fields from the SCIM user resource. Use "reauth" to force re-authentication on group membership updates, user identity update will only occur after successful re-authentication. With "reauth" identities will not contain fields from the SCIM user resource. With "no_action" identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate. - `"automatic"` - `"reauth"` - `"no_action"` - `scim_base_url: optional string` The base URL of Cloudflare's SCIM V2.0 API endpoint. 
  - `seat_deprovision: optional boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless `user_deprovision` is also enabled.
  - `secret: optional string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at `/access/identity_providers/:idpID/refresh_scim_secret`.
  - `user_deprovision: optional boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.

### Identity Provider Type

- `IdentityProviderType = "onetimepin" or "azureAD" or "saml" or 11 more` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
  - `"onetimepin"`
  - `"azureAD"`
  - `"saml"`
  - `"centrify"`
  - `"facebook"`
  - `"github"`
  - `"google-apps"`
  - `"google"`
  - `"linkedin"`
  - `"oidc"`
  - `"okta"`
  - `"onelogin"`
  - `"pingone"`
  - `"yandex"`

### Identity Provider List Response

- `IdentityProviderListResponse = AzureAD or { config, name, type, 2 more } or { config, name, type, 2 more } or 10 more`
  - `AzureAD { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 5 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `conditional_access_enabled: optional boolean` Should Cloudflare try to load authentication contexts from your account.
      - `directory_id: optional string` Your Azure directory UUID.
      - `email_claim_name: optional string` The claim name for email in the `id_token` response.
      - `prompt: optional "login" or "select_account" or "none"` Indicates the type of user interaction that is required. `prompt=login` forces the user to enter their credentials on that request, negating single sign-on. `prompt=none` is the opposite: it ensures that the user isn't presented with any interactive prompt. If the request can't be completed silently by using single sign-on, the Microsoft identity platform returns an `interaction_required` error. `prompt=select_account` interrupts single sign-on and provides an account selection experience listing all the accounts either in session or remembered, plus an option to use a different account altogether.
        - `"login"`
        - `"select_account"`
        - `"none"`
      - `support_groups: optional boolean` Should Cloudflare try to load groups from your account.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `"onetimepin"`
      - `"azureAD"`
      - `"saml"`
      - `"centrify"`
      - `"facebook"`
      - `"github"`
      - `"google-apps"`
      - `"google"`
      - `"linkedin"`
      - `"oidc"`
      - `"okta"`
      - `"onelogin"`
      - `"pingone"`
      - `"yandex"`
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
      - `enabled: optional boolean` A flag to enable or disable SCIM for the identity provider.
      - `identity_update_behavior: optional "automatic" or "reauth" or "no_action"` Indicates how a SCIM event updates a user identity used for policy evaluation. Use `"automatic"` to automatically update a user's identity and augment it with fields from the SCIM user resource. Use `"reauth"` to force re-authentication on group membership updates; the user identity update will only occur after successful re-authentication. With `"reauth"`, identities will not contain fields from the SCIM user resource. With `"no_action"`, identities will not be changed by SCIM updates in any way and users will not be prompted to reauthenticate.
        - `"automatic"`
        - `"reauth"`
        - `"no_action"`
      - `scim_base_url: optional string` The base URL of Cloudflare's SCIM V2.0 API endpoint.
      - `seat_deprovision: optional boolean` A flag to remove a user's seat in Zero Trust when they have been deprovisioned in the Identity Provider. This cannot be enabled unless `user_deprovision` is also enabled.
      - `secret: optional string` A read-only token generated when the SCIM integration is enabled for the first time. It is redacted on subsequent requests. If you lose this you will need to refresh it at `/access/identity_providers/:idpID/refresh_scim_secret`.
      - `user_deprovision: optional boolean` A flag to enable revoking a user's session in Access and Gateway when they have been deprovisioned in the Identity Provider.
  - `AccessCentrify { config, name, type, 2 more }`
    - `config: { centrify_account, centrify_app_id, claims, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `centrify_account: optional string` Your Centrify account URL.
      - `centrify_app_id: optional string` Your Centrify app ID.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the `id_token` response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessFacebook { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGitHub { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogle { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, email_claim_name }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the `id_token` response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessGoogleApps { config, name, type, 2 more }`
    - `config: { apps_domain, claims, client_id, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `apps_domain: optional string` Your company's TLD.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the `id_token` response.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessLinkedin { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOIDC { config, name, type, 2 more }`
    - `config: { auth_url, certs_url, claims, 6 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `auth_url: optional string` The `authorization_endpoint` URL of your IdP.
      - `certs_url: optional string` The `jwks_uri` endpoint of your IdP, used to fetch the IdP keys that sign the tokens.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the `id_token` response.
      - `pkce_enabled: optional boolean` Enable Proof Key for Code Exchange (PKCE).
      - `scopes: optional array of string` OAuth scopes.
      - `token_url: optional string` The `token_endpoint` URL of your IdP.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOkta { config, name, type, 2 more }`
    - `config: { authorization_server_id, claims, client_id, 3 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `authorization_server_id: optional string` Your Okta authorization server ID.
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the `id_token` response.
      - `okta_account: optional string` Your Okta account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessOnelogin { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the `id_token` response.
      - `onelogin_account: optional string` Your OneLogin account URL.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessPingone { config, name, type, 2 more }`
    - `config: { claims, client_id, client_secret, 2 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `claims: optional array of string` Custom claims.
      - `client_id: optional string` Your OAuth Client ID.
      - `client_secret: optional string` Your OAuth Client Secret.
      - `email_claim_name: optional string` The claim name for email in the `id_token` response.
      - `ping_env_id: optional string` Your PingOne environment identifier.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessSAML { config, name, type, 2 more }`
    - `config: { attributes, email_attribute_name, header_attributes, 4 more }` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
      - `attributes: optional array of string` A list of SAML attribute names that will be added to your signed JWT token and can be used in SAML policy rules.
      - `email_attribute_name: optional string` The attribute name for email in the SAML response.
      - `header_attributes: optional array of { attribute_name, header_name }` A list of attribute names that will be returned in the response header from the Access callback.
        - `attribute_name: optional string` Attribute name from the IdP.
        - `header_name: optional string` Header that will be added on the request to the origin.
      - `idp_public_certs: optional array of string` X509 certificate to verify the signature in the SAML authentication response.
      - `issuer_url: optional string` IdP Entity ID or Issuer URL.
      - `sign_request: optional boolean` Sign the SAML authentication request with Access credentials. To verify the signature, use the public key from the Access certs endpoints.
      - `sso_target_url: optional string` URL to send the SAML authentication requests to.
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
  - `AccessYandex { config, name, type, 2 more }`
    - `config: GenericOAuthConfig` The configuration parameters for the identity provider. To view the required parameters for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `name: string` The name of the identity provider, shown to users on the login page.
    - `type: IdentityProviderType` The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/).
    - `id: optional string` UUID.
    - `scim_config: optional IdentityProviderSCIMConfig` The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
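The list response above carries the security-relevant switches of each identity provider: whether SCIM is enabled and whether `user_deprovision` is on (so an IdP-side offboarding actually revokes Access and Gateway sessions), the documented rule that `seat_deprovision` requires `user_deprovision`, `pkce_enabled` on OIDC providers, and `idp_public_certs` / `sign_request` on SAML providers. The following audit script is an added example and not Cloudflare code; it takes the `result` array of `IdentityProviderListResponse` as a plain Python list and reports deviations from a small audit policy of my own (the policy is an assumption, not a Cloudflare recommendation). The sample identity providers are constructed.

```python
"""Audit Access identity provider objects for security-relevant settings.

Added example, not Cloudflare's own code. Consumes the `result` array of the
identity provider list endpoint (already parsed from JSON) and applies an
audit policy that is my assumption, not a documented requirement, except for
the seat_deprovision/user_deprovision rule, which the API reference states.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]  # (identity provider name, finding text)


def audit_scim(idp: Dict[str, Any]) -> List[Finding]:
    """Check the IdentityProviderSCIMConfig attached to one identity provider."""
    name = idp.get("name", "<unnamed>")
    scim = idp.get("scim_config") or {}
    findings: List[Finding] = []
    if not scim.get("enabled"):
        # Without SCIM, deprovisioning in the IdP never reaches Cloudflare.
        findings.append((name, "SCIM disabled: IdP deprovisioning does not propagate"))
        return findings
    if not scim.get("user_deprovision"):
        findings.append((name, "user_deprovision off: deprovisioned users keep Access/Gateway sessions"))
    if scim.get("seat_deprovision") and not scim.get("user_deprovision"):
        # Documented constraint: seat_deprovision cannot be enabled without user_deprovision.
        findings.append((name, "seat_deprovision set without user_deprovision (invalid combination)"))
    if scim.get("identity_update_behavior") == "no_action":
        findings.append((name, "identity_update_behavior=no_action: SCIM group changes never reach policy evaluation"))
    return findings


def audit_protocol(idp: Dict[str, Any]) -> List[Finding]:
    """Protocol-specific checks keyed on the `type` field (IdentityProviderType)."""
    name = idp.get("name", "<unnamed>")
    cfg = idp.get("config") or {}
    findings: List[Finding] = []
    if idp.get("type") == "oidc" and not cfg.get("pkce_enabled"):
        findings.append((name, "OIDC provider without PKCE (pkce_enabled is not true)"))
    if idp.get("type") == "saml":
        if not cfg.get("idp_public_certs"):
            findings.append((name, "SAML provider has no idp_public_certs to verify response signatures"))
        if not cfg.get("sign_request"):
            findings.append((name, "SAML sign_request off: authentication requests are unsigned"))
    return findings


def audit_identity_providers(result: List[Dict[str, Any]]) -> List[Finding]:
    """Run every check over the `result` array of the list response."""
    findings: List[Finding] = []
    for idp in result:
        findings.extend(audit_protocol(idp))
        findings.extend(audit_scim(idp))
    return findings


# Constructed sample: three identity providers shaped like the list response.
SAMPLE_RESULT: List[Dict[str, Any]] = [
    {"name": "Corp OIDC", "type": "oidc",
     "config": {"client_id": "client-id-placeholder", "pkce_enabled": False},
     "scim_config": {"enabled": True, "user_deprovision": True,
                     "seat_deprovision": True, "identity_update_behavior": "automatic"}},
    {"name": "Partner SAML", "type": "saml",
     "config": {"idp_public_certs": [], "sign_request": False,
                "issuer_url": "https://idp.partner.example"},
     "scim_config": {"enabled": False}},
    {"name": "Legacy Okta", "type": "okta",
     "config": {"okta_account": "https://example.okta.com"},
     "scim_config": {"enabled": True, "user_deprovision": False,
                     "seat_deprovision": True, "identity_update_behavior": "no_action"}},
]

if __name__ == "__main__":
    for provider, text in audit_identity_providers(SAMPLE_RESULT):
        print(f"[{provider}] {text}")
```

With a live account, feed the function the `result` array returned by the list endpoint; a clean provider (SCIM enabled with `user_deprovision`, PKCE on, SAML certificate pinned) yields no findings.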
### Identity Provider Delete Response

- `IdentityProviderDeleteResponse { id }`
  - `id: optional string` UUID.

# SCIM

# Groups

## List SCIM Group resources

**get** `/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/groups`

Lists SCIM Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).

### Path Parameters

- `account_id: string` Identifier.
- `identity_provider_id: string` UUID.

### Query Parameters

- `cf_resource_id: optional string` The unique Cloudflare-generated Id of the SCIM Group resource; also known as the "Id".
- `idp_resource_id: optional string` The IdP-generated Id of the SCIM Group resource; also known as the "external Id".
- `name: optional string` The display name of the SCIM Group resource.
- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of ZeroTrustGroup`
  - `id: optional string` The unique Cloudflare-generated Id of the SCIM resource.
  - `displayName: optional string` The display name of the SCIM Group resource.
  - `externalId: optional string` The IdP-generated Id of the SCIM resource.
  - `meta: optional { created, lastModified }` The metadata of the SCIM resource.
    - `created: optional string` The timestamp of when the SCIM resource was created.
    - `lastModified: optional string` The timestamp of when the SCIM resource was last modified.
  - `schemas: optional array of string` The list of URIs which indicate the attributes contained within a SCIM resource.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers/$IDENTITY_PROVIDER_ID/scim/groups \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0",
      "displayName": "ALL EMPLOYEES",
      "externalId": "all_employees",
      "meta": {
        "created": "2025-01-01T00:00:00Z",
        "lastModified": "2025-01-02T00:00:00Z"
      },
      "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"]
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# Users

## List SCIM User resources

**get** `/accounts/{account_id}/access/identity_providers/{identity_provider_id}/scim/users`

Lists SCIM User resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).

### Path Parameters

- `account_id: string` Identifier.
- `identity_provider_id: string` UUID.

### Query Parameters

- `cf_resource_id: optional string` The unique Cloudflare-generated Id of the SCIM User resource; also known as the "Id".
- `email: optional string` The email address of the SCIM User resource.
- `idp_resource_id: optional string` The IdP-generated Id of the SCIM User resource; also known as the "external Id".
- `name: optional string` The name of the SCIM User resource.
- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.
- `username: optional string` The username of the SCIM User resource.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of AccessUser`
  - `id: optional string` The unique Cloudflare-generated Id of the SCIM resource.
  - `active: optional boolean` Determines the status of the SCIM User resource.
  - `displayName: optional string` The name of the SCIM User resource.
  - `emails: optional array of { primary, type, value }`
    - `primary: optional boolean` Indicates if the email address is the primary email belonging to the SCIM User resource.
    - `type: optional string` Indicates the type of the email address.
    - `value: optional string` The email address of the SCIM User resource.
  - `externalId: optional string` The IdP-generated Id of the SCIM resource.
  - `meta: optional { created, lastModified }` The metadata of the SCIM resource.
    - `created: optional string` The timestamp of when the SCIM resource was created.
    - `lastModified: optional string` The timestamp of when the SCIM resource was last modified.
  - `schemas: optional array of string` The list of URIs which indicate the attributes contained within a SCIM resource.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers/$IDENTITY_PROVIDER_ID/scim/users \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0",
      "active": true,
      "displayName": "John Smith",
      "emails": [
        {
          "primary": true,
          "type": "work",
          "value": "john.smith@example.com"
        }
      ],
      "externalId": "john_smith",
      "meta": {
        "created": "2025-01-01T00:00:00Z",
        "lastModified": "2025-01-02T00:00:00Z"
      },
      "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

# Organizations

## Get your Zero Trust organization

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations`

Returns the configuration for your Zero Trust organization.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
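The SCIM User listing above is paginated through `result_info` (`page`, `per_page`, `total_pages`), and each `AccessUser` carries an `active` flag that the IdP flips to `false` when it deprovisions the user. The walker below is an added example, not Cloudflare code: it pages through the listing until `total_pages` is reached and reports the users whose `active` is `false`, with their primary email, which is what an offboarding audit wants to cross-check against the sessions that `user_deprovision` should have revoked. The HTTP call is injected as a function so the block runs offline; `fake_fetch_page` and the five sample users are constructed, and with a real client you would supply a function that GETs the `/scim/users` path with `page` and `per_page` query parameters and returns the parsed JSON body.

```python
"""Page through SCIM User resources and report deprovisioned (active=false) users.

Added example, not Cloudflare's own code. `fetch_page(page, per_page)` is an
injected callable returning the parsed JSON of one `/scim/users` response;
the sample implementation and its users below are constructed.
"""
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple

FetchPage = Callable[[int, int], Dict[str, Any]]


def iter_scim_users(fetch_page: FetchPage, per_page: int = 20) -> Iterator[Dict[str, Any]]:
    """Yield every AccessUser across all pages, following result_info.total_pages."""
    page = 1
    while True:
        body = fetch_page(page, per_page)
        if not body.get("success"):
            # The envelope's `errors` array explains a failed call.
            raise RuntimeError(f"SCIM user listing failed: {body.get('errors')}")
        for user in body.get("result") or []:
            yield user
        info = body.get("result_info") or {}
        total_pages = info.get("total_pages")
        # Stop when the server reports no pagination info or we are on the last page.
        if total_pages is None or page >= total_pages:
            return
        page += 1


def primary_email(user: Dict[str, Any]) -> Optional[str]:
    """Pick the email marked primary, falling back to the first one listed."""
    emails = user.get("emails") or []
    for entry in emails:
        if entry.get("primary"):
            return entry.get("value")
    return emails[0].get("value") if emails else None


def inactive_users(fetch_page: FetchPage, per_page: int = 20) -> List[Tuple[str, Optional[str]]]:
    """Return (externalId or id, primary email) for users the IdP marked inactive.

    Only an explicit `active: false` counts; a missing flag is not treated as
    deprovisioned, so the report never over-states offboarding.
    """
    return [
        (user.get("externalId") or user.get("id", "<no id>"), primary_email(user))
        for user in iter_scim_users(fetch_page, per_page)
        if user.get("active") is False
    ]


# Constructed sample data shaped like the documented AccessUser resource.
def _user(uid: str, ext: str, email: str, active: bool) -> Dict[str, Any]:
    return {
        "id": uid, "active": active, "displayName": ext, "externalId": ext,
        "emails": [{"primary": True, "type": "work", "value": email}],
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    }


SAMPLE_USERS: List[Dict[str, Any]] = [
    _user("00000000-0000-4000-8000-000000000001", "jsmith", "john.smith@example.com", True),
    _user("00000000-0000-4000-8000-000000000002", "adoe", "alice.doe@example.com", False),
    _user("00000000-0000-4000-8000-000000000003", "bkim", "bob.kim@example.com", True),
    _user("00000000-0000-4000-8000-000000000004", "clee", "carol.lee@example.com", False),
    _user("00000000-0000-4000-8000-000000000005", "dng", "dan.ng@example.com", True),
]


def fake_fetch_page(page: int, per_page: int) -> Dict[str, Any]:
    """Constructed stand-in for the HTTP call; slices SAMPLE_USERS into pages."""
    start = (page - 1) * per_page
    chunk = SAMPLE_USERS[start:start + per_page]
    total = len(SAMPLE_USERS)
    return {
        "errors": [], "messages": [], "success": True, "result": chunk,
        "result_info": {"count": len(chunk), "page": page, "per_page": per_page,
                        "total_count": total, "total_pages": -(-total // per_page)},
    }


if __name__ == "__main__":
    for ext_id, email in inactive_users(fake_fetch_page, per_page=2):
        print(f"deprovisioned in IdP: {ext_id} <{email}>")
```

Running it with `per_page=2` walks three pages and reports the two inactive sample users; on a live account the same loop applies to the Group listing, which shares the `result_info` envelope.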
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Organization`
  - `allow_authenticate_via_warp: optional boolean` When set to `true`, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `auth_domain: optional string` The unique subdomain assigned to your Zero Trust organization.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login.
  - `custom_pages: optional { forbidden, identity_denied }`
    - `forbidden: optional string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `identity_denied: optional string` The uid of the custom page to use when a user is denied access.
  - `deny_unmatched_requests: optional boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `deny_unmatched_requests_exempted_zone_names: optional array of string` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will still block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `is_ui_read_only: optional boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `login_design: optional LoginDesign`
    - `background_color: optional string` The background color on your login page.
    - `footer_text: optional string` The text at the bottom of your login page.
    - `header_text: optional string` The text at the top of your login page.
    - `logo_path: optional string` The URL of the logo on your login page.
    - `text_color: optional string` The text color on your login page.
  - `mfa_config: optional { allowed_authenticators, session_duration }` Configures multi-factor authentication (MFA) settings for an organization.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (`m`) or hours (`h`). Minimum: `0m`. Maximum: `720h` (30 days). Examples: `5m` or `24h`.
  - `mfa_required_for_all_apps: optional boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `name: optional string` The name of your Zero Trust organization.
  - `session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `ui_read_only_toggle_reason: optional string` A description of the reason why the UI read-only field is being toggled.
  - `user_seat_expiration_inactive_time: optional string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. The minimum value for this setting is 1 month (`730h`). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `warp_auth_session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: `m`, `h`.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/organizations \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": ["example.com"],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```

## Create your Zero Trust organization

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations`

Sets up a Zero Trust organization for your account or zone.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `auth_domain: string` The unique subdomain assigned to your Zero Trust organization.
- `name: string` The name of your Zero Trust organization.
- `allow_authenticate_via_warp: optional boolean` When set to `true`, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
- `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login.
- `deny_unmatched_requests: optional boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
- `deny_unmatched_requests_exempted_zone_names: optional array of string` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will still block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
- `is_ui_read_only: optional boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
- `login_design: optional LoginDesign` - `background_color: optional string` The background color on your login page. - `footer_text: optional string` The text at the bottom of your login page. - `header_text: optional string` The text at the top of your login page. - `logo_path: optional string` The URL of the logo on your login page. - `text_color: optional string` The text color on your login page. - `mfa_config: optional { allowed_authenticators, session_duration }` Configures multi-factor authentication (MFA) settings for an organization. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `mfa_required_for_all_apps: optional boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. - `session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason: optional string` A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time: optional string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. 
- `warp_auth_session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional Organization` - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value. - `auth_domain: optional string` The unique subdomain assigned to your Zero Trust organization. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. - `custom_pages: optional { forbidden, identity_denied }` - `forbidden: optional string` The uid of the custom page to use when a user is denied access after failing a non-identity rule. - `identity_denied: optional string` The uid of the custom page to use when a user is denied access. - `deny_unmatched_requests: optional boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names: optional array of string` Contains zone names to exempt from the `deny_unmatched_requests` feature. 
Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only: optional boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. - `login_design: optional LoginDesign` - `background_color: optional string` The background color on your login page. - `footer_text: optional string` The text at the bottom of your login page. - `header_text: optional string` The text at the top of your login page. - `logo_path: optional string` The URL of the logo on your login page. - `text_color: optional string` The text color on your login page. - `mfa_config: optional { allowed_authenticators, session_duration }` Configures multi-factor authentication (MFA) settings for an organization. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `mfa_required_for_all_apps: optional boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. - `name: optional string` The name of your Zero Trust organization. - `session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason: optional string` A description of the reason why the UI read only field is being toggled. 
- `user_seat_expiration_inactive_time: optional string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. - `warp_auth_session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. ### Example ```http curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/organizations \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "auth_domain": "test.cloudflareaccess.com", "name": "Widget Corps Internal Applications", "deny_unmatched_requests_exempted_zone_names": [ "example.com" ], "session_duration": "24h", "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI", "user_seat_expiration_inactive_time": "730h", "warp_auth_session_duration": "24h" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "allow_authenticate_via_warp": true, "auth_domain": "test.cloudflareaccess.com", "auto_redirect_to_identity": true, "created_at": "2014-01-01T05:20:00.12345Z", "custom_pages": { "forbidden": "699d98642c564d2e855e9661899b7252", "identity_denied": "699d98642c564d2e855e9661899b7252" }, "deny_unmatched_requests": true, "deny_unmatched_requests_exempted_zone_names": [ "example.com" ], "is_ui_read_only": true, "login_design": { "background_color": "#c5ed1b", "footer_text": "This 
is an example description.", "header_text": "This is an example description.", "logo_path": "https://example.com/logo.png", "text_color": "#c5ed1b" }, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "session_duration": "24h" }, "mfa_required_for_all_apps": false, "name": "Widget Corps Internal Applications", "session_duration": "24h", "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI", "updated_at": "2014-01-01T05:20:00.12345Z", "user_seat_expiration_inactive_time": "730h", "warp_auth_session_duration": "24h" } } ``` ## Update your Zero Trust organization **put** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations` Updates the configuration for your Zero Trust organization. ### Path Parameters - `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Body Parameters - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value. - `auth_domain: optional string` The unique subdomain assigned to your Zero Trust organization. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. - `custom_pages: optional { forbidden, identity_denied }` - `forbidden: optional string` The uid of the custom page to use when a user is denied access after failing a non-identity rule. - `identity_denied: optional string` The uid of the custom page to use when a user is denied access. - `deny_unmatched_requests: optional boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. 
If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names: optional array of string` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only: optional boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. - `login_design: optional LoginDesign` - `background_color: optional string` The background color on your login page. - `footer_text: optional string` The text at the bottom of your login page. - `header_text: optional string` The text at the top of your login page. - `logo_path: optional string` The URL of the logo on your login page. - `text_color: optional string` The text color on your login page. - `mfa_config: optional { allowed_authenticators, session_duration }` Configures multi-factor authentication (MFA) settings for an organization. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `mfa_required_for_all_apps: optional boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. 
- `name: optional string` The name of your Zero Trust organization. - `session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason: optional string` A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time: optional string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. - `warp_auth_session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional Organization` - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value. - `auth_domain: optional string` The unique subdomain assigned to your Zero Trust organization. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. 
- `custom_pages: optional { forbidden, identity_denied }` - `forbidden: optional string` The uid of the custom page to use when a user is denied access after failing a non-identity rule. - `identity_denied: optional string` The uid of the custom page to use when a user is denied access. - `deny_unmatched_requests: optional boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array. - `deny_unmatched_requests_exempted_zone_names: optional array of string` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request. - `is_ui_read_only: optional boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled. - `login_design: optional LoginDesign` - `background_color: optional string` The background color on your login page. - `footer_text: optional string` The text at the bottom of your login page. - `header_text: optional string` The text at the top of your login page. - `logo_path: optional string` The URL of the logo on your login page. - `text_color: optional string` The text color on your login page. - `mfa_config: optional { allowed_authenticators, session_duration }` Configures multi-factor authentication (MFA) settings for an organization. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. 
- `"totp"` - `"biometrics"` - `"security_key"` - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `mfa_required_for_all_apps: optional boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured. - `name: optional string` The name of your Zero Trust organization. - `session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `ui_read_only_toggle_reason: optional string` A description of the reason why the UI read only field is being toggled. - `user_seat_expiration_inactive_time: optional string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`. - `warp_auth_session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h. 
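The duration fields above follow two different grammars with different bounds: `session_duration` and `user_seat_expiration_inactive_time` take the full `300ms`/`2h45m` form (ns, us/µs, ms, s, m, h; the seat timeout has a 730h floor), while `mfa_config.session_duration` and `warp_auth_session_duration` accept only m and h (the MFA session has a 720h ceiling). The following Go validator, added here as an illustration and not part of Cloudflare's API or SDKs, checks an update body against exactly those rules before it is sent; the `OrganizationDurations` type and its function names are this example's own.

```go
package main

import (
	"fmt"
	"time"
)

// OrganizationDurations carries the duration-typed fields of the Access
// organization body documented on this page. Empty string means "not sent".
type OrganizationDurations struct {
	SessionDuration                string // session_duration
	MFASessionDuration             string // mfa_config.session_duration
	UserSeatExpirationInactiveTime string // user_seat_expiration_inactive_time
	WARPAuthSessionDuration        string // warp_auth_session_duration
}

// Bounds quoted from the field descriptions on this page.
const (
	mfaSessionMax       = 720 * time.Hour // "Maximum: 720h (30 days)"
	userSeatInactiveMin = 730 * time.Hour // "Minimum ... 1 month (730h)"
)

// parseFullDuration accepts the `300ms` / `2h45m` grammar with units
// ns, us (or µs), ms, s, m, h. time.ParseDuration implements that grammar;
// it additionally accepts a bare "0" and negative values, which are
// rejected here because these fields describe a token or seat lifetime.
func parseFullDuration(s string) (time.Duration, error) {
	if s == "" || s == "0" {
		return 0, fmt.Errorf("must be a duration with a unit, e.g. 24h")
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, err
	}
	if d < 0 {
		return 0, fmt.Errorf("must not be negative")
	}
	return d, nil
}

// parseHoursMinutes accepts only the restricted `30m` / `2h45m` grammar
// (units m and h). Each component is one or more digits followed by a
// single unit letter, so "300ms" and "-5m" are rejected even though the
// full grammar allows them.
func parseHoursMinutes(s string) (time.Duration, error) {
	if s == "" {
		return 0, fmt.Errorf("must be a duration with a unit, e.g. 30m")
	}
	for i := 0; i < len(s); {
		start := i
		for i < len(s) && s[i] >= '0' && s[i] <= '9' {
			i++
		}
		if start == i {
			return 0, fmt.Errorf("expected a number at position %d", start)
		}
		if i >= len(s) || (s[i] != 'm' && s[i] != 'h') {
			return 0, fmt.Errorf("only units m and h are allowed")
		}
		i++ // consume the unit letter
		if i < len(s) && (s[i] < '0' || s[i] > '9') {
			return 0, fmt.Errorf("only units m and h are allowed")
		}
	}
	return time.ParseDuration(s)
}

// ValidateOrganizationDurations applies the per-field rules and returns a
// map of JSON field path -> problem; an empty map means every set field is
// acceptable. Unset (empty) fields are skipped because all are optional.
func ValidateOrganizationDurations(o OrganizationDurations) map[string]string {
	problems := map[string]string{}
	if o.SessionDuration != "" {
		if _, err := parseFullDuration(o.SessionDuration); err != nil {
			problems["session_duration"] = err.Error()
		}
	}
	if o.MFASessionDuration != "" {
		d, err := parseHoursMinutes(o.MFASessionDuration)
		switch {
		case err != nil:
			problems["mfa_config.session_duration"] = err.Error()
		case d > mfaSessionMax:
			problems["mfa_config.session_duration"] = o.MFASessionDuration + " exceeds the 720h maximum"
		}
	}
	if o.UserSeatExpirationInactiveTime != "" {
		d, err := parseFullDuration(o.UserSeatExpirationInactiveTime)
		switch {
		case err != nil:
			problems["user_seat_expiration_inactive_time"] = err.Error()
		case d < userSeatInactiveMin:
			problems["user_seat_expiration_inactive_time"] = o.UserSeatExpirationInactiveTime + " is below the 730h minimum"
		}
	}
	if o.WARPAuthSessionDuration != "" {
		if _, err := parseHoursMinutes(o.WARPAuthSessionDuration); err != nil {
			problems["warp_auth_session_duration"] = err.Error()
		}
	}
	return problems
}

func main() {
	// Constructed sample bodies: the page's own example values, then a body
	// that trips three of the four rules (MFA too long, seat timeout too
	// short, "ms" not allowed for the WARP session).
	good := OrganizationDurations{"24h", "24h", "730h", "24h"}
	bad := OrganizationDurations{"2h45m", "800h", "72h", "300ms"}
	for _, o := range []OrganizationDurations{good, bad} {
		fmt.Printf("%+v -> %v\n", o, ValidateOrganizationDurations(o))
	}
}
```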
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/organizations \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "auth_domain": "test.cloudflareaccess.com",
    "deny_unmatched_requests_exempted_zone_names": [
      "example.com"
    ],
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_authenticate_via_warp": true,
    "auth_domain": "test.cloudflareaccess.com",
    "auto_redirect_to_identity": true,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_pages": {
      "forbidden": "699d98642c564d2e855e9661899b7252",
      "identity_denied": "699d98642c564d2e855e9661899b7252"
    },
    "deny_unmatched_requests": true,
    "deny_unmatched_requests_exempted_zone_names": [
      "example.com"
    ],
    "is_ui_read_only": true,
    "login_design": {
      "background_color": "#c5ed1b",
      "footer_text": "This is an example description.",
      "header_text": "This is an example description.",
      "logo_path": "https://example.com/logo.png",
      "text_color": "#c5ed1b"
    },
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "session_duration": "24h"
    },
    "mfa_required_for_all_apps": false,
    "name": "Widget Corps Internal Applications",
    "session_duration": "24h",
    "ui_read_only_toggle_reason": "Temporarily turn off the UI read only lock to make a change via the UI",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "user_seat_expiration_inactive_time": "730h",
    "warp_auth_session_duration": "24h"
  }
}
```

## Revoke all Access tokens for a user

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/organizations/revoke_user`

Revokes a user's access across all applications.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `devices: optional boolean` When set to `true`, all devices associated with the user will be revoked.

### Body Parameters

- `email: string` The email of the user to revoke.
- `devices: optional boolean` When set to `true`, all devices associated with the user will be revoked.
- `user_uid: optional string` The uuid of the user to revoke.
- `warp_session_reauth: optional boolean` When set to `true`, the user will be required to re-authenticate to WARP for all Gateway policies that enforce a WARP client session duration. When `false`, the user's WARP session will remain active.

### Returns

- `result: optional true or false`
  - `true`
  - `false`
- `success: optional true or false`
  - `true`
  - `false`

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/organizations/revoke_user \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "email": "test@example.com",
    "devices": true,
    "user_uid": "699d98642c564d2e855e9661899b7252",
    "warp_session_reauth": true
  }'
```

#### Response

```json
{
  "result": true,
  "success": true
}
```

## Domain Types

### Login Design

- `LoginDesign { background_color, footer_text, header_text, 2 more }`
  - `background_color: optional string` The background color on your login page.
  - `footer_text: optional string` The text at the bottom of your login page.
  - `header_text: optional string` The text at the top of your login page.
  - `logo_path: optional string` The URL of the logo on your login page.
  - `text_color: optional string` The text color on your login page.

### Organization

- `Organization { allow_authenticate_via_warp, auth_domain, auto_redirect_to_identity, 12 more }`
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.
  - `auth_domain: optional string` The unique subdomain assigned to your Zero Trust organization.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login.
  - `custom_pages: optional { forbidden, identity_denied }`
    - `forbidden: optional string` The uid of the custom page to use when a user is denied access after failing a non-identity rule.
    - `identity_denied: optional string` The uid of the custom page to use when a user is denied access.
  - `deny_unmatched_requests: optional boolean` Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names` array.
  - `deny_unmatched_requests_exempted_zone_names: optional array of string` Contains zone names to exempt from the `deny_unmatched_requests` feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.
  - `is_ui_read_only: optional boolean` Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.
  - `login_design: optional LoginDesign`
    - `background_color: optional string` The background color on your login page.
    - `footer_text: optional string` The text at the bottom of your login page.
    - `header_text: optional string` The text at the top of your login page.
    - `logo_path: optional string` The URL of the logo on your login page.
    - `text_color: optional string` The text color on your login page.
  - `mfa_config: optional { allowed_authenticators, session_duration }` Configures multi-factor authentication (MFA) settings for an organization.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `mfa_required_for_all_apps: optional boolean` Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.
  - `name: optional string` The name of your Zero Trust organization.
  - `session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `ui_read_only_toggle_reason: optional string` A description of the reason why the UI read only field is being toggled.
  - `user_seat_expiration_inactive_time: optional string` The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
  - `warp_auth_session_duration: optional string` The amount of time that tokens issued for applications will be valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.

### Organization Revoke Users Response

- `OrganizationRevokeUsersResponse = true or false`
  - `true`
  - `false`

# DOH

## Get your Zero Trust organization DoH settings

**get** `/accounts/{account_id}/access/organizations/doh`

Returns the DoH settings for your Zero Trust organization.

### Path Parameters

- `account_id: string` Identifier.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, client_id, doh_jwt_duration, 3 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration: optional string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations/doh \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "doh_jwt_duration": "800h",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update your Zero Trust organization DoH settings

**put** `/accounts/{account_id}/access/organizations/doh`

Updates the DoH settings for your Zero Trust organization.

### Path Parameters

- `account_id: string` Identifier.

### Body Parameters

- `doh_jwt_duration: optional string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.
- `service_token_id: optional string` The uuid of the service token you want to use for DoH authentication.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, client_id, doh_jwt_duration, 3 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration: optional string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations/doh \
  -X PUT \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "doh_jwt_duration": "800h",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### DOH Get Response

- `DOHGetResponse { id, client_id, doh_jwt_duration, 3 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration: optional string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.

### DOH Update Response

- `DOHUpdateResponse { id, client_id, doh_jwt_duration, 3 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `doh_jwt_duration: optional string` The duration the DoH JWT is valid for. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account. Default expiration is 24h.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.

# Seats

## Update a user seat

**patch** `/accounts/{account_id}/access/seats`

Removes a user from a Zero Trust seat when both `access_seat` and `gateway_seat` are set to false.

### Path Parameters

- `account_id: string` Identifier.

### Body Parameters

- `body: array of { access_seat, gateway_seat, seat_uid }`
  - `access_seat: boolean` True if the seat is part of Access.
  - `gateway_seat: boolean` True if the seat is part of Gateway.
  - `seat_uid: string` The unique API identifier for the Zero Trust seat.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of Seat`
  - `access_seat: optional boolean` True if the seat is part of Access.
  - `created_at: optional string`
  - `gateway_seat: optional boolean` True if the seat is part of Gateway.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `updated_at: optional string`
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/seats \ -X PATCH \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '[ { "access_seat": false, "gateway_seat": false, "seat_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ]' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "access_seat": false, "created_at": "2014-01-01T05:20:00.12345Z", "gateway_seat": false, "seat_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Seat - `Seat { access_seat, created_at, gateway_seat, 2 more }` - `access_seat: optional boolean` True if the seat is part of Access. - `created_at: optional string` - `gateway_seat: optional boolean` True if the seat is part of Gateway. - `seat_uid: optional string` The unique API identifier for the Zero Trust seat. - `updated_at: optional string` # Access # AI Controls # Mcp # Portals ## List MCP Portals **get** `/accounts/{account_id}/access/ai-controls/mcp/portals` Lists all MCP portals configured for the account. 
### Path Parameters

- `account_id: string`

### Query Parameters

- `page: optional number`
- `per_page: optional number`
- `search: optional string` Search by id, name, hostname

### Returns

- `result: array of { id, hostname, name, 8 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: array of { id, auth_type, hostname, 16 more }`
    - `id: string` server id
    - `auth_type: "oauth" or "bearer" or "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: array of map[unknown]`
    - `tools: array of map[unknown]`
    - `updated_prompts: array of map[number or string]`
      - `number`
      - `string`
    - `updated_tools: array of map[number or string]`
      - `number`
      - `string`
    - `created_at: optional string`
    - `created_by: optional string`
    - `default_disabled: optional boolean`
    - `description: optional string`
    - `error: optional string`
    - `last_successful_sync: optional string`
    - `last_synced: optional string`
    - `modified_at: optional string`
    - `modified_by: optional string`
    - `on_behalf: optional boolean`
    - `status: optional string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-portal",
      "hostname": "example.com",
      "name": "My MCP Portal",
      "servers": [
        {
          "id": "my-mcp-server",
          "auth_type": "unauthenticated",
          "hostname": "https://example.com/mcp",
          "name": "My MCP Server",
          "prompts": [{ "foo": "bar" }],
          "tools": [{ "foo": "bar" }],
          "updated_prompts": [{ "foo": 0 }],
          "updated_tools": [{ "foo": 0 }],
          "created_at": "2019-12-27T18:11:19.117Z",
          "created_by": "created_by",
          "default_disabled": true,
          "description": "This is one remote mcp server",
          "error": "error",
          "last_successful_sync": "2019-12-27T18:11:19.117Z",
          "last_synced": "2019-12-27T18:11:19.117Z",
          "modified_at": "2019-12-27T18:11:19.117Z",
          "modified_by": "modified_by",
          "on_behalf": true,
          "status": "status"
        }
      ],
      "allow_code_mode": true,
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is my custom MCP Portal",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "secure_web_gateway": false
    }
  ],
  "success": true
}
```

## Create a new MCP Portal

**post** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Creates a new MCP portal for managing AI tool access through Cloudflare Access.

### Path Parameters

- `account_id: string`

### Body Parameters

- `id: string` portal id
- `hostname: string`
- `name: string`
- `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta). Because this permits remote code execution, enable it only on portals that need it.
- `description: optional string`
- `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `servers: optional array of { server_id, default_disabled, on_behalf, 2 more }`
  - `server_id: string` server id
  - `default_disabled: optional boolean`
  - `on_behalf: optional boolean`
  - `updated_prompts: optional array of { name, alias, description, enabled }`
    - `name: string`
    - `alias: optional string`
    - `description: optional string`
    - `enabled: optional boolean`
  - `updated_tools: optional array of { name, alias, description, enabled }`
    - `name: string`
    - `alias: optional string`
    - `description: optional string`
    - `enabled: optional boolean`

### Returns

- `result: { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "description": "This is my custom MCP Portal"
  }'
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Read details of an MCP Portal

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Read details of an MCP Portal.

### Path Parameters

- `account_id: string`
- `id: string` portal id

### Returns

- `result: { id, hostname, name, 8 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: array of { id, auth_type, hostname, 16 more }`
    - `id: string` server id
    - `auth_type: "oauth" or "bearer" or "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: array of map[unknown]`
    - `tools: array of map[unknown]`
    - `updated_prompts: array of map[number or string]`
      - `number`
      - `string`
    - `updated_tools: array of map[number or string]`
      - `number`
      - `string`
    - `created_at: optional string`
    - `created_by: optional string`
    - `default_disabled: optional boolean`
    - `description: optional string`
    - `error: optional string`
    - `last_successful_sync: optional string`
    - `last_synced: optional string`
    - `modified_at: optional string`
    - `modified_by: optional string`
    - `on_behalf: optional boolean`
    - `status: optional string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals/$ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "servers": [
      {
        "id": "my-mcp-server",
        "auth_type": "unauthenticated",
        "hostname": "https://example.com/mcp",
        "name": "My MCP Server",
        "prompts": [{ "foo": "bar" }],
        "tools": [{ "foo": "bar" }],
        "updated_prompts": [{ "foo": 0 }],
        "updated_tools": [{ "foo": 0 }],
        "created_at": "2019-12-27T18:11:19.117Z",
        "created_by": "created_by",
        "default_disabled": true,
        "description": "This is one remote mcp server",
        "error": "error",
        "last_successful_sync": "2019-12-27T18:11:19.117Z",
        "last_synced": "2019-12-27T18:11:19.117Z",
        "modified_at": "2019-12-27T18:11:19.117Z",
        "modified_by": "modified_by",
        "on_behalf": true,
        "status": "status"
      }
    ],
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Update an MCP Portal

**put** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Updates an MCP portal configuration.

### Path Parameters

- `account_id: string`
- `id: string` portal id

### Body Parameters

- `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
- `description: optional string`
- `hostname: optional string`
- `name: optional string`
- `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `servers: optional array of { server_id, default_disabled, on_behalf, 2 more }`
  - `server_id: string` server id
  - `default_disabled: optional boolean`
  - `on_behalf: optional boolean`
  - `updated_prompts: optional array of { name, alias, description, enabled }`
    - `name: string`
    - `alias: optional string`
    - `description: optional string`
    - `enabled: optional boolean`
  - `updated_tools: optional array of { name, alias, description, enabled }`
    - `name: string`
    - `alias: optional string`
    - `description: optional string`
    - `enabled: optional boolean`

### Returns

- `result: { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `success: boolean`

### Example

All body fields are optional; the request below changes only the name and description.

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals/$ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "My MCP Portal",
    "description": "This is my custom MCP Portal"
  }'
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Delete an MCP Portal

**delete** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Deletes an MCP portal from the account.

### Path Parameters

- `account_id: string`
- `id: string` portal id

### Returns

- `result: { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals/$ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Domain Types

### Portal List Response

- `PortalListResponse { id, hostname, name, 8 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: array of { id, auth_type, hostname, 16 more }`
    - `id: string` server id
    - `auth_type: "oauth" or "bearer" or "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: array of map[unknown]`
    - `tools: array of map[unknown]`
    - `updated_prompts: array of map[number or string]`
      - `number`
      - `string`
    - `updated_tools: array of map[number or string]`
      - `number`
      - `string`
    - `created_at: optional string`
    - `created_by: optional string`
    - `default_disabled: optional boolean`
    - `description: optional string`
    - `error: optional string`
    - `last_successful_sync: optional string`
    - `last_synced: optional string`
    - `modified_at: optional string`
    - `modified_by: optional string`
    - `on_behalf: optional boolean`
    - `status: optional string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Create Response

- `PortalCreateResponse { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Read Response

- `PortalReadResponse { id, hostname, name, 8 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: array of { id, auth_type, hostname, 16 more }`
    - `id: string` server id
    - `auth_type: "oauth" or "bearer" or "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: array of map[unknown]`
    - `tools: array of map[unknown]`
    - `updated_prompts: array of map[number or string]`
      - `number`
      - `string`
    - `updated_tools: array of map[number or string]`
      - `number`
      - `string`
    - `created_at: optional string`
    - `created_by: optional string`
    - `default_disabled: optional boolean`
    - `description: optional string`
    - `error: optional string`
    - `last_successful_sync: optional string`
    - `last_synced: optional string`
    - `modified_at: optional string`
    - `modified_by: optional string`
    - `on_behalf: optional boolean`
    - `status: optional string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Update Response

- `PortalUpdateResponse { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Delete Response

- `PortalDeleteResponse { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

# Servers

## List MCP Servers

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Lists all MCP servers configured for the account.
### Path Parameters

- `account_id: string`

### Query Parameters

- `page: optional number`
- `per_page: optional number`
- `search: optional string` Search by id, name

### Returns

- `result: array of { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-server",
      "auth_type": "unauthenticated",
      "hostname": "https://example.com/mcp",
      "name": "My MCP Server",
      "prompts": [{ "foo": "bar" }],
      "tools": [{ "foo": "bar" }],
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is one remote mcp server",
      "error": "error",
      "last_successful_sync": "2019-12-27T18:11:19.117Z",
      "last_synced": "2019-12-27T18:11:19.117Z",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "status": "status"
    }
  ],
  "success": true
}
```

## Create a new MCP Server

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Creates a new MCP server that portals can expose for AI tool access through Cloudflare Access.
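The server objects returned by the list endpoint above (and nested under `servers` in portal objects) carry the fields a reviewer cares about: `auth_type`, `hostname`, `error`, `last_synced` against `last_successful_sync`, plus `allow_code_mode` and `secure_web_gateway` on the portal. The Python below is an added example, not Cloudflare's code or an official client: it audits a list response for those conditions and then builds a body for the create endpoint here, refusing a credential on an `unauthenticated` server and requiring one for `oauth`/`bearer`. Field names are from this page; the `https://`-only rule, the sample data (the page's example server plus an assumed misconfigured one) and the finding messages are this example's own choices.

```python
"""Client-side checks for the MCP server objects on this page (added example)."""
import json
from urllib.parse import urlparse

AUTH_TYPES = ("oauth", "bearer", "unauthenticated")

# Constructed sample shaped like the list responses on this page; not real data.
# The first server copies the page's example, the second is an assumed
# misconfigured entry so that every check below fires at least once.
SAMPLE_PORTALS = [
    {
        "id": "my-mcp-portal",
        "hostname": "example.com",
        "name": "My MCP Portal",
        "allow_code_mode": True,
        "secure_web_gateway": False,
        "servers": [
            {
                "id": "my-mcp-server",
                "auth_type": "unauthenticated",
                "hostname": "https://example.com/mcp",
                "name": "My MCP Server",
                "error": "",
                "last_successful_sync": "2019-12-27T18:11:19.117Z",
                "last_synced": "2019-12-27T18:11:19.117Z",
            },
            {
                "id": "tickets-mcp",
                "auth_type": "bearer",
                "hostname": "http://tickets.internal/mcp",
                "name": "Tickets",
                "error": "401 from upstream",
                "last_successful_sync": "2019-12-20T00:00:00.000Z",
                "last_synced": "2019-12-27T18:11:19.117Z",
            },
        ],
    }
]


def audit_servers(servers):
    """Findings (server id, message) for server objects: the top-level ``result``
    of GET .../mcp/servers or the ``servers`` array nested in a portal."""
    findings = []
    for s in servers:
        sid = s.get("id", "<no id>")
        if s.get("auth_type") == "unauthenticated":
            findings.append((sid, "upstream is reached without credentials"))
        scheme = urlparse(s.get("hostname", "")).scheme
        if scheme != "https":
            findings.append((sid, f"hostname scheme is {scheme or 'missing'!r}, expected https"))
        if s.get("error"):
            findings.append((sid, "last sync reported: " + s["error"]))
        # Timestamps are fixed-width RFC 3339 UTC, so string order is time order.
        if s.get("last_synced", "") > s.get("last_successful_sync", ""):
            findings.append((sid, "latest sync did not succeed; tool catalog may be stale"))
    return findings


def audit_portals(portals):
    """Findings for the ``result`` array of GET .../mcp/portals."""
    findings = []
    for p in portals:
        pid = p.get("id", "<no id>")
        if p.get("allow_code_mode"):
            findings.append((pid, "allow_code_mode permits remote code execution"))
        if not p.get("secure_web_gateway"):
            findings.append((pid, "outbound MCP traffic is not routed through Secure Web Gateway"))
        findings.extend(audit_servers(p.get("servers", [])))
    return findings


def validate_server_create(hostname, auth_type, credential=None):
    """Problems with a planned POST .../mcp/servers body; an empty list means OK.
    The https-only rule is this example's policy, not a documented API rule."""
    problems = []
    if auth_type not in AUTH_TYPES:
        problems.append(f"auth_type must be one of {AUTH_TYPES}")
    if urlparse(hostname).scheme != "https":
        problems.append("hostname must be an https:// URL")
    if auth_type == "unauthenticated" and credential is not None:
        problems.append("credential given for an unauthenticated server")
    if auth_type in ("oauth", "bearer") and not credential:
        problems.append(f"{auth_type} server needs a credential")
    return problems


def build_server_create_body(server_id, name, hostname, auth_type, credential=None, description=None):
    """Request body for POST .../mcp/servers, built only if validation passes."""
    problems = validate_server_create(hostname, auth_type, credential)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"id": server_id, "auth_type": auth_type, "hostname": hostname, "name": name}
    if description:
        body["description"] = description
    if credential is not None:
        # Write-only: no response object on this page includes auth_credentials.
        body["auth_credentials"] = credential
    return body


def redact(body):
    """Copy of a request body that is safe to log."""
    return {k: ("<redacted>" if k == "auth_credentials" else v) for k, v in body.items()}


if __name__ == "__main__":
    for sid, msg in audit_portals(SAMPLE_PORTALS):
        print(f"{sid}: {msg}")
    body = build_server_create_body("tickets-mcp", "Tickets", "https://tickets.internal/mcp",
                                    "bearer", credential="read-from-a-secret-store")
    print(json.dumps(redact(body)))
```

Pass `credential` from a secret store or environment variable rather than a literal, and log only `redact(body)`: the API never returns `auth_credentials`, so the request body is the only place the secret appears.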
### Path Parameters

- `account_id: string`

### Body Parameters

- `id: string` server id
- `auth_type: "oauth" or "bearer" or "unauthenticated"`
  - `"oauth"`
  - `"bearer"`
  - `"unauthenticated"`
- `hostname: string`
- `name: string`
- `auth_credentials: optional string` The credential presented to the MCP server. This field is write-only: no server response object on this page includes it.
- `description: optional string`

### Returns

- `result: { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "description": "This is one remote mcp server"
  }'
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Read the details of an MCP Server

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Retrieves the details of an MCP server.

### Path Parameters

- `account_id: string`
- `id: string` server id

### Returns

- `result: { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers/$ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Update an MCP Server

**put** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Updates an MCP server configuration.
### Path Parameters

- `account_id: string`
- `id: string` server id

### Body Parameters

- `auth_credentials: optional string` The credential presented to the MCP server. Write-only; it is not returned in the response.
- `description: optional string`
- `name: optional string`

### Returns

- `result: { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`
- `success: boolean`

### Example

All body fields are optional; the request below changes only the name and description.

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers/$ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "My MCP Server",
    "description": "This is one remote mcp server"
  }'
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Delete an MCP Server

**delete** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Deletes an MCP server from the account.
### Path Parameters - `account_id: string` - `id: string` server id ### Returns - `result: { id, auth_type, hostname, 12 more }` - `id: string` server id - `auth_type: "oauth" or "bearer" or "unauthenticated"` - `"oauth"` - `"bearer"` - `"unauthenticated"` - `hostname: string` - `name: string` - `prompts: array of map[unknown]` - `tools: array of map[unknown]` - `created_at: optional string` - `created_by: optional string` - `description: optional string` - `error: optional string` - `last_successful_sync: optional string` - `last_synced: optional string` - `modified_at: optional string` - `modified_by: optional string` - `status: optional string` - `success: boolean` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers/$ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "result": { "id": "my-mcp-server", "auth_type": "unauthenticated", "hostname": "https://example.com/mcp", "name": "My MCP Server", "prompts": [ { "foo": "bar" } ], "tools": [ { "foo": "bar" } ], "created_at": "2019-12-27T18:11:19.117Z", "created_by": "created_by", "description": "This is one remote mcp server", "error": "error", "last_successful_sync": "2019-12-27T18:11:19.117Z", "last_synced": "2019-12-27T18:11:19.117Z", "modified_at": "2019-12-27T18:11:19.117Z", "modified_by": "modified_by", "status": "status" }, "success": true } ``` ## Sync MCP Server Capabilities **post** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}/sync` Syncs an MCP server's tool catalog with the portal. 
### Path Parameters

- `account_id: string`
- `id: string` server id

### Returns

- `result: unknown`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers/$ID/sync \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

After a sync, read the server back and check `error`, `status` and that `last_successful_sync` has caught up with `last_synced`; the sync response itself carries no detail.

## Domain Types

### Server List Response

- `ServerListResponse { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`

### Server Create Response

- `ServerCreateResponse { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`

### Server Read Response

- `ServerReadResponse { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`

### Server Update Response

- `ServerUpdateResponse { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`

### Server Delete Response

- `ServerDeleteResponse { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`

### Server Sync Response

- `ServerSyncResponse = unknown`

# Gateway CA

## List SSH Certificate Authorities (CA)

**get** `/accounts/{account_id}/access/gateway_ca`

Lists SSH Certificate Authorities (CA).

### Path Parameters

- `account_id: string` Identifier.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, public_key }`
  - `id: optional string` The key ID of this certificate.
  - `public_key: optional string` The public key of this certificate.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "public_key": "public_key"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Add a new SSH Certificate Authority (CA)

**post** `/accounts/{account_id}/access/gateway_ca`

Adds a new SSH Certificate Authority (CA).

### Path Parameters

- `account_id: string` Identifier.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, public_key }`
  - `id: optional string` The key ID of this certificate.
  - `public_key: optional string` The public key of this certificate.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "public_key": "public_key"
  }
}
```

## Delete an SSH Certificate Authority (CA)

**delete** `/accounts/{account_id}/access/gateway_ca/{certificate_id}`

Deletes an SSH Certificate Authority.

### Path Parameters

- `account_id: string` Identifier.
- `certificate_id: string` UUID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca/$CERTIFICATE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Gateway CA List Response

- `GatewayCAListResponse { id, public_key }`
  - `id: optional string` The key ID of this certificate.
  - `public_key: optional string` The public key of this certificate.

### Gateway CA Create Response

- `GatewayCACreateResponse { id, public_key }`
  - `id: optional string` The key ID of this certificate.
  - `public_key: optional string` The public key of this certificate.

### Gateway CA Delete Response

- `GatewayCADeleteResponse { id }`
  - `id: optional string` UUID.

# Infrastructure

# Targets

## List all targets

**get** `/accounts/{account_id}/infrastructure/targets`

Lists and sorts an account's targets. Filters are optional and are ANDed together.

### Path Parameters

- `account_id: string` Account identifier

### Query Parameters

- `created_after: optional string` Date and time at which the target was created after (inclusive)
- `created_before: optional string` Date and time at which the target was created before (inclusive)
- `direction: optional "asc" or "desc"` The sorting direction.
  - `"asc"`
  - `"desc"`
- `hostname: optional string` Hostname of a target
- `hostname_contains: optional string` Partial match to the hostname of a target
- `ip_like: optional string` Filters for targets whose IP addresses look like the specified string. Supports `*` as a wildcard character
- `ip_v4: optional string` IPv4 address of the target
- `ip_v6: optional string` IPv6 address of the target
- `ips: optional array of string` Filters for targets that have any of the following IP addresses. Specify `ips` multiple times in the query string to build the list of candidates.
- `ipv4_end: optional string` Defines an IPv4 filter range's ending value (inclusive). Requires `ipv4_start` to be specified as well.
- `ipv4_start: optional string` Defines an IPv4 filter range's starting value (inclusive). Requires `ipv4_end` to be specified as well.
- `ipv6_end: optional string` Defines an IPv6 filter range's ending value (inclusive). Requires `ipv6_start` to be specified as well.
- `ipv6_start: optional string` Defines an IPv6 filter range's starting value (inclusive). Requires `ipv6_end` to be specified as well.
- `modified_after: optional string` Date and time at which the target was modified after (inclusive)
- `modified_before: optional string` Date and time at which the target was modified before (inclusive)
- `order: optional "hostname" or "created_at"` The field to sort by.
  - `"hostname"`
  - `"created_at"`
- `page: optional number` Current page in the response
- `per_page: optional number` Max amount of entries returned per page
- `target_ids: optional array of string` Filters for targets that have any of the following UUIDs. Specify `target_ids` multiple times in the query string to build the list of candidates.
- `virtual_network_id: optional string` Private virtual network identifier of the target

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get target

**get** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Get target

### Path Parameters

- `account_id: string` Account identifier
- `target_id: string` Target identifier

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/$TARGET_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Create new target

**post** `/accounts/{account_id}/infrastructure/targets`

Create new target

### Path Parameters

- `account_id: string` Account identifier

### Body Parameters

- `hostname: string` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
- `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
  - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
    - `ip_addr: optional string` IP address of the target
    - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
    - `ip_addr: optional string` IP address of the target
    - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "hostname": "infra-access-target",
    "ip": {}
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Update target

**put** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Update target

### Path Parameters

- `account_id: string` Account identifier
- `target_id: string` Target identifier

### Body Parameters

- `hostname: string` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
- `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
  - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
    - `ip_addr: optional string` IP address of the target
    - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
    - `ip_addr: optional string` IP address of the target
    - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/$TARGET_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "hostname": "infra-access-target",
    "ip": {}
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Delete target

**delete** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Delete target

### Path Parameters

- `account_id: string` Account identifier
- `target_id: string` Target identifier

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/$TARGET_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

## Create new targets

**put** `/accounts/{account_id}/infrastructure/targets/batch`

Adds one or more targets.

### Path Parameters

- `account_id: string` Account identifier

### Body Parameters

- `body: array of { hostname, ip }`
  - `hostname: string` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/batch \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '[
    {
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      }
    }
  ]'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ]
}
```

## Delete targets (Deprecated)

**delete** `/accounts/{account_id}/infrastructure/targets/batch`

Removes one or more targets.

### Path Parameters

- `account_id: string` Account identifier

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/batch \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

## Delete targets

**post** `/accounts/{account_id}/infrastructure/targets/batch_delete`

Removes one or more targets.
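The create and batch-create endpoints above share one `hostname` rule and one `ip` shape, and every call comes back in the `success`/`errors` envelope. The following is an added example, not Cloudflare's client code: it validates a hostname against the documented rule before anything is sent, builds the batch body with `ipaddress`-checked addresses, and refuses to treat a `success: false` envelope as a result. The hypothetical `create_targets_batch` helper wraps the PUT; the sample envelope below is constructed from the documented response.

```python
"""Client-side helpers for the Infrastructure Targets batch endpoint (added example)."""
import ipaddress
import json
import re
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"

# Assumption: "supports dash and period" means the alphabet is alphanumerics plus
# '-' and '.'; the documented rule also requires an alphanumeric at both ends and
# a maximum of 255 characters (1 + up to 253 + 1).
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?$")


def validate_target_hostname(hostname: str) -> bool:
    """True if `hostname` satisfies the documented constraints for a target."""
    return len(hostname) <= 255 and _HOSTNAME_RE.fullmatch(hostname) is not None


def _address_entry(addr: str, version: int, vnet_id):
    """Build an {ip_addr, virtual_network_id} object, rejecting malformed addresses."""
    if ipaddress.ip_address(addr).version != version:  # raises ValueError if malformed
        raise ValueError(f"{addr!r} is not an IPv{version} address")
    entry = {"ip_addr": addr}
    if vnet_id is not None:  # omitted -> the API uses the default virtual network
        entry["virtual_network_id"] = vnet_id
    return entry


def build_target(hostname, ipv4=None, ipv6=None, virtual_network_id=None):
    """Build one element of the batch body from validated inputs."""
    if not validate_target_hostname(hostname):
        raise ValueError(f"invalid target hostname: {hostname!r}")
    if ipv4 is None and ipv6 is None:
        # The API marks both as optional; requiring one here is this example's policy.
        raise ValueError("a target needs at least one of ipv4/ipv6")
    ip = {}
    if ipv4 is not None:
        ip["ipv4"] = _address_entry(ipv4, 4, virtual_network_id)
    if ipv6 is not None:
        ip["ipv6"] = _address_entry(ipv6, 6, virtual_network_id)
    return {"hostname": hostname, "ip": ip}


def unwrap(envelope: dict) -> list:
    """Return `result` from the standard envelope, or raise with the API's errors."""
    if not envelope.get("success"):
        detail = "; ".join(
            f"{e.get('code')}: {e.get('message')}" for e in envelope.get("errors", [])
        )
        raise RuntimeError(f"API call failed: {detail or 'no error detail'}")
    return envelope.get("result") or []


def create_targets_batch(account_id: str, token: str, targets: list) -> list:
    """PUT the batch body (network call; hypothetical helper, not run offline)."""
    req = urllib.request.Request(
        f"{API_BASE}/accounts/{account_id}/infrastructure/targets/batch",
        data=json.dumps(targets).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return unwrap(json.load(resp))


# Constructed sample envelopes shaped like the documented batch response.
SAMPLE_OK = {
    "errors": [], "messages": [], "success": True,
    "result": [{
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-08-24T14:15:22Z",
        "hostname": "infra-access-target",
        "ip": {"ipv4": {"ip_addr": "187.26.29.249",
                        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"}},
        "modified_at": "2019-08-24T14:15:22Z",
    }],
}
SAMPLE_FAIL = {"errors": [{"code": 1000, "message": "message"}],
               "messages": [], "success": False, "result": None}

if __name__ == "__main__":
    body = [build_target("infra-access-target", ipv4="187.26.29.249",
                         ipv6="64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
                         virtual_network_id="c77b744e-acc8-428f-9257-6878c046ed55")]
    print(json.dumps(body, indent=2))
    print([t["id"] for t in unwrap(SAMPLE_OK)])
```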
### Path Parameters

- `account_id: string` Account identifier

### Body Parameters

- `target_ids: array of string` List of target IDs to bulk delete

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/batch_delete \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "target_ids": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ]
  }'
```

## Domain Types

### Target List Response

- `TargetListResponse { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Get Response

- `TargetGetResponse { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Create Response

- `TargetCreateResponse { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Update Response

- `TargetUpdateResponse { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Bulk Update Response

- `TargetBulkUpdateResponse { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

# Applications

## List Access applications

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Lists all Access applications in an account or zone.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `aud: optional string` The aud of the app.
- `domain: optional string` The domain of the app.
- `exact: optional boolean` True for only exact string matches against passed name/domain query parameters.
- `name: optional string` The name of the app.
- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.
- `search: optional string` Search for apps by other listed query parameters.
- `target_attributes: optional string` Target Criteria attributes in key=value format.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more`
  - `SelfHostedApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: optional CORSHeaders`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
          - `group: { id }`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `any_valid_service_token: { }` An empty object which matches on all service tokens.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: { id, ac_id, identity_provider_id }`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
          - `auth_method: { auth_method }`
            - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `AzureGroupRule { azureAD }` Matches an Azure group.
          Requires an Azure identity provider.
          - `azureAD: { id, identity_provider_id }`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
          - `certificate: { }`
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `common_name: { common_name }`
            - `common_name: string` The common name to match.
        - `CountryRule { geo }` Matches a specific country.
          - `geo: { country_code }`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `device_posture: { integration_uid }`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule { email_domain }` Matches an entire email domain.
          - `email_domain: { domain }`
            - `domain: string` The email domain to match.
        - `EmailListRule { email_list }` Matches an email address from a list.
          - `email_list: { id }`
            - `id: string` The ID of a previously created email list.
        - `EmailRule { email }` Matches a specific email.
          - `email: { email }`
            - `email: string` The email of the user.
        - `EveryoneRule { everyone }` Matches everyone.
          - `everyone: { }` An empty object which matches on all users.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: { evaluate_url, keys_url }`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": { identity_provider_id, name, team }`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team: optional string` The name of the team.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: { email, identity_provider_id }`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
          - `login_method: { id }`
            - `id: string` The ID of an identity provider.
        - `IPListRule { ip_list }` Matches an IP address from a list.
          - `ip_list: { id }`
            - `id: string` The ID of a previously created IP list.
        - `IPRule { ip }` Matches an IP address block.
          - `ip: { ip }`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `okta: { identity_provider_id, name }`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `saml: { attribute_name, attribute_value, identity_provider_id }`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: { claim_name, claim_value, identity_provider_id }`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `service_token: { token_id }`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
          Only compatible with non_identity and bypass decisions.
          - `linked_app_token: { app_uid }`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
          - `user_risk_score: { user_risk_score }`
            - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
          - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid.
      Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
    - `id: optional string` UUID.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
    - `updated_at: optional string`
  - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
    - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
      - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
        - `friendly_name: optional string` The SAML FriendlyName of the attribute.
        - `name: optional string` The name of the attribute.
        - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: optional boolean` If the attribute is required when building a SAML assertion.
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP attribute.
          - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
            - `idp_id: optional string` The UID of the IdP.
            - `source_name: optional string` The name of the IdP provided attribute.
      - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: optional string` The unique identifier for your SaaS application.
      - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
      - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
      - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: optional boolean` If a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url: optional string` The URL where this application's tile redirects users.
      - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the saas app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: optional string` The application client id.
      - `client_secret: optional string` The application client secret, only returned on POST request.
      - `custom_claims: optional array of { name, required, scope, source }`
        - `name: optional string` The name of the claim.
        - `required: optional boolean` If the claim is required when building an OIDC token.
        - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP claim.
          - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
      - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
        - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: optional array of string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: optional { lifetime }`
        - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `BrowserSSHApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. 
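The policy semantics stated in the field descriptions above (Include rules combined with OR, Require rules with AND, Exclude rules as NOT, and `precedence` unique within an app) as a small local evaluator in Python. This is an added example, not Cloudflare's code and not how Access itself is implemented. The rule wrapper keys (`everyone`, `email_domain`, `group`, `geo`, `device_posture`, `ip`, `any_valid_service_token`, `user_risk_score`) are the ones listed on this page; the fields inside each wrapper, the sample policies, the request contexts, the first-match-in-precedence-order walk and the deny-when-nothing-matches default are assumptions made for the example.

```python
import ipaddress

# Constructed sample policies. The rule wrapper keys are the ones listed on this
# page; the fields inside each wrapper, the names and the decisions are assumptions.
POLICIES = [
    {"name": "block-high-risk", "precedence": 1, "decision": "deny",
     "include": [{"everyone": {}}],
     "require": [{"user_risk_score": {"level": "high"}}]},
    {"name": "staff", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"group": {"id": "grp-contractors"}}],
     "require": [{"geo": {"country_code": "US"}},
                 {"device_posture": {"integration_uid": "disk-encryption"}}],
     "exclude": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "ci-bot", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
]

def rule_matches(rule, ctx):
    """Evaluate one AccessRule against a request context (a plain dict)."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        return ctx.get("email", "").lower().endswith("@" + body["domain"].lower())
    if kind == "group":
        return body["id"] in ctx.get("groups", ())
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    if kind == "ip":
        addr = ctx.get("ip")
        return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "device_posture":
        return body["integration_uid"] in ctx.get("passed_posture", ())
    if kind == "any_valid_service_token":
        return bool(ctx.get("service_token_valid"))
    if kind == "user_risk_score":
        return ctx.get("risk_level") == body["level"]
    raise ValueError(f"unsupported rule type: {kind}")

def policy_matches(policy, ctx):
    """include = OR, require = AND, exclude = NOT, as the field descriptions state."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False          # no include rule hit: an empty include list never matches
    if not all(rule_matches(r, ctx) for r in policy.get("require", [])):
        return False          # every require rule must hold (vacuously true if empty)
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False          # a single exclude hit removes the user from the policy
    return True

def evaluate(policies, ctx):
    """Return (decision, policy name) for the first match in precedence order.

    Unique precedence per app is stated on the page. Walking policies in that
    order, stopping at the first match, and denying when nothing matches are the
    fail-closed semantics assumed by this example."""
    precedences = [p["precedence"] for p in policies]
    if len(set(precedences)) != len(precedences):
        raise ValueError("policy precedence must be unique within an application")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"], policy["name"]
    return "deny", None

# Constructed request contexts.
STAFF_LAPTOP = {"email": "alice@example.com", "country": "US", "ip": "198.51.100.7",
                "passed_posture": {"disk-encryption"}, "risk_level": "low"}
STAFF_FROM_BLOCKED_RANGE = dict(STAFF_LAPTOP, ip="203.0.113.9")
STAFF_HIGH_RISK = dict(STAFF_LAPTOP, risk_level="high")
PIPELINE = {"service_token_valid": True}

if __name__ == "__main__":
    for name, ctx in (("staff laptop", STAFF_LAPTOP), ("blocked range", STAFF_FROM_BLOCKED_RANGE),
                      ("high risk", STAFF_HIGH_RISK), ("pipeline", PIPELINE)):
        print(f"{name:14} -> {evaluate(POLICIES, ctx)}")
```

Two points worth noticing when reading the output: a policy with an empty `include` list can never match, whereas an empty `require` list is vacuously satisfied, and the lowest-precedence block policy fires before the allow policy even though the same user would have matched both.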
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `BrowserVNCApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in AI Controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in AI Controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Requires that a device posture check has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user against custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Requires that a device posture check has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user against custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Requires that a device posture check has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user against custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value is interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`. The header value carries the client secret, so treat it as a credential: send it only over TLS and keep it out of request logs.
    - `same_site_cookie_attribute: optional string` Sets the SameSite attribute on the Access authorization cookie, which provides increased protection against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (or schemes) Access uses when making SCIM requests to this application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
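A pre-flight lint for an application payload, added here as an example and not Cloudflare's own code or validation logic. It encodes the constraints the field descriptions above state: the Go-style duration grammar of `session_duration` and `oauth_configuration.grant.*`, the minutes-or-hours grammar and 720h ceiling of `mfa_config.session_duration`, `auto_redirect_to_identity` needing exactly one entry in `allowed_idps`, `options_preflight_bypass` being incompatible with `cors_headers`, `self_hosted_domains` being ignored when `destinations` is set, the shape of each destination type (a bare IP in `cidr` is accepted as a /32, `l4_protocol` is `tcp` or `udp`, `port_range` is a port or a range), and the infrastructure-only restrictions (no `session_duration`, Allow-only policies). The two payloads are constructed; the requirement that a private destination carry a `cidr` or a `hostname` is an assumption not stated on the page.

```python
import ipaddress
import re

# Go-style duration used by session_duration and oauth_configuration.grant.*:
# decimal numbers with optional fraction and a unit (ns, us/µs, ms, s, m, h),
# run together as in "300ms" or "2h45m".
_GO_DURATION = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|μs|ms|s|m|h))+$")
# mfa_config.session_duration only takes whole minutes or hours, 0m..720h.
_MFA_DURATION = re.compile(r"^(\d+)([mh])$")
_MAX_MFA_MINUTES = 720 * 60

def check_go_duration(value, field):
    ok = bool(_GO_DURATION.match(value))
    return [] if ok else [f"{field}: {value!r} is not a duration like 300ms or 2h45m"]

def check_mfa_duration(value):
    m = _MFA_DURATION.match(value)
    if not m:
        return [f"mfa_config.session_duration: {value!r} must use minutes (m) or hours (h)"]
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return [] if minutes <= _MAX_MFA_MINUTES else [
        f"mfa_config.session_duration: {value!r} exceeds the 720h maximum"]

def check_destination(i, d):
    errs, where, t = [], f"destinations[{i}]", d.get("type")
    if t == "public":
        if not d.get("uri"):
            errs.append(f"{where}: public destination needs a uri")
    elif t == "private":
        if not d.get("cidr") and not d.get("hostname"):  # assumption, not stated on the page
            errs.append(f"{where}: private destination needs a cidr or hostname")
        if d.get("cidr"):
            try:  # a bare IP is accepted; the page says it is treated as a /32
                ipaddress.ip_network(d["cidr"], strict=False)
            except ValueError:
                errs.append(f"{where}: cidr {d['cidr']!r} is not a valid IP or CIDR")
        if "l4_protocol" in d and d["l4_protocol"] not in ("tcp", "udp"):
            errs.append(f"{where}: l4_protocol must be tcp or udp")
        if "port_range" in d:
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", d["port_range"])
            lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
            if not 1 <= lo <= hi <= 65535:
                errs.append(f"{where}: port_range {d['port_range']!r} must be a port or low-high")
    elif t == "via_mcp_server_portal":
        if not d.get("mcp_server_id"):
            errs.append(f"{where}: via_mcp_server_portal destination needs an mcp_server_id")
    else:
        errs.append(f"{where}: unknown destination type {t!r}")
    return errs

def check_application(app):
    """Return the problems found in an Access application payload (empty list = clean)."""
    errs = []
    if "session_duration" in app:
        errs += check_go_duration(app["session_duration"], "session_duration")
    grant = app.get("oauth_configuration", {}).get("grant", {})
    for f in ("access_token_lifetime", "session_duration"):
        if f in grant:
            errs += check_go_duration(grant[f], f"oauth_configuration.grant.{f}")
    if "session_duration" in app.get("mfa_config", {}):
        errs += check_mfa_duration(app["mfa_config"]["session_duration"])
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps", [])) != 1:
        errs.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")
    if app.get("options_preflight_bypass") and app.get("cors_headers"):
        errs.append("options_preflight_bypass cannot be enabled when cors_headers is set")
    if app.get("destinations") and app.get("self_hosted_domains"):
        errs.append("self_hosted_domains is ignored because destinations is set")
    for i, d in enumerate(app.get("destinations", [])):
        errs += check_destination(i, d)
    if app.get("type") == "infrastructure":
        if "session_duration" in app:
            errs.append("session_duration is unsupported for infrastructure applications")
        errs += [f"policy {p.get('name')!r}: infrastructure policies can only use allow"
                 for p in app.get("policies", []) if p.get("decision") != "allow"]
    return errs

# Constructed payloads: one clean, one that trips every check above.
CLEAN_APP = {
    "type": "self_hosted", "session_duration": "24h",
    "mfa_config": {"session_duration": "12h"},
    "auto_redirect_to_identity": True, "allowed_idps": ["idp-1"],
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m"}},
    "destinations": [{"type": "public", "uri": "app.example.com/admin/*"},
                     {"type": "private", "cidr": "10.20.0.5", "l4_protocol": "tcp", "port_range": "443"}],
}
BROKEN_APP = {
    "type": "infrastructure", "session_duration": "24 hours",
    "mfa_config": {"session_duration": "800h"},
    "auto_redirect_to_identity": True, "allowed_idps": [],
    "options_preflight_bypass": True, "cors_headers": {"allow_all_origins": True},
    "self_hosted_domains": ["legacy.example.com"],
    "destinations": [{"type": "private", "cidr": "10.0.0.0/33", "l4_protocol": "icmp", "port_range": "80-70"},
                     {"type": "public"}],
    "policies": [{"name": "ops", "decision": "deny"}],
}
```

Run `check_application(payload)` before the `POST`/`PUT`; the two duration grammars are the most common source of a rejected payload, because `mfa_config.session_duration` accepts only whole `m`/`h` values while the token durations accept the full Go unit set.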
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `AppLauncherApplication { type, id, allowed_idps, 15 more }`
    - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in `allowed_idps`.
    - `bg_color: optional string` The background color of the App Launcher page.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
      - `name: string` The hypertext of the footer link.
      - `url: string` The URL of the footer link.
    - `header_bg_color: optional string` The background color of the App Launcher header.
    - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
      - `button_color: optional string` The background color of the log in button on the landing page.
      - `button_text_color: optional string` The color of the text in the log in button on the landing page.
      - `image_url: optional string` The URL of the image shown on the landing page.
      - `message: optional string` The message shown on the landing page.
      - `title: optional string` The title shown on the landing page.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Requires that a device posture check has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user against custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. 
- `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page. - `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. 
- `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. 
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. 
- `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. 
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. 
    - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be enabled for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication { id, app_launcher_visible, aud, 6 more }`
  - `id: optional string` UUID.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `domain: optional string` The URL or domain of the bookmark.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be enabled for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `InfrastructureApplication { target_criteria, type, id, 3 more }`
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `aud: optional string` Audience tag.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, connection_rules, created_at, 6 more }`
    - `id: optional string` The UUID of the policy.
    - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
      - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `name: optional string` The name of the Access policy.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
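The policy objects above all share the same decision shape: `include` is an OR over its rules, `require` is an AND, `exclude` is a NOT, and `precedence` orders policies within an application. The following evaluator is an added example written for this page, not Cloudflare's own code: it models that logic for a handful of rule types over a constructed user context, walks policies in precedence order with first match winning (an assumption about how `precedence` is applied), and applies an infrastructure policy's `connection_rules.ssh` username check. Only the rule type keys (`email`, `email_domain`, `group`, `geo`, `ip`, `device_posture`, `service_token`, `any_valid_service_token`, `login_method`, `everyone`) come from the schema; the inner field names, the `Identity` attributes, the decision strings and the reading of "email alias" as the local part of the address are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Identity:
    """Constructed user context for the evaluator (illustrative field names,
    not the identity payload Access itself uses)."""
    email: str
    groups: set = field(default_factory=set)          # Access group IDs
    country: str = ""                                  # ISO 3166-1 alpha-2
    ip: str = "0.0.0.0"
    device_posture: set = field(default_factory=set)   # posture check IDs that passed
    service_token_id: Optional[str] = None
    login_method: Optional[str] = None                 # identity provider ID


def rule_matches(rule: dict, who: Identity) -> bool:
    """Evaluate one AccessRule: an object with a single key naming the rule type.
    The inner field names are assumptions; unknown types raise rather than
    silently matching (fail closed)."""
    (kind, spec), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return who.email.lower() == spec["email"].lower()
    if kind == "email_domain":
        return who.email.lower().rsplit("@", 1)[-1] == spec["domain"].lower()
    if kind == "group":
        return spec["id"] in who.groups
    if kind == "geo":
        return who.country == spec["country_code"]
    if kind == "ip":
        return ipaddress.ip_address(who.ip) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "device_posture":
        return spec["integration_uid"] in who.device_posture
    if kind == "service_token":
        return who.service_token_id == spec["token_id"]
    if kind == "any_valid_service_token":
        return who.service_token_id is not None
    if kind == "login_method":
        return who.login_method == spec["id"]
    raise ValueError(f"unsupported rule type: {kind}")


def policy_matches(policy: dict, who: Identity) -> bool:
    """include = OR (at least one), require = AND (all), exclude = NOT (none).
    A policy with no include rules matches nobody."""
    if not any(rule_matches(r, who) for r in policy.get("include", [])):
        return False
    if not all(rule_matches(r, who) for r in policy.get("require", [])):
        return False
    if any(rule_matches(r, who) for r in policy.get("exclude", [])):
        return False
    return True


def decide(policies: list, who: Identity) -> Optional[str]:
    """Evaluate policies in `precedence` order; the first match supplies the
    `decision` (assumed semantics). None means nothing matched, which a
    deny-by-default enforcement point treats as a denial."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy["decision"]
    return None


def ssh_username_allowed(policy: dict, who: Identity, username: str) -> bool:
    """connection_rules.ssh for infrastructure policies: the explicit username
    list, plus the user's email alias (assumed to be the local part of the
    email) when allow_email_alias is set."""
    ssh = policy.get("connection_rules", {}).get("ssh", {})
    if username in ssh.get("usernames", []):
        return True
    alias = who.email.split("@", 1)[0]
    return bool(ssh.get("allow_email_alias")) and username == alias


# Constructed sample policies (not from the page): a deny that sorts first,
# then an allow that also needs device posture and a corporate IP range.
SAMPLE_POLICIES = [
    {"name": "deny contractors", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}]},
    {"name": "engineers on healthy devices", "precedence": 2, "decision": "allow",
     "include": [{"group": {"id": "grp-eng"}}, {"email": {"email": "oncall@example.com"}}],
     "require": [{"device_posture": {"integration_uid": "posture-disk-encryption"}},
                 {"ip": {"ip": "10.0.0.0/8"}}],
     "exclude": [{"geo": {"country_code": "KP"}}],
     "connection_rules": {"ssh": {"usernames": ["deploy"], "allow_email_alias": True}}},
]

if __name__ == "__main__":
    alice = Identity("alice@example.com", {"grp-eng"}, "US", "10.1.2.3",
                     {"posture-disk-encryption"})
    print(decide(SAMPLE_POLICIES, alice), ssh_username_allowed(SAMPLE_POLICIES[1], alice, "alice"))
```

The ordering matters: a contractor who is also in `grp-eng` hits the deny at precedence 1 before the allow is ever considered, and an engineer whose posture check has not run fails the AND in `require` even though `include` matched.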
- `updated_at: optional string` - `BrowserRDPApplication { domain, target_criteria, type, 31 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: array of { port, protocol, target_attributes }` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
- `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. 
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers.
    The header value will be interpreted as a JSON object similar to:

    ```json
    {
      "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
    }
    ```

  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway.
    The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure.
      Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application.
    Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
      'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. 
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme used when making SCIM requests to this application; one of the variants below.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }`
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme used when making SCIM requests to this application; one of the variants below.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "domain": "test.example.com/admin",
      "type": "self_hosted",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "allow_authenticate_via_warp": true,
      "allow_iframe": true,
      "allowed_idps": [
        "699d98642c564d2e855e9661899b7252"
      ],
      "app_launcher_visible": true,
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "auto_redirect_to_identity": true,
      "cors_headers": {
        "allow_all_headers": true,
        "allow_all_methods": true,
        "allow_all_origins": true,
        "allow_credentials": true,
        "allowed_headers": [
          "string"
        ],
        "allowed_methods": [
          "GET"
        ],
        "allowed_origins": [
          "https://example.com"
        ],
        "max_age": -1
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "custom_deny_message": "custom_deny_message",
      "custom_deny_url": "custom_deny_url",
      "custom_non_identity_deny_url": "custom_non_identity_deny_url",
      "custom_pages": [
        "699d98642c564d2e855e9661899b7252"
      ],
      "destinations": [
        {
          "type": "public",
          "uri": "test.example.com/admin"
        },
        {
          "type": "public",
          "uri": "test.anotherexample.com/staff"
        },
        {
          "cidr": "10.5.0.0/24",
          "hostname": "hostname",
          "l4_protocol": "tcp",
          "port_range": "80-90",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "cidr": "10.5.0.3/32",
          "hostname": "hostname",
          "l4_protocol": "tcp",
          "port_range": "80",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "cidr": "cidr",
          "hostname": "private-sni.example.com",
          "l4_protocol": "tcp",
          "port_range": "port_range",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "mcp_server_id": "mcp-server-1",
          "type": "via_mcp_server_portal"
        }
      ],
      "enable_binding_cookie": true,
      "http_only_cookie_attribute": true,
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "mfa_config": {
        "allowed_authenticators": [
          "totp",
          "biometrics",
          "security_key"
        ],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Admin Site",
      "oauth_configuration": {
        "dynamic_client_registration": {
          "allow_any_on_localhost": true,
          "allow_any_on_loopback": true,
          "allowed_uris": [
            "https://example.com/callback"
          ],
          "enabled": true
        },
        "enabled": true,
        "grant": {
          "access_token_lifetime": "5m",
          "session_duration": "24h"
        }
      },
      "options_preflight_bypass": true,
      "path_cookie_attribute": true,
      "policies": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "approval_groups": [
            {
              "approvals_needed": 1,
              "email_addresses": [
                "test1@cloudflare.com",
                "test2@cloudflare.com"
              ],
              "email_list_uuid": "email_list_uuid"
            },
            {
              "approvals_needed": 3,
              "email_addresses": [
                "test@cloudflare.com",
                "test2@cloudflare.com"
              ],
              "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
            }
          ],
          "approval_required": true,
          "connection_rules": {
            "rdp": {
              "allowed_clipboard_local_to_remote_formats": [
                "text"
              ],
              "allowed_clipboard_remote_to_local_formats": [
                "text"
              ]
            }
          },
          "created_at": "2014-01-01T05:20:00.12345Z",
          "decision": "allow",
          "exclude": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "include": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "isolation_required": false,
          "mfa_config": {
            "allowed_authenticators": [
              "totp",
              "biometrics",
              "security_key"
            ],
            "mfa_disabled": false,
            "session_duration": "24h"
          },
          "name": "Allow devs",
          "precedence": 0,
          "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
          "purpose_justification_required": true,
          "require": [
            {
              "group": {
                "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
              }
            }
          ],
          "session_duration": "24h",
          "updated_at": "2014-01-01T05:20:00.12345Z"
        }
      ],
      "read_service_tokens_from_header": "Authorization",
      "same_site_cookie_attribute": "strict",
      "scim_config": {
        "idp_uid": "idp_uid",
        "remote_uri": "remote_uri",
        "authentication": {
          "password": "password",
          "scheme": "httpbasic",
          "user": "user"
        },
        "deactivate_on_delete": true,
        "enabled": true,
        "mappings": [
          {
            "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
            "enabled": true,
            "filter": "title pr or userType eq \"Intern\"",
            "operations": {
              "create": true,
              "delete": true,
              "update": true
            },
            "strictness": "strict",
            "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
          }
        ]
      },
      "self_hosted_domains": [
        "test.example.com/admin",
        "test.anotherexample.com/staff"
      ],
      "service_auth_401_redirect": true,
      "session_duration": "24h",
      "skip_interstitial": true,
      "tags": [
        "engineers"
      ],
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "use_clientless_isolation_app_launcher_url": false
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access application

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Fetches information about an Access application.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more`
  - `SelfHostedApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
          - `group: { id }`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `any_valid_service_token: { }` An empty object which matches on all service tokens.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: { id, ac_id, identity_provider_id }`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `auth_method: { auth_method }`
            - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: { id, identity_provider_id }`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
          - `certificate: { }`
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `common_name: { common_name }`
            - `common_name: string` The common name to match.
        - `CountryRule { geo }` Matches a specific country.
          - `geo: { country_code }`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `device_posture: { integration_uid }`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule { email_domain }` Matches an entire email domain.
          - `email_domain: { domain }`
            - `domain: string` The email domain to match.
        - `EmailListRule { email_list }` Matches an email address from a list.
          - `email_list: { id }`
            - `id: string` The ID of a previously created email list.
        - `EmailRule { email }` Matches a specific email.
          - `email: { email }`
            - `email: string` The email of the user.
        - `EveryoneRule { everyone }` Matches everyone.
          - `everyone: { }` An empty object which matches on all users.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: { evaluate_url, keys_url }`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": { identity_provider_id, name, team }`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team: optional string` The name of the team.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: { email, identity_provider_id }`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
          - `login_method: { id }`
            - `id: string` The ID of an identity provider.
        - `IPListRule { ip_list }` Matches an IP address from a list.
          - `ip_list: { id }`
            - `id: string` The ID of a previously created IP list.
        - `IPRule { ip }` Matches an IP address block.
          - `ip: { ip }`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `okta: { identity_provider_id, name }`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `saml: { attribute_name, attribute_value, identity_provider_id }`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: { claim_name, claim_value, identity_provider_id }`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `service_token: { token_id }`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: { app_uid }`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
          - `user_risk_score: { user_risk_score }`
            - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (one of the following) used when making SCIM requests to this application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
          - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. 
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method (AMR value) used to log in, which lets a policy require a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Matches when the specified device posture check has passed. - `DomainRule { email_domain }` Matches an entire email domain.
- `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource.
This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method (AMR value) used to log in, which lets a policy require a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Matches when the specified device posture check has passed. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization.
Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp` - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }` - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset. - `"saml"` - `"oidc"` - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }` - `friendly_name: optional string` The SAML FriendlyName of the attribute. - `name: optional string` The name of the attribute.
- `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` The SAML NameFormat of the attribute, which tells the service provider how to interpret `name`. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: optional boolean` If the attribute is required when building a SAML assertion. - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP attribute. - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name. - `idp_id: optional string` The UID of the IdP. - `source_name: optional string` The name of the IdP-provided attribute. - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id: optional string` The unique identifier for your SaaS application. - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate.
The output of this expression must be a JSON object. - `sp_entity_id: optional string` A globally unique name for an identity or service provider. - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }` - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: optional boolean` When `true`, the token endpoint does not require a client secret for the authorization_code_with_pkce grant (public clients); when `false`, the client secret is still required. - `app_launcher_url: optional string` The URL where this application's tile redirects users. - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: optional string` The application client ID. - `client_secret: optional string` The application client secret, only returned on POST requests. - `custom_claims: optional array of { name, required, scope, source }` - `name: optional string` The name of the claim. - `required: optional boolean` If the claim is required when building an OIDC token. - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP claim. - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
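The duration fields on this page use three different grammars: the Go-style `300ms` / `2h45m` format for a policy's `session_duration` (and for the OAuth `grant` fields), whole minutes or hours bounded to 0m..720h for `mfa_config.session_duration`, and whole minutes or hours with the stated bounds for `access_token_lifetime` (days are also allowed for `refresh_token_options.lifetime`, which must exceed 1m). The following Python is an editorial example, not Cloudflare's code: it validates an application payload against those rules before it is submitted. The payload shape, the `check_*` and `validate_durations` names, and the rule that a policy `session_duration` must be positive are the editor's assumptions.

```python
import re

# Unit table for the Go-style grammar ("300ms", "2h45m"): unit -> nanoseconds.
_GO_UNITS = {"ns": 1, "us": 1_000, "\u00b5s": 1_000, "\u03bcs": 1_000, "ms": 1_000_000,
             "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_GO_TOKEN = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)")
# Restricted "<integer><unit>" grammar used by the MFA and OIDC lifetime fields.
_SIMPLE = re.compile(r"^(\d+)([mhd])$")
_SIMPLE_SECONDS = {"m": 60, "h": 3600, "d": 86400}


def parse_go_duration(text: str) -> int:
    """Parse a Go-style duration into nanoseconds: optional sign, then one or more
    <number><unit> groups with no whitespace; a bare '0' is the only unit-less value."""
    s = text.strip()
    sign = 1
    if s[:1] in ("+", "-"):
        sign = -1 if s[0] == "-" else 1
        s = s[1:]
    if s == "0":
        return 0
    if not s:
        raise ValueError(f"invalid duration {text!r}")
    pos, total = 0, 0
    while pos < len(s):
        m = _GO_TOKEN.match(s, pos)
        if not m:
            raise ValueError(f"invalid duration {text!r}")
        num, unit = m.group(1), _GO_UNITS[m.group(2)]
        total += int(num) * unit if num.isdigit() else int(float(num) * unit)
        pos = m.end()
    return sign * total


def parse_simple_duration(text: str, units: str) -> int:
    """Parse '<integer><unit>' allowing only the given unit letters; returns seconds."""
    m = _SIMPLE.match(text.strip())
    if not m or m.group(2) not in units:
        raise ValueError(f"{text!r} must be an integer followed by one of: {', '.join(units)}")
    return int(m.group(1)) * _SIMPLE_SECONDS[m.group(2)]


# One check per grammar stated on this page; each returns True when the value is acceptable.
def check_token_session_duration(text: str) -> bool:   # policy session_duration (Go style)
    return parse_go_duration(text) > 0                   # positive-only is the editor's assumption

def check_mfa_session_duration(text: str) -> bool:     # mfa_config.session_duration: m/h, 0m..720h
    return 0 <= parse_simple_duration(text, "mh") <= 720 * 3600

def check_access_token_lifetime(text: str) -> bool:    # saas_app.access_token_lifetime: m/h, 1m..24h
    return 60 <= parse_simple_duration(text, "mh") <= 24 * 3600

def check_refresh_token_lifetime(text: str) -> bool:   # refresh_token_options.lifetime: m/h/d, > 1m
    return parse_simple_duration(text, "mhd") > 60


def validate_durations(app: dict) -> list:
    """Walk a payload shaped like this schema and report every duration field that
    fails its grammar or range, as 'path: reason' strings (empty list means clean)."""
    problems = []

    def run(path, value, check):
        if value is None:
            return
        try:
            if not check(value):
                problems.append(f"{path}: {value!r} is outside the permitted range")
        except ValueError as exc:
            problems.append(f"{path}: {exc}")

    saas = app.get("saas_app") or {}
    run("saas_app.access_token_lifetime", saas.get("access_token_lifetime"), check_access_token_lifetime)
    run("saas_app.refresh_token_options.lifetime",
        (saas.get("refresh_token_options") or {}).get("lifetime"), check_refresh_token_lifetime)
    for i, pol in enumerate(app.get("policies") or []):
        run(f"policies[{i}].session_duration", pol.get("session_duration"), check_token_session_duration)
        run(f"policies[{i}].mfa_config.session_duration",
            (pol.get("mfa_config") or {}).get("session_duration"), check_mfa_session_duration)
    return problems


# Constructed payload (not from the page): one clean policy, one with two bad values,
# and a refresh-token lifetime of exactly 1m, which the page says is too short.
SAMPLE_APP = {
    "name": "example-saas",
    "policies": [
        {"name": "engineers", "precedence": 1, "session_duration": "2h45m",
         "mfa_config": {"session_duration": "24h"}},
        {"name": "contractors", "precedence": 2, "session_duration": "90 minutes",
         "mfa_config": {"session_duration": "1000h"}},
    ],
    "saas_app": {"auth_type": "oidc", "access_token_lifetime": "30m",
                 "refresh_token_options": {"lifetime": "1m"}},
}

if __name__ == "__main__":
    for problem in validate_durations(SAMPLE_APP):
        print(problem)
```

Running it on `SAMPLE_APP` reports three problems: the 1m refresh lifetime, the unparseable `90 minutes`, and the 1000h MFA session. Catching these client-side matters because the API rejects the whole PUT, and a policy with a rejected `session_duration` silently keeps its previous value.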
- `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: optional string` A regex to filter the Cloudflare groups returned in the ID token and at the userinfo endpoint. - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }` - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint. - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `redirect_uris: optional array of string` The permitted URLs to which Cloudflare may return Authorization codes and Access/ID tokens. - `refresh_token_options: optional { lifetime }` - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API.
- `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme, or list of schemes, that Access uses when making SCIM requests to the application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
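To make the mapping semantics concrete, here is an added Python example (the editor's, not Cloudflare's code) that applies one `SCIMConfigMapping` to a SCIM user resource: it checks `schema`, `enabled`, `operations` and `filter`, then prunes the resource according to `strictness`. The filter evaluator covers a subset of the RFC 7644 grammar (comparison operators joined by `and` / `or`, with `and` binding tighter, but no parentheses, `not`, or `emails[type eq "work"]` value paths); `transform_jsonata` is not executed because no JSONata runtime is assumed. The defaults (operations apply unless set to false, strictness defaults to strict), the sample resource, the outbound attribute list and the function names are assumptions.

```python
import json
import re

# One filter term: <attrPath> <op> [<value>], where value is a JSON literal.
_TERM = re.compile(r'^\s*([A-Za-z][\w.:/-]*)\s+(eq|ne|co|sw|ew|pr|gt|ge|lt|le)(?:\s+(.+?))?\s*$', re.I)
# Split on ' and ' / ' or ' only when an even number of quotes follows, i.e. outside a string literal.
_SPLIT = re.compile(r'\s+(and|or)\s+(?=(?:[^"]*"[^"]*")*[^"]*$)', re.I)


def _lookup(resource, path):
    """Resolve a dotted attribute path; SCIM attribute names are case-insensitive."""
    cur = resource
    for part in path.split("."):
        if not isinstance(cur, dict):
            return None
        key = next((k for k in cur if k.lower() == part.lower()), None)
        if key is None:
            return None
        cur = cur[key]
    return cur


def _eval_term(resource, term):
    m = _TERM.match(term)
    if not m:
        raise ValueError(f"unsupported filter term: {term!r}")
    path, op, raw = m.group(1), m.group(2).lower(), m.group(3)
    actual = _lookup(resource, path)
    if op == "pr":
        return actual is not None
    if raw is None:
        raise ValueError(f"operator {op} needs a value: {term!r}")
    expected = json.loads(raw)
    if op in ("eq", "ne"):
        if isinstance(actual, str) and isinstance(expected, str):
            equal = actual.lower() == expected.lower()   # non-caseExact string compare
        else:
            equal = actual == expected
        return equal if op == "eq" else not equal
    if op in ("co", "sw", "ew"):
        if not isinstance(actual, str) or not isinstance(expected, str):
            return False
        a, e = actual.lower(), expected.lower()
        return {"co": e in a, "sw": a.startswith(e), "ew": a.endswith(e)}[op]
    if actual is None:
        return False
    return {"gt": actual > expected, "ge": actual >= expected,
            "lt": actual < expected, "le": actual <= expected}[op]


def scim_filter_matches(resource: dict, expr: str) -> bool:
    """Evaluate a filter as an OR of AND-groups ('and' binds tighter than 'or')."""
    parts = _SPLIT.split(expr.strip())
    terms, ops = parts[0::2], parts[1::2]
    groups = [[terms[0]]]
    for op, term in zip(ops, terms[1:]):
        if op.lower() == "or":
            groups.append([])
        groups[-1].append(term)
    return any(all(_eval_term(resource, t) for t in g) for g in groups)


def apply_strictness(resource: dict, schema_attrs, strictness: str) -> dict:
    """'strict' drops attributes the outbound schema does not know; 'passthrough' keeps them."""
    if strictness == "passthrough":
        return dict(resource)
    known = {a.lower() for a in schema_attrs} | {"schemas"}
    return {k: v for k, v in resource.items() if k.lower() in known}


def apply_mapping(mapping: dict, resource: dict, operation: str, schema_attrs) -> dict:
    """Return the resource to provision for this operation, or None when the mapping
    does not apply (disabled, wrong schema, operation switched off, filter not matched)."""
    if not mapping.get("enabled", True):
        return None
    if mapping["schema"] not in resource.get("schemas", []):
        return None
    if not (mapping.get("operations") or {}).get(operation, True):
        return None
    if mapping.get("filter") and not scim_filter_matches(resource, mapping["filter"]):
        return None
    return apply_strictness(resource, schema_attrs, mapping.get("strictness", "strict"))


# Constructed SCIM user and mapping (not from the page).
CORE_USER_ATTRS = ["id", "externalId", "userName", "active", "name", "displayName", "emails", "title"]
USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "alice@example.com",
    "active": True,
    "name": {"givenName": "Alice", "familyName": "Liddell"},
    "title": "Engineer",
    "x-internal-costcenter": "cc-42",      # not in the outbound schema; strict mode drops it
}
MAPPING = {
    "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
    "enabled": True,
    "filter": 'active eq true and userName ew "@example.com" or title eq "Contractor"',
    "operations": {"create": True, "update": True, "delete": False},
    "strictness": "strict",
}
```

With `operations.delete` off, a deprovisioning event produces no outbound request at all, so pair it with `deactivate_on_delete` only if the target handles `active: false` updates; and the strict/passthrough choice decides whether internal attributes like the cost-center field above ever leave your tenant.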
- `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `BrowserSSHApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. 
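As an added illustration of the `destinations` matching rules above (the editor's example, not Cloudflare's code), the following Python decides whether a public HTTP request or a private network flow is covered by an application's destination list. It treats a `PublicDestination` URI as `hostname[/path]` with `*` matching any run of characters, and a `PrivateDestination` as a conjunction of whichever of `cidr`, `hostname`, `port_range`, `l4_protocol` and `vnet_id` are present, with omitted fields matching anything, as the field descriptions state. The flow dictionaries, the function names and the simplified wildcard semantics are assumptions; the authoritative wildcard rules are on the app-paths page linked above.

```python
import ipaddress
import re


def _glob_to_regex(glob: str):
    """'*' stands for any run of characters (simplification of the documented wildcard rules)."""
    return re.compile("^" + ".*".join(re.escape(part) for part in glob.split("*")) + "$")


def public_destination_matches(dest: dict, host: str, path: str = "/") -> bool:
    """PublicDestination: uri is '<hostname>[/<path>]'; a uri without a path secures every path."""
    pat_host, _, pat_path = dest["uri"].partition("/")
    if not _glob_to_regex(pat_host.lower()).match(host.lower()):
        return False
    if not pat_path:
        return True
    return _glob_to_regex("/" + pat_path).match(path) is not None


def _port_in_range(spec, port: int) -> bool:
    """port_range is a single port ('22') or a range ('5432-5433'); omitted means all ports."""
    if not spec:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def private_destination_matches(dest: dict, ip: str, port: int, l4: str,
                                sni: str = None, vnet_id: str = None) -> bool:
    """PrivateDestination: every field that is present must match; omitted fields match anything."""
    if dest.get("l4_protocol") and dest["l4_protocol"] != l4:
        return False
    if not _port_in_range(dest.get("port_range"), port):
        return False
    if dest.get("vnet_id") and dest["vnet_id"] != vnet_id:
        return False
    if dest.get("cidr"):
        # ip_network() treats a bare address as a single-host network, matching the page's /32 note
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(dest["cidr"], strict=False):
            return False
    if dest.get("hostname"):
        # The page says hostname matches a valid SNI served by an HTTPS origin, so compare the SNI
        if sni is None or sni.lower() != dest["hostname"].lower():
            return False
    return True


def is_secured(destinations: list, flow: dict) -> bool:
    """True when any destination covers the flow. A flow is a constructed dict, either
    {'type': 'public', 'host', 'path'} or {'type': 'private', 'ip', 'port', 'l4', 'sni', 'vnet_id'}."""
    for dest in destinations:
        kind = dest.get("type", "public")
        if kind == "public" and flow["type"] == "public":
            if public_destination_matches(dest, flow["host"], flow.get("path", "/")):
                return True
        elif kind == "private" and flow["type"] == "private":
            if private_destination_matches(dest, flow["ip"], flow["port"], flow["l4"],
                                           flow.get("sni"), flow.get("vnet_id")):
                return True
        # via_mcp_server_portal destinations are keyed on an MCP server id, not a network flow; skipped here
    return False


# Constructed destination list (not from the page).
DESTINATIONS = [
    {"type": "public", "uri": "*.internal.example.com"},
    {"type": "public", "uri": "app.example.com/admin/*"},
    {"type": "private", "cidr": "10.0.0.0/24", "port_range": "22", "l4_protocol": "tcp"},
    {"type": "private", "cidr": "10.1.2.3"},                        # single IP, any port, any protocol
    {"type": "private", "hostname": "db.internal", "port_range": "5432-5433", "vnet_id": "vnet-prod"},
]
```

The two things that bite in review are visible here: a private destination with only `cidr` set covers every port and both protocols on those hosts, and a public URI without a path covers the whole hostname, so `app.example.com/admin/*` does not by itself protect `/`.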
- `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server ID configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access.
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method (AMR value) used to log in, which lets a policy require a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Matches when the specified device posture check has passed. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Matches the authentication method (AMR value) used to log in, which lets a policy require a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Matches when the specified device posture check has passed. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method (AMR value) used to log in, which lets a policy require a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name.
    This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard `*` can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
      'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name.
    This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, id, allowed_idps, 15 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
      - `name: string` The hypertext in the footer link.
      - `url: string` The hyperlink in the footer link.
    - `header_bg_color: optional string` The background color of the App Launcher header.
    - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
      - `button_color: optional string` The background color of the login button on the landing page.
      - `button_text_color: optional string` The color of the text in the login button on the landing page.
      - `image_url: optional string` The URL of the image shown on the landing page.
      - `message: optional string` The message shown on the landing page.
      - `title: optional string` The title shown on the landing page.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
  - `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }`
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }`
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: optional string` The name of the application. 
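As an added illustration, not Cloudflare's code and not part of this reference, the following Python models how a policy's `include` (OR), `require` (AND) and `exclude` (NOT) lists combine, how `precedence` orders the policies of one application, and the two static constraints the schema states: `precedence` must be unique within an app, and a `linked_app_token` rule is only compatible with the non_identity and bypass decisions. The inner shape of each rule object (for example `{"email_domain": {"domain": ...}}`), the first-matching-policy semantics and the implicit deny when nothing matches are assumptions of this model; the reference only names the outer rule keys and calls precedence "the order of execution". The policies and request contexts are constructed for the example.

```python
import ipaddress

# Constructed policies in the shape of the `policies` array of an application.
# The inner body of each rule (e.g. {"email_domain": {"domain": ...}}) is an
# assumption of this model; the reference only names the outer key.
POLICIES = [
    {
        "name": "Block sanctioned geographies",
        "precedence": 1,
        "decision": "deny",
        "include": [{"geo": {"country_code": "KP"}}],
    },
    {
        "name": "Staff on healthy devices",
        "precedence": 2,
        "decision": "allow",
        "include": [{"email_domain": {"domain": "example.com"}}],
        # AND: every require rule must hold
        "require": [{"device_posture": {"integration_uid": "posture-disk-encryption"}}],
        # NOT: a single exclude match disqualifies the user from this policy
        "exclude": [{"email": {"email": "contractor@example.com"}}],
    },
    {
        "name": "Build servers",
        "precedence": 3,
        "decision": "allow",
        "include": [{"ip": {"ip": "10.20.0.0/16"}}],
    },
]


def rule_matches(rule, ctx):
    """Evaluate one AccessRule object against a request context dict."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx.get("email") == body["email"]
    if kind == "email_domain":
        return ctx.get("email", "").rpartition("@")[2] == body["domain"]
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    if kind == "ip":
        ip = ctx.get("ip")
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(body["ip"])
    if kind == "device_posture":
        return body["integration_uid"] in ctx.get("passed_posture", ())
    raise NotImplementedError(f"rule type {kind!r} is not modelled in this example")


def policy_matches(policy, ctx):
    """include = OR, require = AND, exclude = NOT, as the schema describes."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False  # an empty include list matches nobody
    if not all(rule_matches(r, ctx) for r in policy.get("require", [])):
        return False  # an empty require list imposes nothing
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return True


def validate_policies(policies):
    """Static checks implied by the schema text: unique precedence per app, and
    linked_app_token rules only under a non_identity or bypass decision."""
    problems, seen = [], set()
    for p in policies:
        if p["precedence"] in seen:
            problems.append(f"duplicate precedence {p['precedence']} in {p['name']!r}")
        seen.add(p["precedence"])
        rules = p.get("include", []) + p.get("require", []) + p.get("exclude", [])
        if any("linked_app_token" in r for r in rules) and p["decision"] not in ("non_identity", "bypass"):
            problems.append(f"{p['name']!r}: linked_app_token requires a non_identity or bypass decision")
    return problems


def evaluate(policies, ctx):
    """Walk the policies in precedence order and return (policy name, decision).
    First match wins and no match means deny: both are assumptions of this
    model, not statements of the reference."""
    for p in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(p, ctx):
            return p["name"], p["decision"]
    return None, "deny"


if __name__ == "__main__":
    ctx = {"email": "alice@example.com", "country": "DE", "ip": "203.0.113.7",
           "passed_posture": {"posture-disk-encryption"}}
    print(validate_policies(POLICIES), evaluate(POLICIES, ctx))
```

Note how the contractor address, although it satisfies the include and require lists of the second policy, falls through to the remaining policies because of the exclude rule, and ends at the implicit deny.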
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication { id, app_launcher_visible, aud, 6 more }`
  - `id: optional string` UUID.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `domain: optional string` The URL or domain of the bookmark.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `InfrastructureApplication { target_criteria, type, id, 3 more }`
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `aud: optional string` Audience tag.
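Two different duration grammars appear in this schema and are easy to confuse: the policy- and application-level `session_duration` uses the Go-style form (`300ms`, `2h45m`; units ns, us or µs, ms, s, m, h), while `mfa_config.session_duration` accepts only whole minutes or hours between 0m and 720h. The following Python is an added example, not Cloudflare's code, that validates the duration fields of an application payload against both grammars before it is sent, and enforces the note that infrastructure applications do not support `session_duration`. It assumes that decimals are accepted in the Go-style form (as Go's `time.ParseDuration` does) and that the `type` value `"infrastructure"` identifies an infrastructure application; the payload is constructed for the example.

```python
import re
from fractions import Fraction

# Go-style units in nanoseconds (the schema lists ns, us/µs, ms, s, m, h).
_NS = {"ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
       "s": 1_000_000_000, "m": 60_000_000_000, "h": 3_600_000_000_000}
_GO_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_MFA = re.compile(r"(\d+)([mh])")
MFA_MAX_MINUTES = 720 * 60  # "Maximum: 720h (30 days)"


def parse_token_duration(text):
    """Parse a `session_duration` such as `300ms` or `2h45m` into integer nanoseconds.
    One or more number+unit groups, nothing else; decimals are accepted as an
    assumption modelled on Go's time.ParseDuration, which the format resembles."""
    if not text:
        raise ValueError("session_duration must not be empty")
    pos, total = 0, Fraction(0)
    for m in _GO_TOKEN.finditer(text):
        if m.start() != pos:
            raise ValueError(f"unexpected text in session_duration {text!r}")
        total += Fraction(m.group(1)) * _NS[m.group(2)]
        pos = m.end()
    if pos != len(text):
        raise ValueError(f"unexpected text in session_duration {text!r}")
    return int(total)


def parse_mfa_session_duration(text):
    """Parse `mfa_config.session_duration` (minutes or hours only, 0m..720h) into minutes."""
    m = _MFA.fullmatch(text or "")
    if not m:
        raise ValueError(f"MFA session_duration {text!r} must be minutes or hours, e.g. 5m or 24h")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > MFA_MAX_MINUTES:
        raise ValueError(f"MFA session_duration {text!r} exceeds the 720h maximum")
    return minutes


def _collect(problems, label, parser, value):
    try:
        parser(value)
    except ValueError as exc:
        problems.append(f"{label}: {exc}")


def check_application_durations(app):
    """Return the problems found in the duration fields of an application payload:
    the app-level and per-policy `session_duration` and each `mfa_config.session_duration`."""
    problems = []
    is_infrastructure = app.get("type") == "infrastructure"  # assumed ApplicationType value
    if "session_duration" in app:
        if is_infrastructure:
            problems.append("session_duration is unsupported for infrastructure applications")
        else:
            _collect(problems, "session_duration", parse_token_duration, app["session_duration"])
    if "session_duration" in app.get("mfa_config", {}):
        _collect(problems, "mfa_config.session_duration",
                 parse_mfa_session_duration, app["mfa_config"]["session_duration"])
    for p in app.get("policies", []):
        where = f"policy {p.get('name', '?')!r}"
        if "session_duration" in p:
            _collect(problems, f"{where} session_duration", parse_token_duration, p["session_duration"])
        if "session_duration" in p.get("mfa_config", {}):
            _collect(problems, f"{where} mfa_config.session_duration",
                     parse_mfa_session_duration, p["mfa_config"]["session_duration"])
    return problems


# Constructed payload: the policy-level MFA duration is given in seconds, which
# the MFA grammar rejects even though the Go-style grammar would accept it.
SAMPLE_APP = {
    "name": "internal-wiki",
    "type": "self_hosted",
    "session_duration": "24h",
    "mfa_config": {"session_duration": "12h"},
    "policies": [
        {"name": "staff", "session_duration": "2h45m", "mfa_config": {"session_duration": "30s"}},
    ],
}

if __name__ == "__main__":
    print(check_application_durations(SAMPLE_APP))
```

Keeping the two parsers separate matters because a value like `30s` or `90m` is a valid token lifetime but only the second is a valid MFA session, and the API would reject the first at request time rather than in your configuration review.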
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, connection_rules, created_at, 6 more }`
    - `id: optional string` The UUID of the policy.
    - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
      - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `name: optional string` The name of the Access policy.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `updated_at: optional string`
- `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iframe.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
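The InfrastructureApplication and BrowserRDPApplication variants above share the `target_criteria` shape and add protocol-specific `connection_rules`. The following Python is an added example (not Cloudflare's code) that checks an application payload against the constraints the schema states: each `target_criteria` entry must use the protocol its application type secures, a port cannot be assigned to multiple protocols, infrastructure policies can only use the Allow decision, and RDP clipboard formats are limited to `"text"`. It also derives the SSH login names a policy grants a given user, treating the local part of the user's email as the "email alias" (an assumption; the reference only says the alias comes from the identity provider). The `type` values `"infrastructure"` and `"rdp"` are assumed, and both payloads are constructed for the example, the RDP one deliberately broken.

```python
from collections import defaultdict

# Protocol each application type may secure. The `type` values "infrastructure"
# and "rdp" are assumptions; the reference shows only the variant names and the
# protocol enums "SSH" and "RDP".
ALLOWED_PROTOCOL = {"infrastructure": "SSH", "rdp": "RDP"}
RDP_CLIPBOARD_KEYS = ("allowed_clipboard_local_to_remote_formats",
                      "allowed_clipboard_remote_to_local_formats")


def check_target_app(app):
    """Return the problems found in the target_criteria and policies of an
    Infrastructure (SSH) or Browser RDP application payload; [] means clean."""
    protocol = ALLOWED_PROTOCOL.get(app.get("type"))
    if protocol is None:
        return [f"unsupported application type {app.get('type')!r}"]
    problems = []
    protocols_by_port = defaultdict(set)
    for i, tc in enumerate(app.get("target_criteria", [])):
        if tc.get("protocol") != protocol:
            problems.append(f"target_criteria[{i}]: protocol must be {protocol!r}")
        port = tc.get("port")
        if isinstance(port, int) and 1 <= port <= 65535:
            protocols_by_port[port].add(str(tc.get("protocol")))
        else:
            problems.append(f"target_criteria[{i}]: invalid port {port!r}")
        attrs = tc.get("target_attributes")
        if not isinstance(attrs, dict) or not all(
                isinstance(v, list) and all(isinstance(s, str) for s in v) for v in attrs.values()):
            problems.append(f"target_criteria[{i}]: target_attributes must map keys to lists of strings")
    # "A port cannot be assigned to multiple protocols."
    for port, protos in sorted(protocols_by_port.items()):
        if len(protos) > 1:
            problems.append(f"port {port} is assigned to multiple protocols: {sorted(protos)}")
    for p in app.get("policies", []):
        name = p.get("name", "?")
        rules = p.get("connection_rules", {})
        if protocol == "SSH":
            # "Infrastructure application policies can only use the Allow action."
            if p.get("decision", "allow") != "allow":
                problems.append(f"policy {name!r}: infrastructure policies can only use the allow decision")
            ssh = rules.get("ssh", {})
            if not ssh.get("usernames") and not ssh.get("allow_email_alias"):
                problems.append(f"policy {name!r}: grants no SSH username")
        else:
            rdp = rules.get("rdp", {})
            for key in RDP_CLIPBOARD_KEYS:
                unsupported = set(rdp.get(key, [])) - {"text"}
                if unsupported:
                    problems.append(f"policy {name!r}: {key} has unsupported formats {sorted(unsupported)}")
    return problems


def ssh_usernames_for(policy, user_email):
    """Unix usernames the policy lets `user_email` log in as, per connection_rules.ssh."""
    ssh = policy.get("connection_rules", {}).get("ssh", {})
    names = list(ssh.get("usernames", []))
    if ssh.get("allow_email_alias"):
        alias = user_email.rpartition("@")[0]  # assumption: the alias is the email local part
        if alias and alias not in names:
            names.append(alias)
    return names


# Constructed payloads. SSH_APP is well formed; RDP_APP mixes protocols on one
# port and asks for a clipboard format the schema does not offer.
SSH_APP = {
    "name": "prod-bastions", "type": "infrastructure",
    "target_criteria": [
        {"port": 22, "protocol": "SSH", "target_attributes": {"hostname": ["bastion-1", "bastion-2"]}},
        {"port": 2222, "protocol": "SSH", "target_attributes": {"env": ["prod"]}},
    ],
    "policies": [{
        "name": "sre", "decision": "allow",
        "include": [{"email_domain": {"domain": "example.com"}}],
        "connection_rules": {"ssh": {"usernames": ["ubuntu"], "allow_email_alias": True}},
    }],
}
RDP_APP = {
    "name": "jump-desktops", "type": "rdp",
    "target_criteria": [
        {"port": 3389, "protocol": "RDP", "target_attributes": {"hostname": ["win-1"]}},
        {"port": 3389, "protocol": "SSH", "target_attributes": {"hostname": ["win-1"]}},
    ],
    "policies": [{
        "name": "helpdesk", "decision": "allow",
        "connection_rules": {"rdp": {"allowed_clipboard_local_to_remote_formats": ["text", "image"]}},
    }],
}

if __name__ == "__main__":
    print(check_target_app(SSH_APP), check_target_app(RDP_APP))
    print(ssh_usernames_for(SSH_APP["policies"][0], "alice@example.com"))
```

`ssh_usernames_for` is the view worth reviewing when `allow_email_alias` is enabled: the set of accounts a user can reach is no longer just the `usernames` list but also whatever local part their identity provider hands Access.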
- `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. 
- `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. 
- `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. 
- `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value is interpreted as a JSON object similar to:

```json
{
  "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
  "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
}
```

- `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme Access uses when making SCIM requests to this application; one of the following. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
- `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. 
The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. 
Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. 
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application; one of the following.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application; one of the following.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
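The policy fields above define three rule lists with different logic (`include` is OR, `require` is AND, `exclude` is NOT), a `precedence` ordering, and two different `session_duration` formats (Go-style `300ms`/`2h45m` at the application level, minutes-or-hours within 0m..720h for `mfa_config`). The following Python model, an added example and not Cloudflare's code, evaluates constructed policies against constructed identities and validates both duration formats. It assumes first-match evaluation, `deny` as the default and as the wire value of a Block policy, and the inner keys of the `email`, `email_domain`, `ip` and `geo` rule objects; only `group: { id }` appears in this reference.

```python
"""Model of Access policy evaluation and session_duration formats from this reference.

Constructed example, not Cloudflare's implementation. From the reference: include = OR,
require = AND, exclude = NOT, policies ordered by `precedence`, the application-level
`300ms` / `2h45m` duration format, and mfa_config.session_duration limited to minutes or
hours within 0m..720h. Assumed: first matching policy decides, "deny" when nothing
matches, and the inner keys of the email, email_domain, ip and geo rule objects.
"""
import ipaddress
import re
from typing import Any

Rule = dict[str, Any]
Identity = dict[str, Any]


def rule_matches(rule: Rule, identity: Identity) -> bool:
    """An AccessRule object carries exactly one key, which names the rule type."""
    (kind, spec), = rule.items()
    if kind == "everyone":                  # EveryoneRule
        return True
    if kind == "group":                     # GroupRule { group: { id } }, as in the JSON example
        return spec["id"] in identity.get("groups", ())
    if kind == "email":                     # EmailRule; inner key "email" is an assumption
        return identity.get("email", "").lower() == spec["email"].lower()
    if kind == "email_domain":              # DomainRule; inner key "domain" is an assumption
        return identity.get("email", "").rpartition("@")[2].lower() == spec["domain"].lower()
    if kind == "ip":                        # IPRule; inner key "ip" is an assumption (host or CIDR)
        ip = identity.get("ip")
        net = ipaddress.ip_network(spec["ip"], strict=False)
        return ip is not None and ipaddress.ip_address(ip) in net
    if kind == "geo":                       # CountryRule; inner key "country_code" is an assumption
        return identity.get("country") == spec["country_code"]
    if kind == "any_valid_service_token":   # AnyValidServiceTokenRule
        return bool(identity.get("service_token_valid"))
    raise ValueError(f"unsupported rule type: {kind}")


def policy_matches(policy: dict, identity: Identity) -> bool:
    """include: any rule (OR); require: every rule (AND); exclude: no rule (NOT)."""
    def hits(key: str) -> list[bool]:
        return [rule_matches(r, identity) for r in policy.get(key, [])]
    return any(hits("include")) and all(hits("require")) and not any(hits("exclude"))


def evaluate(policies: list[dict], identity: Identity) -> str:
    """Walk policies in `precedence` order; the first match decides (assumed), else "deny"."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"]
    return "deny"


_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration(text: str) -> float:
    """Parse the application-level `300ms` / `2h45m` format into seconds; reject anything else."""
    pos, total = 0, 0.0
    for m in _COMPONENT.finditer(text):
        if m.start() != pos:                # stray characters between components
            break
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):        # empty, or trailing junk such as "24" or "2h x"
        raise ValueError(f"malformed duration: {text!r}")
    return total


def is_valid_duration(text: str) -> bool:
    try:
        parse_duration(text)
        return True
    except ValueError:
        return False


def is_valid_mfa_session_duration(text: str) -> bool:
    """mfa_config.session_duration: one minutes (m) or hours (h) value, 0m..720h inclusive."""
    m = re.fullmatch(r"(\d+)(m|h)", text)
    return m is not None and int(m.group(1)) * _UNIT_SECONDS[m.group(2)] <= 720 * 3600


# Constructed sample data; the policy shape follows the `policies` array in this reference.
DEV_GROUP = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
POLICIES = [
    {"name": "Block contractors", "precedence": 1, "decision": "deny",   # "deny" = Block (assumed)
     "include": [{"email_domain": {"domain": "contractor.example"}}]},
    {"name": "Allow devs", "precedence": 2, "decision": "allow",
     "include": [{"group": {"id": DEV_GROUP}}],
     "require": [{"geo": {"country_code": "US"}}, {"ip": {"ip": "203.0.113.0/24"}}],
     "exclude": [{"email": {"email": "alumni@example.com"}}]},
]
DEV_US = {"email": "dev@example.com", "groups": [DEV_GROUP], "country": "US", "ip": "203.0.113.7"}
DEV_ABROAD = dict(DEV_US, country="DE")                      # fails the AND-ed geo requirement
ALUMNI = dict(DEV_US, email="alumni@example.com")            # removed by the exclude rule
CONTRACTOR = dict(DEV_US, email="temp@contractor.example")   # in the dev group, but blocked first

if __name__ == "__main__":
    for label, who in [("dev", DEV_US), ("abroad", DEV_ABROAD), ("alumni", ALUMNI), ("contractor", CONTRACTOR)]:
        print(f"{label:>10}: {evaluate(POLICIES, who)}")
    print(parse_duration("2h45m"), is_valid_mfa_session_duration("24h"))
```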
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": [
        "string"
      ],
      "allowed_methods": [
        "GET"
      ],
      "allowed_origins": [
        "https://example.com"
      ],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "destinations": [
      {
        "type": "public",
        "uri": "test.example.com/admin"
      },
      {
        "type": "public",
        "uri": "test.anotherexample.com/staff"
      },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "mcp_server_id": "mcp-server-1",
        "type": "via_mcp_server_portal"
      }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": [
          "https://example.com/callback"
        ],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": [
              "test1@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": [
              "test@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": [
              "text"
            ],
            "allowed_clipboard_remote_to_local_formats": [
              "text"
            ]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "include": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": [
            "totp",
            "biometrics",
            "security_key"
          ],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [
          {
            "group": {
              "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
            }
          }
        ],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": {
            "create": true,
            "delete": true,
            "update": true
          },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": [
      "engineers"
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Add an Access application

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Adds a new application to Access.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `body: { domain, type, allow_authenticate_via_warp, 28 more } or { allowed_idps, app_launcher_visible, auto_redirect_to_identity, 8 more } or { domain, type, allow_authenticate_via_warp, 28 more } or 10 more` Contains the targets secured by the application.
  - `SelfHostedApplication { domain, type, allow_authenticate_via_warp, 28 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `allow_authenticate_via_warp: optional boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
      - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
        - `id: optional string` The UUID of the policy.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `AccessSchemasUUID = string` The UUID of the policy.
      - `{ id, approval_groups, approval_required, 7 more }`
        - `id: optional string` The UUID of the policy.
        - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
          - `approvals_needed: number` The number of approvals needed to obtain access.
          - `email_addresses: optional array of string` A list of emails that can approve the access request.
          - `email_list_uuid: optional string` The UUID of a reusable email list.
        - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
        - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
          - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
            - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
              - `"text"`
            - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
              - `"text"`
        - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
        - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
          - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
            - `"totp"`
            - `"biometrics"`
            - `"security_key"`
          - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
          - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
        - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
        - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
        - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
          - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure.
      This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication { allowed_idps, app_launcher_visible, auto_redirect_to_identity, 8 more }`
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
      - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
        - `id: optional string` The UUID of the policy.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `AccessSchemasUUID = string` The UUID of the policy.
      - `{ id, approval_groups, approval_required, 7 more }`
        - `id: optional string` The UUID of the policy.
        - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
          - `approvals_needed: number` The number of approvals needed to obtain access.
          - `email_addresses: optional array of string` A list of emails that can approve the access request.
          - `email_list_uuid: optional string` The UUID of a reusable email list.
        - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
        - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
          - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
            - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
              - `"text"`
            - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
              - `"text"`
        - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
          'Client Web Isolation' must be on for the account in order to use this feature.
        - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
          - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
            - `"totp"`
            - `"biometrics"`
            - `"security_key"`
          - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
          - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
        - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
        - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
        - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
      - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
        - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is `"saml"`.
          - `"saml"`
          - `"oidc"`
        - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
        - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
          - `friendly_name: optional string` The SAML FriendlyName of the attribute.
          - `name: optional string` The name of the attribute.
          - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
          - `required: optional boolean` If the attribute is required when building a SAML assertion.
          - `source: optional { name, name_by_idp }`
            - `name: optional string` The name of the IdP attribute.
            - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
              - `idp_id: optional string` The UID of the IdP.
              - `source_name: optional string` The name of the IdP-provided attribute.
        - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
        - `idp_entity_id: optional string` The unique identifier for your SaaS application.
        - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
          - `"id"`
          - `"email"`
        - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
        - `public_key: optional string` The Access public certificate that will be used to verify your identity.
        - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the `saml_attributes` or `oidc_fields` of the identity provider used to authenticate.
          The output of this expression must be a JSON object.
        - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
        - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
      - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
        - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
        - `allow_pkce_without_client_secret: optional boolean` If the client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
        - `app_launcher_url: optional string` The URL where this application's tile redirects users.
        - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
          - `"saml"`
          - `"oidc"`
        - `client_id: optional string` The application client ID.
        - `client_secret: optional string` The application client secret, only returned on POST request.
        - `custom_claims: optional array of { name, required, scope, source }`
          - `name: optional string` The name of the claim.
          - `required: optional boolean` If the claim is required when building an OIDC token.
          - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
            - `"groups"`
            - `"profile"`
            - `"email"`
            - `"openid"`
          - `source: optional { name, name_by_idp }`
            - `name: optional string` The name of the IdP claim.
            - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
        - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
          - `"authorization_code"`
          - `"authorization_code_with_pkce"`
          - `"refresh_tokens"`
          - `"hybrid"`
          - `"implicit"`
        - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
        - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
          - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
          - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
        - `public_key: optional string` The Access public certificate that will be used to verify your identity.
        - `redirect_uris: optional array of string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
        - `refresh_token_options: optional { lifetime }`
          - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
        - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with Access. The `"offline_access"` scope will be automatically enabled if refresh tokens are enabled.
          - `"openid"`
          - `"groups"`
          - `"email"`
          - `"profile"`
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `BrowserSSHApplication { domain, type, allow_authenticate_via_warp, 28 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iframe.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `read_service_tokens_from_header: optional string` Allows matching Access service tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication { domain, type, allow_authenticate_via_warp, 28 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iframe.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `read_service_tokens_from_header: optional string` Allows matching Access service tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. 
Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication { type, allowed_idps, app_launcher_logo_url, 13 more }` - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color: optional string` The background color of the App Launcher page. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the log in button on the landing page.
    - `button_text_color: optional string` The color of the text in the log in button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }`
  - `type: ApplicationType` The application type.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }`
  - `type: ApplicationType` The application type.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }`
  - `type: ApplicationType` The application type.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The proxy endpoint domain, in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication { app_launcher_visible, domain, logo_url, 4 more }`
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `domain: optional string` The URL or domain of the bookmark.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
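The `session_duration` format above (`300ms`, `2h45m`; units ns, us or µs, ms, s, m, h) and the stricter `mfa_config.session_duration` rule (minutes or hours only, at most 720h) recur for every application type in this schema. The following is an added example, not Cloudflare's code: a small validator that lints those fields in an application object before it is sent to the API. The sample application, its policy names and the UUID in it are constructed for the example.

```python
import re
from fractions import Fraction
from typing import Callable, Dict, List, Optional, Tuple

# Units accepted by session_duration, as listed in the schema, in nanoseconds.
UNIT_NS: Dict[str, int] = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,          # the schema accepts "us" or "µs"
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}

# One <number><unit> component; longer unit names come first so "ms" is not read as "m".
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")

# mfa_config.session_duration allows only these units and this ceiling (720h = 30 days).
MFA_UNITS = ("m", "h")
MFA_MAX_NS = 720 * UNIT_NS["h"]


def _components(value: str) -> List[Tuple[Fraction, str]]:
    """Split '2h45m' into [(2, 'h'), (45, 'm')]; every component needs a unit."""
    if not value:
        raise ValueError("duration is empty")
    parts, pos = [], 0
    while pos < len(value):
        match = _COMPONENT.match(value, pos)
        if match is None:
            raise ValueError(f"{value!r} is not <number><unit> components at offset {pos}")
        parts.append((Fraction(match.group(1)), match.group(2)))
        pos = match.end()
    return parts


def parse_session_duration(value: str) -> int:
    """Return the nanoseconds represented by a session_duration such as '300ms' or '2h45m'."""
    total = sum(number * UNIT_NS[unit] for number, unit in _components(value))
    return int(total)  # a sub-nanosecond remainder is truncated


def validate_mfa_session_duration(value: str) -> int:
    """Return nanoseconds for an mfa_config.session_duration, enforcing the m/h-only
    unit rule and the 0m..720h range the schema describes."""
    parts = _components(value)
    bad = [unit for _, unit in parts if unit not in MFA_UNITS]
    if bad:
        raise ValueError(f"{value!r}: MFA durations accept only minutes (m) or hours (h), got {bad}")
    total = int(sum(number * UNIT_NS[unit] for number, unit in parts))
    if total > MFA_MAX_NS:
        raise ValueError(f"{value!r} exceeds the 720h maximum")
    return total


def check_application_durations(app: dict) -> List[str]:
    """Lint every duration field of an Access application object shaped like the
    schema above and return one message per problem (empty list = all valid)."""
    problems: List[str] = []

    def check(path: str, value: Optional[str], validator: Callable[[str], int]) -> None:
        if value is None:
            return
        try:
            validator(value)
        except ValueError as exc:
            problems.append(f"{path}: {exc}")

    check("session_duration", app.get("session_duration"), parse_session_duration)
    for index, policy in enumerate(app.get("policies", [])):
        if not isinstance(policy, dict):
            continue  # a bare string is an AccessSchemasUUID reference; nothing to check
        prefix = f"policies[{index}]"
        check(f"{prefix}.session_duration", policy.get("session_duration"), parse_session_duration)
        mfa = policy.get("mfa_config") or {}
        check(f"{prefix}.mfa_config.session_duration", mfa.get("session_duration"),
              validate_mfa_session_duration)
    return problems


# Constructed sample application (not a real account's configuration).
SAMPLE_APP = {
    "name": "example-app",
    "type": "self_hosted",
    "session_duration": "24h",
    "policies": [
        "7f2c1f5e-0000-4000-8000-000000000001",  # reusable policy referenced by UUID (placeholder)
        {"name": "staff", "decision": "allow", "session_duration": "2h45m",
         "mfa_config": {"session_duration": "800h"}},       # exceeds the 720h maximum
        {"name": "contractors", "decision": "allow",
         "mfa_config": {"session_duration": "90s"}},        # seconds are not allowed for MFA
        {"name": "legacy", "session_duration": "2 hours"},  # not <number><unit> format
    ],
}

if __name__ == "__main__":
    for problem in check_application_durations(SAMPLE_APP):
        print(problem)
```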
- `InfrastructureApplication { target_criteria, type, name, policies }` - `target_criteria: array of { port, protocol, target_attributes }` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `name: optional string` The name of the application. - `policies: optional array of { decision, include, name, 3 more }` The policies that Access applies to the application. - `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. 
Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. 
- `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with `non_identity` and `bypass` decisions.
            - `linked_app_token: { app_uid }`
              - `app_uid: string` The ID of an Access OIDC SaaS application.
          - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
            - `user_risk_score: { user_risk_score }`
              - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
                - `"low"`
                - `"medium"`
                - `"high"`
                - `"unscored"`
        - `name: string` The name of the Access policy.
        - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
          - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
            - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
            - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
        - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
          - `GroupRule { group }` Matches an Access group.
          - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `CertificateRule { certificate }` Matches any valid client certificate.
          - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `CountryRule { geo }` Matches a specific country.
          - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `DomainRule { email_domain }` Matches an entire email domain.
          - `EmailListRule { email_list }` Matches an email address from a list.
          - `EmailRule { email }` Matches a specific email.
          - `EveryoneRule { everyone }` Matches everyone.
          - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
          - `IPListRule { ip_list }` Matches an IP address from a list.
          - `IPRule { ip }` Matches an IP address block.
          - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
          - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
          - `GroupRule { group }` Matches an Access group.
          - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `CertificateRule { certificate }` Matches any valid client certificate.
          - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `CountryRule { geo }` Matches a specific country.
          - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `DomainRule { email_domain }` Matches an entire email domain.
          - `EmailListRule { email_list }` Matches an email address from a list.
          - `EmailRule { email }` Matches a specific email.
          - `EveryoneRule { everyone }` Matches everyone.
          - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
          - `IPListRule { ip_list }` Matches an IP address from a list.
          - `IPRule { ip }` Matches an IP address block.
          - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
          - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `BrowserRDPApplication { domain, target_criteria, type, 29 more }` Contains the targets secured by the application.
    - `domain: string` The primary hostname and path secured by Access. This domain is displayed if the app is visible in the App Launcher.
    - `target_criteria: array of { port, protocol, target_attributes }`
      - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
      - `protocol: "RDP"` The communication protocol your application secures.
        - `"RDP"`
      - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
    - `type: ApplicationType` The application type.
    - `allow_authenticate_via_warp: optional boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application always requires direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iframe.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs are treated as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
    - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
      - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
        - `id: optional string` The UUID of the policy.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `AccessSchemasUUID = string` The UUID of the policy.
      - `{ id, approval_groups, approval_required, 7 more }`
        - `id: optional string` The UUID of the policy.
        - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
          - `approvals_needed: number` The number of approvals needed to obtain access.
          - `email_addresses: optional array of string` A list of emails that can approve the access request.
          - `email_list_uuid: optional string` The UUID of a reusable email list.
        - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
        - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
          - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
            - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
              - `"text"`
            - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
              - `"text"`
        - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
        - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
          - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
            - `"totp"`
            - `"biometrics"`
            - `"security_key"`
          - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
          - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
        - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
        - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
        - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value is interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If `false`, propagates DELETE requests to the target application for SCIM resources. If `true`, sets `active` to `false` on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure-type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `McpServerApplication { type, allow_authenticate_via_warp, allowed_idps, 16 more }`
    - `type: ApplicationType` The application type.
    - `allow_authenticate_via_warp: optional boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application always requires direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs are treated as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
      - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
        - `id: optional string` The UUID of the policy.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `AccessSchemasUUID = string` The UUID of the policy.
      - `{ id, approval_groups, approval_required, 7 more }`
        - `id: optional string` The UUID of the policy.
        - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
          - `approvals_needed: number` The number of approvals needed to obtain access.
          - `email_addresses: optional array of string` A list of emails that can approve the access request.
          - `email_list_uuid: optional string` The UUID of a reusable email list.
        - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
        - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
          - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
            - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
              - `"text"`
            - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
              - `"text"`
        - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
        - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
          - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
            - `"totp"`
            - `"biometrics"`
            - `"security_key"`
          - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
          - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
        - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
        - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
        - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication { type, allow_authenticate_via_warp, allowed_idps, 17 more }`
  - `type: ApplicationType` The application type.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more`
  - `SelfHostedApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
          - `group: { id }`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `any_valid_service_token: { }` An empty object which matches on all service tokens.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: { id, ac_id, identity_provider_id }`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
          - `auth_method: { auth_method }`
            - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: { id, identity_provider_id }`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
          - `certificate: { }`
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `common_name: { common_name }`
            - `common_name: string` The common name to match.
        - `CountryRule { geo }` Matches a specific country.
          - `geo: { country_code }`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `device_posture: { integration_uid }`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule { email_domain }` Matches an entire email domain.
          - `email_domain: { domain }`
            - `domain: string` The email domain to match.
        - `EmailListRule { email_list }` Matches an email address from a list.
          - `email_list: { id }`
            - `id: string` The ID of a previously created email list.
        - `EmailRule { email }` Matches a specific email.
          - `email: { email }`
            - `email: string` The email of the user.
        - `EveryoneRule { everyone }` Matches everyone.
          - `everyone: { }` An empty object which matches on all users.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: { evaluate_url, keys_url }`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": { identity_provider_id, name, team }`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team: optional string` The name of the team.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: { email, identity_provider_id }`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
          - `login_method: { id }`
            - `id: string` The ID of an identity provider.
        - `IPListRule { ip_list }` Matches an IP address from a list.
          - `ip_list: { id }`
            - `id: string` The ID of a previously created IP list.
        - `IPRule { ip }` Matches an IP address block.
          - `ip: { ip }`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `okta: { identity_provider_id, name }`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `saml: { attribute_name, attribute_value, identity_provider_id }`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: { claim_name, claim_value, identity_provider_id }`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `service_token: { token_id }`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: { app_uid }`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
          - `user_risk_score: { user_risk_score }`
            - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. 
This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme Access uses when calling the application's SCIM API: one of the schemes below, or a list of them. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. 
- `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `create: optional boolean` Whether or not this mapping applies to create (POST) operations. 
- `delete: optional boolean` Whether or not this mapping applies to DELETE operations. - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }` - `id: optional string` UUID. 
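The `read_service_tokens_from_header` field above lets a client send its service token as one JSON-valued header instead of the CF-Access-Client-Id / CF-Access-Client-Secret pair. The following is an added example, not Cloudflare's code, of how a service behind Access can accept either form and verify it: the header name `X-Service-Token`, the sample credentials and the digest store are constructed for the example, and the JSON form is accepted only when a single-header name is configured and the object has exactly the two documented members.

```python
"""Added example (not Cloudflare's code): accept an Access service token sent
as the CF-Access-Client-Id / CF-Access-Client-Secret header pair or as the
single JSON header named by read_service_tokens_from_header, and verify it
against a store that keeps only a SHA-256 digest of each secret."""
import hashlib
import hmac
import json
from typing import Mapping, Optional, Tuple

# Constructed sample credentials in the documented format (made-up values).
SAMPLE_CLIENT_ID = "88bf3b6d86161464f6509f7219099e57.access.example.com"
SAMPLE_SECRET = "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"


def secret_digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode("utf-8")).digest()


# Store digests only: a leaked store does not hand out usable credentials.
TOKEN_STORE: Mapping[str, bytes] = {SAMPLE_CLIENT_ID: secret_digest(SAMPLE_SECRET)}


def extract_service_token(headers: Mapping[str, str],
                          single_header_name: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Return (client_id, client_secret) from the header pair, or from the single
    JSON header when one is configured. None if neither form is present or the
    JSON is not exactly an object with the two documented string members."""
    lower = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    cid, secret = lower.get("cf-access-client-id"), lower.get("cf-access-client-secret")
    if cid is not None and secret is not None:
        return cid, secret
    if single_header_name is None or single_header_name.lower() not in lower:
        return None
    try:
        obj = json.loads(lower[single_header_name.lower()])
    except ValueError:
        return None
    if not isinstance(obj, dict) or set(obj) != {"cf-access-client-id", "cf-access-client-secret"}:
        return None
    cid, secret = obj["cf-access-client-id"], obj["cf-access-client-secret"]
    if not (isinstance(cid, str) and isinstance(secret, str)):
        return None
    return cid, secret


def verify_service_token(headers: Mapping[str, str],
                         single_header_name: Optional[str] = None,
                         store: Mapping[str, bytes] = TOKEN_STORE) -> bool:
    """True only when the presented secret matches the stored digest for its client ID."""
    creds = extract_service_token(headers, single_header_name)
    if creds is None:
        return False
    cid, secret = creds
    # Unknown IDs are compared against a dummy digest so the timing of the
    # comparison does not reveal which client IDs exist.
    expected = store.get(cid, secret_digest(""))
    matched = hmac.compare_digest(secret_digest(secret), expected)
    return matched and cid in store


def single_header_value(client_id: str, client_secret: str) -> str:
    """The JSON value a client puts in the single header."""
    return json.dumps({"cf-access-client-id": client_id, "cf-access-client-secret": client_secret})
```

The strict shape check matters because the single header carries a secret: an unexpected member, a non-string value or a non-object body is rejected rather than partially honoured.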
- `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
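The `include`, `require` and `exclude` lists above are combined with OR, AND and NOT respectively, and `precedence` orders policies within an application. The following is an added example, not Cloudflare's code, that evaluates a list of policies in the documented field layout against a subject. Assumed for the example: the first matching policy in precedence order supplies the decision, a policy with no `include` rules matches nobody, and the body shapes of the `email_domain`, `geo`, `group`, `device_posture` and `auth_method` rules, which this section names but does not spell out; the sample policies and subjects are constructed.

```python
"""Added example (not Cloudflare's code): evaluate Access policies with the
documented rule-list semantics. include = OR, require = AND, exclude = NOT;
policies are tried in ascending precedence and the first match decides."""
import ipaddress
from typing import Any, Dict, List, Optional

Rule = Dict[str, Any]
Subject = Dict[str, Any]  # what is known about the request: email, ip, country, groups, amr, ...


def rule_matches(rule: Rule, subject: Subject) -> bool:
    """Evaluate one AccessRule object; each rule object carries exactly one key."""
    (kind, body), = rule.items()
    email = str(subject.get("email", "")).lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":                      # assumed body: {"domain": ...}
        return email.endswith("@" + body["domain"].lower())
    if kind == "ip":
        ip = subject.get("ip")
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":                               # assumed body: {"country_code": ...}
        return subject.get("country") == body["country_code"]
    if kind == "group":                             # assumed body: {"id": ...}
        return body["id"] in subject.get("groups", ())
    if kind == "device_posture":                    # assumed body: {"integration_uid": ...}
        return body["integration_uid"] in subject.get("passed_posture_checks", ())
    if kind == "auth_method":                       # assumed body: {"auth_method": ...}, e.g. "mfa"
        return body["auth_method"] in subject.get("amr", ())
    if kind == "service_token":
        return subject.get("service_token_id") == body["token_id"]
    if kind == "any_valid_service_token":
        return subject.get("service_token_id") is not None
    raise ValueError(f"rule type not implemented in this example: {kind}")


def policy_matches(policy: Dict[str, Any], subject: Subject) -> bool:
    if not any(rule_matches(r, subject) for r in policy.get("include") or []):   # OR: at least one
        return False
    if not all(rule_matches(r, subject) for r in policy.get("require") or []):   # AND: every one
        return False
    if any(rule_matches(r, subject) for r in policy.get("exclude") or []):       # NOT: none
        return False
    return True


def evaluate(policies: List[Dict[str, Any]], subject: Subject) -> Optional[str]:
    """Decision of the first matching policy in precedence order; None when nothing matches."""
    order = [p["precedence"] for p in policies]
    if len(set(order)) != len(order):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, subject):
            return policy["decision"]
    return None


# Constructed sample policies in the documented field layout.
SAMPLE_POLICIES = [
    {"name": "Contractors only from the office network", "decision": "deny", "precedence": 1,
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "Staff and contractors with MFA", "decision": "allow", "precedence": 2,
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"email_domain": {"domain": "contractor.example"}}],
     "require": [{"auth_method": {"auth_method": "mfa"}}],
     "exclude": [{"group": {"id": "offboarded-group-id"}}]},
]
```

Ordering does real work here: a contractor off the office network is caught by the deny policy before the allow policy is considered, while one on the office network falls through the deny policy's `exclude` and is then judged by the allow policy's MFA requirement.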
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp` - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }` - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml". - `"saml"` - `"oidc"` - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }` - `friendly_name: optional string` The SAML FriendlyName of the attribute. - `name: optional string` The name of the attribute. - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` The SAML NameFormat of the attribute. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: optional boolean` If the attribute is required when building a SAML assertion. 
- `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP attribute. - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name. - `idp_id: optional string` The UID of the IdP. - `source_name: optional string` The name of the IdP-provided attribute. - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id: optional string` The unique identifier for your SaaS application. - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: optional string` A globally unique name for an identity or service provider. - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }` - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. 
Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: optional boolean` When true, a client secret is not required at the token endpoint for the authorization_code_with_pkce grant. - `app_launcher_url: optional string` The URL where this application's tile redirects users. - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: optional string` The application client ID. - `client_secret: optional string` The application client secret; only returned in the response to the POST request. - `custom_claims: optional array of { name, required, scope, source }` - `name: optional string` The name of the claim. - `required: optional boolean` If the claim is required when building an OIDC token. - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP claim. - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name. 
- `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: optional string` A regex used to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint. - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }` - `return_access_token_from_authorization_endpoint: optional boolean` Whether an Access Token is returned from the OIDC Authorization endpoint. - `return_id_token_from_authorization_endpoint: optional boolean` Whether an ID Token is returned from the OIDC Authorization endpoint. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `redirect_uris: optional array of string` The permitted URLs to which Cloudflare returns Authorization codes and Access/ID tokens. - `refresh_token_options: optional { lifetime }` - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access. The "offline_access" scope is enabled automatically when refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. 
- `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme Access uses when calling the application's SCIM API: one of the schemes below, or a list of them. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `BrowserSSHApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
      'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed via HTTP in a single header with this name.
    This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, id, allowed_idps, 15 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the log in button on the landing page.
    - `button_text_color: optional string` The color of the text in the log in button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. 
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. 
    This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Requires a device posture check to have run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Requires a device posture check to have run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Requires a device posture check to have run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The proxy endpoint domain, in the format of 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: optional string` The name of the application.
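The policy semantics repeated throughout this schema (`include` rules OR-ed, `require` rules AND-ed, `exclude` rules NOT-ed, `precedence` as the order of execution) and the two duration formats (`session_duration` in Go-style units such as `2h45m`; `mfa_config.session_duration` in whole minutes or hours, at most `720h`) are the parts most often mis-encoded when policies are generated from code. The Python below is an added example written for this reference; it is not Cloudflare's implementation and not the API client. It evaluates a caller context against policy objects shaped like the ones returned here and lints a policy for settings a reviewer would question. Two things are assumptions because the page does not show them: the inner JSON of each rule (`{"email_domain": {"domain": ...}}`, `{"geo": {"country_code": ...}}`, `{"device_posture": {"integration_uid": ...}}`, and so on) and that the first matching policy in precedence order decides. The sample policies and contexts are constructed.

```python
# Added example: an evaluator and linter for Access-style policy objects as this
# reference describes them; not Cloudflare's code. ASSUMED (not on this page): the inner
# JSON of each rule, e.g. {"email_domain": {"domain": ...}}, and first-match-wins ordering.
import ipaddress
import re
from datetime import timedelta

# Token lifetimes use Go-style units (`300ms`, `2h45m`): ns, us/µs, ms, s, m, h.
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration(text: str) -> timedelta:
    """Parse a `session_duration` such as `300ms` or `2h45m`; reject anything else."""
    if not text or _DURATION_RE.sub("", text):  # leftover characters: unknown unit or junk
        raise ValueError(f"invalid duration: {text!r}")
    return timedelta(seconds=sum(float(n) * _UNIT_SECONDS[u] for n, u in _DURATION_RE.findall(text)))


def validate_mfa_session_duration(text: str) -> timedelta:
    """`mfa_config.session_duration` takes whole minutes or hours only, from 0m to 720h."""
    m = re.fullmatch(r"(\d+)([mh])", text or "")
    if not m:
        raise ValueError(f"MFA session_duration must look like 5m or 24h, got {text!r}")
    d = timedelta(**{"minutes" if m[2] == "m" else "hours": int(m[1])})
    if d > timedelta(hours=720):
        raise ValueError(f"MFA session_duration {text} exceeds the 720h maximum")
    return d


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Evaluate one AccessRule object against a caller context (rule shapes are assumed)."""
    (kind, body), = rule.items()  # every rule object carries exactly one key
    if kind == "everyone":
        return True
    if kind == "email_domain":
        return (ctx.get("email") or "").lower().endswith("@" + body["domain"].lower())
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    if kind == "ip":  # an IPv6 client is never inside an IPv4 block, and vice versa
        return "ip" in ctx and ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "device_posture":
        return body["integration_uid"] in ctx.get("passed_posture_checks", ())
    if kind == "any_valid_service_token":
        return bool(ctx.get("service_token_valid"))
    raise ValueError(f"rule type not modelled in this example: {kind}")


def policy_matches(policy: dict, ctx: dict) -> bool:
    """include = OR (at least one), require = AND (all; empty passes), exclude = NOT (none)."""
    def hits(key):
        return [rule_matches(r, ctx) for r in policy.get(key) or []]
    return any(hits("include")) and all(hits("require")) and not any(hits("exclude"))


def evaluate(policies: list, ctx: dict) -> tuple:
    """Walk policies by ascending precedence: (decision, name) of the first match, else ("deny", None)."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"], policy["name"]
    return "deny", None


def lint_policy(policy: dict) -> list:
    """Findings a reviewer would raise on one policy object (heuristics added here)."""
    kinds = {k: {next(iter(r)) for r in policy.get(k) or []} for k in ("include", "require")}
    findings, decision = [], policy.get("decision")
    if decision == "allow" and "everyone" in kinds["include"] and not policy.get("require"):
        findings.append("allow with include=everyone and no require rules: any authenticated identity gets in")
    if "linked_app_token" in kinds["include"] | kinds["require"] and decision not in ("non_identity", "bypass"):
        findings.append("linked_app_token rules are only compatible with non_identity or bypass decisions")
    mfa = policy.get("mfa_config") or {}
    if mfa.get("mfa_disabled"):
        findings.append("mfa_disabled is set on this policy")
    for label, value, check in (("session_duration", policy.get("session_duration"), parse_duration),
                                ("mfa_config.session_duration", mfa.get("session_duration"), validate_mfa_session_duration)):
        if value is not None:
            try:
                check(value)
            except ValueError as err:
                findings.append(f"{label}: {err}")
    return findings


# Constructed sample policies and caller contexts; not taken from any real account.
SAMPLE_POLICIES = [
    {"name": "contractors-outside-us", "decision": "deny", "precedence": 1,
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"geo": {"country_code": "US"}}]},
    {"name": "staff-on-managed-devices", "decision": "allow", "precedence": 2,
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"device_posture": {"integration_uid": "posture-edr-running"}}],
     "session_duration": "2h45m", "mfa_config": {"session_duration": "24h"}},
    {"name": "ci-service-token", "decision": "non_identity", "precedence": 3,
     "include": [{"any_valid_service_token": {}}]},
]
STAFF = {"email": "alice@example.com", "ip": "203.0.113.7", "country": "US", "passed_posture_checks": ["posture-edr-running"]}
CONTRACTOR_ABROAD = {"email": "bob@contractor.example", "ip": "198.51.100.9", "country": "DE"}
CI_RUNNER = {"service_token_valid": True, "ip": "192.0.2.10"}
```

`evaluate(SAMPLE_POLICIES, STAFF)` walks the list by `precedence` and stops at the first policy whose include, require and exclude sets all agree; a context that matches no policy falls through to deny rather than to the lowest-precedence decision. Note the two asymmetries the schema text implies but is easy to get backwards in code: an empty `include` can never match, while an empty `require` places no constraint at all. The `everyone` check in `lint_policy` is the one worth wiring into CI, since an `allow` policy whose only include rule is `everyone` and whose `require` list is empty admits any identity that can complete login through an IdP in `allowed_idps`.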
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Requires a device posture check to have run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Requires a device posture check to have run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Requires a device posture check to have run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication { id, app_launcher_visible, aud, 6 more }`
  - `id: optional string` UUID.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `domain: optional string` The URL or domain of the bookmark.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Requires a device posture check to have run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Requires a device posture check to have run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource.
This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `InfrastructureApplication { target_criteria, type, id, 3 more }` - `target_criteria: array of { port, protocol, target_attributes }` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: optional string` UUID. - `aud: optional string` Audience tag. 
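The `session_duration` fields above (and the OAuth `access_token_lifetime` / `session_duration` later on this page) take Go-style duration strings such as `300ms` or `2h45m` with units ns, us (or µs), ms, s, m, h, while `mfa_config.session_duration` is stricter: minutes or hours only, from 0m to 720h. The following Python is an added example, not code from this page or from Cloudflare: a validator you can run over an application payload before sending it, so a malformed value is caught locally instead of as an API error. The payload layout it walks (`policies[].session_duration`, `mfa_config`, `oauth_configuration.grant`) follows the field names on this page; the sample payload is constructed, and accepting fractional values such as `1.5h` and combinations such as `1h30m` in the MFA field are this example's assumptions.

```python
import re
from decimal import Decimal

# Multipliers in nanoseconds for the units the API lists: ns, us (or µs),
# ms, s, m, h. Both the micro sign (U+00B5) and Greek mu (U+03BC) are taken
# for "µs", since keyboards and copy-paste produce either.
_UNIT_NS = {
    "ns": 1,
    "us": 10**3, "\u00b5s": 10**3, "\u03bcs": 10**3,
    "ms": 10**6,
    "s": 10**9,
    "m": 60 * 10**9,
    "h": 3600 * 10**9,
}
# One "<number><unit>" component; "ms" is listed before "m" and "s" so the
# longest unit wins. Fractions such as "1.5h" are accepted (assumption).
_COMPONENT = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|\u00b5s|\u03bcs|ms|s|m|h)")


def parse_duration_ns(text):
    """Parse a Go-style duration such as '300ms' or '2h45m' into nanoseconds.
    Raises ValueError for an empty string, a missing unit, or an unknown unit."""
    if not isinstance(text, str) or not text:
        raise ValueError("duration must be a non-empty string")
    pos, total = 0, Decimal(0)
    while pos < len(text):
        m = _COMPONENT.match(text, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        total += Decimal(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    return int(total)


def is_valid_duration(text):
    try:
        parse_duration_ns(text)
        return True
    except ValueError:
        return False


_MFA_FORM = re.compile(r"^(?:\d+[mh])+$")
MFA_MAX_NS = 720 * _UNIT_NS["h"]  # 720h = 30 days


def validate_mfa_session_duration(text):
    """mfa_config.session_duration only allows minutes (m) or hours (h),
    from 0m up to 720h. Returns the value in nanoseconds."""
    if not isinstance(text, str) or not _MFA_FORM.match(text):
        raise ValueError(f"mfa session_duration must use only m or h, e.g. '5m' or '24h', got {text!r}")
    ns = parse_duration_ns(text)
    if ns > MFA_MAX_NS:
        raise ValueError(f"mfa session_duration {text!r} exceeds the 720h maximum")
    return ns


def check_durations(app):
    """Return a list of '<json path>: <problem>' strings for every duration
    field in an application payload; an empty list means all are well-formed."""
    problems = []

    def go_style(path, value):
        if value is not None and not is_valid_duration(value):
            problems.append(f"{path}: not a valid duration ({value!r})")

    def mfa(path, cfg):
        value = (cfg or {}).get("session_duration")
        if value is None:
            return
        try:
            validate_mfa_session_duration(value)
        except ValueError as exc:
            problems.append(f"{path}.session_duration: {exc}")

    go_style("session_duration", app.get("session_duration"))
    mfa("mfa_config", app.get("mfa_config"))
    grant = (app.get("oauth_configuration") or {}).get("grant") or {}
    go_style("oauth_configuration.grant.access_token_lifetime", grant.get("access_token_lifetime"))
    go_style("oauth_configuration.grant.session_duration", grant.get("session_duration"))
    for i, policy in enumerate(app.get("policies") or []):
        go_style(f"policies[{i}].session_duration", policy.get("session_duration"))
        mfa(f"policies[{i}].mfa_config", policy.get("mfa_config"))
    return problems


# Constructed sample payload: two fields are deliberately wrong.
SAMPLE_APP = {
    "name": "internal-wiki",
    "session_duration": "24h",
    "mfa_config": {"session_duration": "30d"},  # days are not a unit
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m", "session_duration": "8h"}},
    "policies": [
        {"name": "staff", "session_duration": "2h45m", "mfa_config": {"session_duration": "12h"}},
        {"name": "contractors", "session_duration": "90"},  # unit missing
    ],
}

if __name__ == "__main__":
    for problem in check_durations(SAMPLE_APP):
        print(problem)
```

Running the block reports the two bad fields by JSON path; wire `check_durations` into whatever builds your request body so the check happens on every change, not just the first one.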
- `name: optional string` The name of the application. - `policies: optional array of { id, connection_rules, created_at, 6 more }` - `id: optional string` The UUID of the policy - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application. - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias: optional boolean` Enables using Identity Provider email alias as SSH username. - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `name: optional string` The name of the Access policy. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
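The `include`, `exclude` and `require` lists above compose as OR, NOT and AND respectively, and `precedence` orders the policies within an application. The following Python is an added example, not code from this page or from Cloudflare, that evaluates a list of policies against a constructed request context using exactly those three combinators. It models only a handful of the rule types listed above, and the inner field names it reads (`email`, `domain`, `id`, `country_code`, `ip`, `integration_uid`, `auth_method`) are assumptions, since this page shows only each rule's outer key. The decision value `deny` for a Block policy and the first-matching-policy-in-precedence-order walk are likewise simplifications for illustration, not a statement of how Access orders different decision types.

```python
import ipaddress


def _match_rule(rule, ctx):
    """Evaluate one AccessRule object against a request context dict.
    `rule` is {"<kind>": {...}}, as the rule objects above are shaped; the
    inner field names are assumed for this example."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        return ctx.get("email", "").lower().endswith("@" + body["domain"].lower())
    if kind == "group":
        return body["id"] in ctx.get("groups", ())
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    if kind == "ip":
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "device_posture":
        return body["integration_uid"] in ctx.get("passed_posture_checks", ())
    if kind == "any_valid_service_token":
        return bool(ctx.get("service_token_valid"))
    if kind == "auth_method":
        return body["auth_method"] in ctx.get("auth_methods", ())
    raise ValueError(f"rule type {kind!r} is not modelled in this example")


def policy_matches(policy, ctx):
    """include: OR (at least one must match; an empty include never matches),
    exclude: NOT (none may match), require: AND (all must match)."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    if not any(_match_rule(r, ctx) for r in include):
        return False
    if any(_match_rule(r, ctx) for r in exclude):
        return False
    return all(_match_rule(r, ctx) for r in require)


def evaluate(policies, ctx):
    """Return (decision, policy name) of the first matching policy in
    ascending precedence, or ("deny", None) when nothing matches.
    ASSUMPTION: first-match-by-precedence is a simplification for this
    example; how Access orders different decision types is not on this page."""
    precedences = [p["precedence"] for p in policies]
    if len(set(precedences)) != len(precedences):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"], policy.get("name")
    return "deny", None


# Constructed policies for a self-hosted application.
POLICIES = [
    {"name": "CI service token", "precedence": 1, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
    {"name": "Engineering, MFA, healthy device", "precedence": 2, "decision": "allow",
     "include": [{"group": {"id": "eng-group-uuid"}},
                 {"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"geo": {"country_code": "KP"}}],
     "require": [{"device_posture": {"integration_uid": "edr-posture-uuid"}},
                 {"auth_method": {"auth_method": "mfa"}}]},
    {"name": "Block everyone else", "precedence": 3, "decision": "deny",
     "include": [{"everyone": {}}]},
]

# Constructed request contexts.
ALICE = {"email": "alice@example.com", "groups": ["eng-group-uuid"], "country": "US",
         "ip": "203.0.113.10", "passed_posture_checks": ["edr-posture-uuid"],
         "auth_methods": ["mfa", "pwd"]}
BOB = dict(ALICE, email="bob@contractor.example", groups=[], auth_methods=["pwd"])  # no MFA
CI_RUNNER = {"service_token_valid": True, "ip": "198.51.100.7"}

if __name__ == "__main__":
    for who, ctx in (("alice", ALICE), ("bob", BOB), ("ci", CI_RUNNER)):
        print(who, evaluate(POLICIES, ctx))
```

Bob is the instructive case: he passes the Include list through the contractor domain and passes the posture check, but fails the Require list on MFA, so the Allow policy does not match and the catch-all Block policy decides. Keeping the Block policy explicit rather than relying on the fall-through makes the decision visible in logs and in `evaluate`'s return value.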
- `updated_at: optional string` - `BrowserRDPApplication { domain, target_criteria, type, 31 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: array of { port, protocol, target_attributes }` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
- `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application. - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. 
- `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. 
- `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. 
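The `dynamic_client_registration` block above gives three ways a dynamically registered client's redirect URI can be accepted: an entry in `allowed_uris` (https only, optionally ending in `/*` to cover sub-paths), `allow_any_on_localhost`, or `allow_any_on_loopback` for 127.0.0.1. Redirect-URI matching is where OAuth deployments most often go wrong (open redirectors, `user@host` tricks, `..` path escapes), so the following Python is an added example, not code from this page or from Cloudflare, of one way to apply those rules strictly. It is the example's own assumption that `/*` requires the trailing slash (so `https://a.example/cb/*` does not cover `https://a.example/cb`), that any scheme is accepted on localhost, that query strings are ignored and fragments rejected, that a missing `enabled` means off, and that `allow_any_on_loopback` covers only the literal 127.0.0.1 the page names. The configuration is constructed.

```python
import posixpath
from urllib.parse import urlsplit

_DEFAULT_PORT = {"https": 443, "http": 80}


def _split(uri):
    """Return (scheme, host, port, normalised path) or None when the URI has a
    shape that makes redirect matching unsafe: userinfo (the "a@b" trick),
    a fragment, a missing host, or an unparsable port."""
    try:
        parts = urlsplit(uri)
        port = parts.port
    except ValueError:
        return None
    if parts.fragment or parts.username is not None or parts.password is not None:
        return None
    if not parts.hostname:
        return None
    scheme = parts.scheme.lower()
    path = posixpath.normpath(parts.path or "/")  # collapses "/cb/../admin" to "/admin"
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"  # normpath strips the trailing slash that prefix rules rely on
    return scheme, parts.hostname.lower(), port or _DEFAULT_PORT.get(scheme), path


def compile_allowlist(dcr):
    """Validate allowed_uris once: every entry must be https, and a trailing
    '/*' marks a prefix rule. Returns [((scheme, host, port, path), is_prefix)]."""
    rules = []
    for entry in dcr.get("allowed_uris") or []:
        is_prefix = entry.endswith("/*")
        parsed = _split(entry[:-1] if is_prefix else entry)  # keep the "/" before "*"
        if parsed is None or parsed[0] != "https":
            raise ValueError(f"allowed_uris entry must be an https URI: {entry!r}")
        rules.append((parsed, is_prefix))
    return rules


def allowlist_is_valid(dcr):
    try:
        compile_allowlist(dcr)
        return True
    except ValueError:
        return False


def redirect_uri_allowed(uri, dcr):
    """Decide whether `uri` may be registered under this
    dynamic_client_registration config."""
    if not dcr.get("enabled", False):  # assumption: a missing flag means off
        return False
    parsed = _split(uri)
    if parsed is None:
        return False
    scheme, host, port, path = parsed
    if host == "localhost" and dcr.get("allow_any_on_localhost"):
        return True
    if host == "127.0.0.1" and dcr.get("allow_any_on_loopback"):
        return True
    if scheme != "https":
        return False
    for (_, a_host, a_port, a_path), is_prefix in compile_allowlist(dcr):
        if (host, port) != (a_host, a_port):
            continue
        if is_prefix and path.startswith(a_path):  # a_path ends in "/"
            return True
        if not is_prefix and path == a_path:
            return True
    return False


# Constructed configuration.
DCR = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": ["https://app.example.com/callback", "https://app.example.com/cb/*"],
}

if __name__ == "__main__":
    for candidate in ("https://app.example.com/callback", "https://app.example.com/cb/step2",
                      "https://app.example.com/cb/../admin",
                      "https://app.example.com@evil.example/callback",
                      "http://localhost:3000/cb", "http://127.0.0.1:3000/cb"):
        print(redirect_uri_allowed(candidate, DCR), candidate)
```

The two rejections worth noting are `https://app.example.com@evil.example/callback`, where the real host is `evil.example` and the allowed hostname is only the userinfo, and `https://app.example.com/cb/../admin`, which a naive string prefix check on `/cb/` would accept.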
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. 
- `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. 
The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (or list of schemes) to use when making SCIM requests to this application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. 
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
- `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. 
The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. 
Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server ID configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. 
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. 
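The include / exclude / require semantics and the `precedence` and `decision` fields described above, modelled as an added Python example (it is not Cloudflare's evaluator): `include` is an OR over its rules, `exclude` is a NOT, `require` is an AND, and policies are tried in ascending `precedence`. The rule objects use the API's own shapes (`{"email": {"email": ...}}`, `{"ip": {"ip": ...}}`, and so on), but only a handful of rule types are modelled and any other type never matches, so the evaluator fails closed. The sample policies and request contexts are constructed for this example, and first-match-wins across policies is an assumption the page does not state.

```python
"""Evaluate Access-style policies against a request context.

Added illustration of the include / exclude / require semantics documented
above; it is not Cloudflare's evaluator. Rule shapes follow the API
({"email": {"email": ...}}, {"ip": {"ip": ...}}, ...), but only a few rule
types are modelled and unknown ones never match (fail closed).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Context:
    """What is known about the request being authorized (constructed input)."""
    email: str | None = None
    ip: str = "0.0.0.0"
    country: str | None = None
    groups: set[str] = field(default_factory=set)
    service_token: bool = False


def rule_matches(rule: dict, ctx: Context) -> bool:
    """Evaluate one AccessRule object of the form {"<rule type>": {...}}."""
    (kind, body), = rule.items()
    email = (ctx.email or "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return bool(email) and email == body["email"].lower()
    if kind == "email_domain":
        return bool(email) and email.endswith("@" + body["domain"].lower())
    if kind == "ip":
        return ipaddress.ip_address(ctx.ip) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return ctx.country == body["country_code"]
    if kind == "group":
        return body["id"] in ctx.groups
    if kind == "any_valid_service_token":
        return ctx.service_token
    return False  # unmodelled rule types (saml, okta, device_posture, ...) fail closed


def policy_matches(policy: dict, ctx: Context) -> bool:
    """include is OR, exclude is NOT, require is AND, as the field docs state."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False  # an empty include list matches nobody
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return all(rule_matches(r, ctx) for r in policy.get("require", []))


def decide(policies: list[dict], ctx: Context) -> str | None:
    """Decision of the first matching policy in ascending precedence order.

    First-match-wins is an assumption made for this example; the page only
    says precedence is the order of execution and must be unique per app.
    """
    seen = [p["precedence"] for p in policies]
    if len(seen) != len(set(seen)):
        raise ValueError("precedence must be unique within an application")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"]
    return None  # nothing matched: the request is not allowed


# Constructed sample policies in the documented shape.
SAMPLE_POLICIES = [
    {"name": "Contractors only from the US", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"geo": {"country_code": "US"}}]},
    {"name": "Staff and contractors from corp egress", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"email": {"email": "leaver@example.com"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "CI pipelines", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
]
```

Run `decide(SAMPLE_POLICIES, Context(email="bob@contractor.example", ip="198.51.100.5", country="DE"))` to see the ordering matter: the contractor matches the deny policy at precedence 1 before the allow policy at precedence 2 is ever considered, while the same user from `203.0.113.7` in the US falls through to the allow.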
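The two duration formats on this page differ: the token and OAuth `session_duration` fields (and `access_token_lifetime`) take Go-style durations such as `300ms` or `2h45m` with units ns, us (or µs), ms, s, m, h, whereas `mfa_config.session_duration` accepts only a whole number of minutes or hours between 0m and 720h, so a value like `2h45m` that is fine for one field is rejected for the other. The following is an added Python example (not Cloudflare's code) that validates both forms before a request is sent; the function names are hypothetical and no limits beyond those the page states are enforced.

```python
"""Validate the two duration formats used on this page.

Added example, not Cloudflare's code. parse_go_duration implements the
"300ms" / "2h45m" grammar (units ns, us/µs, ms, s, m, h) used by token and
OAuth session_duration fields; validate_mfa_session_duration applies the
stricter mfa_config rule: minutes or hours only, 0m..720h.
"""
import re
from decimal import Decimal

_NS = 10**9
_UNITS_NS = {
    "ns": Decimal(1), "us": Decimal(1_000), "µs": Decimal(1_000), "μs": Decimal(1_000),
    "ms": Decimal(1_000_000), "s": Decimal(_NS), "m": Decimal(60 * _NS), "h": Decimal(3600 * _NS),
}
# One "<number><unit>" component; longer unit names are listed before their prefixes.
_COMPONENT = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|μs|ms|s|m|h)")


def parse_go_duration(text: str) -> int:
    """Return the duration in nanoseconds, or raise ValueError.

    Mirrors Go's time.ParseDuration grammar: a run of decimal numbers each
    followed by a unit, e.g. "2h45m" or "300ms"; a bare "0" is also accepted.
    """
    s = text.strip()
    if s == "0":
        return 0
    pos, total = 0, Decimal(0)
    while pos < len(s):
        m = _COMPONENT.match(s, pos)
        if not m:
            raise ValueError(f"invalid duration {text!r}")
        total += Decimal(m.group(1)) * _UNITS_NS[m.group(2)]
        pos = m.end()
    if pos == 0:
        raise ValueError("empty duration")
    return int(total)


_MFA = re.compile(r"^(\d+)([mh])$")
_MFA_MAX_MINUTES = 720 * 60  # 720h, the documented maximum


def validate_mfa_session_duration(text: str) -> int:
    """Return the MFA session length in minutes, or raise ValueError.

    Only "<integer>m" or "<integer>h" is accepted, between 0m and 720h;
    compound values such as "2h45m" or sub-minute units are rejected.
    """
    m = _MFA.match(text.strip())
    if not m:
        raise ValueError(f"MFA session_duration must look like '5m' or '24h', got {text!r}")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > _MFA_MAX_MINUTES:
        raise ValueError(f"MFA session_duration exceeds 720h: {text!r}")
    return minutes
```

A config linter would call `parse_go_duration` on every application, policy and OAuth grant `session_duration` and `validate_mfa_session_duration` on every `mfa_config.session_duration` before issuing the PUT, which turns an opaque 400 from the API into a pointed error naming the offending field.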
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme used when making SCIM requests to this application; one of the variants below. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. 
- `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server ID configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. 
- `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. 
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
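As an added example (not Cloudflare's code), a small evaluator showing how the `include` (OR), `require` (AND) and `exclude` (NOT) rule sets and the policy `precedence` described above combine into a `decision`. Only the `group.id` rule shape comes from this page's response example; the other rule bodies (`email`, `email_domain`, `geo`, `ip`, `everyone`), first-match ordering and the deny-when-nothing-matches default are assumptions about the engine's shapes and semantics.

```python
"""Evaluator for the include / require / exclude semantics of an Access policy.

Added example, not Cloudflare's code. Rule bodies other than `group.id` (taken from
the response example) are assumed shapes; first-match-by-precedence and the
deny-on-no-match default are assumptions about the engine's behaviour.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Identity:
    """Constructed view of an authenticated request, as the policy engine would see it."""
    email: str
    groups: set = field(default_factory=set)  # Access group UUIDs the user belongs to
    country: str = ""                          # ISO 3166-1 alpha-2 code from geolocation
    ip: str = ""                               # source address of the request


def rule_matches(rule: dict, who: Identity) -> bool:
    """Evaluate one AccessRule object ({"<rule type>": {...}}) against the identity."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return who.email.lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        return who.email.lower().endswith("@" + rule["email_domain"]["domain"].lower())
    if "group" in rule:
        return rule["group"]["id"] in who.groups
    if "geo" in rule:
        return who.country.upper() == rule["geo"]["country_code"].upper()
    if "ip" in rule:
        if not who.ip:
            return False
        network = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        return ipaddress.ip_address(who.ip) in network  # False across IP versions
    raise ValueError(f"unsupported rule type: {sorted(rule)}")


def policy_matches(policy: dict, who: Identity) -> bool:
    """include is OR-ed, require is AND-ed, exclude is NOT-ed, as the schema states.

    An empty include list matches nobody; an empty require list adds no condition."""
    include = policy.get("include", [])
    require = policy.get("require", [])
    exclude = policy.get("exclude", [])
    if not any(rule_matches(r, who) for r in include):
        return False
    if not all(rule_matches(r, who) for r in require):
        return False
    if any(rule_matches(r, who) for r in exclude):
        return False
    return True


def decide(policies: list, who: Identity) -> str:
    """Walk policies in ascending precedence; the first matching policy's decision wins.

    Assumption: when no policy matches, the request is denied."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy["decision"]
    return "deny"


# Constructed sample policies. The group UUID is the one used in the response example.
DEV_GROUP = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
POLICIES = [
    {"name": "Block contractors", "precedence": 0, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}]},
    {"name": "Allow devs", "precedence": 1, "decision": "allow",
     "include": [{"group": {"id": DEV_GROUP}}],
     "require": [{"geo": {"country_code": "US"}}],
     "exclude": [{"email": {"email": "leaver@example.com"}}]},
    {"name": "Office network", "precedence": 2, "decision": "allow",
     "include": [{"ip": {"ip": "10.5.0.0/24"}}]},
]


if __name__ == "__main__":
    # A developer in the group from the US is allowed by the precedence-1 policy;
    # the same developer outside the US fails its require rule and falls through to deny.
    print(decide(POLICIES, Identity("dev@example.com", {DEV_GROUP}, "US", "203.0.113.9")))
    print(decide(POLICIES, Identity("dev@example.com", {DEV_GROUP}, "DE", "203.0.113.9")))
```

Note that `exclude` only removes a user from the policy it belongs to: the excluded leaver is still admitted by the lower-precedence office-network policy when connecting from 10.5.0.0/24.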
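The `dynamic_client_registration` settings above (`allowed_uris` must be `https` and may end in `/*`; `allow_any_on_localhost` and `allow_any_on_loopback` admit local clients) describe a redirect URI allow-list. Below is an added example of such a check, not Cloudflare's implementation. Assumptions: `/*` covers the path itself and everything beneath it, local clients may use plain `http`, a missing `enabled` means disabled, and fragments and dot-segments are refused outright.

```python
"""Redirect URI check modelled on the dynamic_client_registration settings described above.

Added example, not Cloudflare's implementation. Assumptions are marked inline.
"""
from urllib.parse import SplitResult, urlsplit


def _pattern_matches(pattern: str, uri: SplitResult) -> bool:
    """One allowed_uris entry against a parsed redirect URI.

    Entries must be https. A path ending in '/*' covers that path and every sub-path
    (assumption: '/cb/*' admits '/cb' as well as '/cb/x'); otherwise path and query
    must match exactly."""
    pat = urlsplit(pattern)
    if pat.scheme != "https":
        return False
    # Compare scheme and the whole authority (userinfo, host, port), case-folded,
    # so "https://good.example@evil.example/cb" cannot pass as good.example.
    if (pat.scheme, pat.netloc.lower()) != (uri.scheme, uri.netloc.lower()):
        return False
    if pat.path.endswith("/*"):
        base = pat.path[:-2] or "/"
        return uri.path == base or uri.path.startswith(base.rstrip("/") + "/")
    return (pat.path, pat.query) == (uri.path, uri.query)


def redirect_uri_allowed(redirect_uri: str, dcr: dict) -> bool:
    """Decide whether a dynamically registering client may use redirect_uri.

    dcr is the dynamic_client_registration object from the application config."""
    if not dcr.get("enabled", False):          # assumption: omitted means disabled
        return False
    uri = urlsplit(redirect_uri)
    if not uri.scheme or not uri.hostname:
        return False                           # relative or malformed URIs are never redirect targets
    if uri.fragment:
        return False                           # RFC 6749 section 3.1.2: no fragment in a redirect URI
    if any(seg in (".", "..") for seg in uri.path.split("/")):
        return False                           # refuse dot-segments instead of normalising them
    # Local development clients, only where the administrator opted in.
    # Assumption: plain http is accepted for these two hosts.
    if uri.hostname == "localhost" and dcr.get("allow_any_on_localhost"):
        return uri.scheme in ("http", "https")
    if uri.hostname == "127.0.0.1" and dcr.get("allow_any_on_loopback"):
        return uri.scheme in ("http", "https")
    if uri.scheme != "https":
        return False                           # everything else must match an https allow-list entry
    return any(_pattern_matches(p, uri) for p in dcr.get("allowed_uris", []))


# Constructed configuration: loopback deliberately left off so the two local cases differ.
DCR_CONFIG = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": [
        "https://app.example.com/callback",
        "https://tools.example.com/oauth/*",
    ],
}
```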
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "app_launcher_visible": true,
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      { "cidr": "10.5.0.0/24", "port_range": "80-90", "type": "private" },
      { "cidr": "10.5.0.3/32", "port_range": "80", "type": "private" },
      { "hostname": "private-sni.example.com", "type": "private" },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "Admin Site",
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Update an Access application
**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}` Updates an Access application. ### Path Parameters - `app_id: AppID` Identifier. - `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Body Parameters - `body: { domain, type, allow_authenticate_via_warp, 28 more } or { allowed_idps, app_launcher_visible, auto_redirect_to_identity, 8 more } or { domain, type, allow_authenticate_via_warp, 28 more } or 10 more` Contains the targets secured by the application. - `SelfHostedApplication { domain, type, allow_authenticate_via_warp, 28 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `cors_headers: optional CORSHeaders` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of AllowedOrigins` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. 
- `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. 
- `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application. - `id: optional string` The UUID of the policy - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. 
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: string` Password used to authenticate with the remote SCIM service.
        - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: string` User name used to authenticate with the remote SCIM service.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: string` URL used to generate the auth code used during token generation.
        - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
        - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
        - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication { allowed_idps, app_launcher_visible, auto_redirect_to_identity, 8 more }`
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
    - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
      - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
        - `friendly_name: optional string` The SAML FriendlyName of the attribute.
        - `name: optional string` The name of the attribute.
        - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: optional boolean` If the attribute is required when building a SAML assertion.
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP attribute.
          - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
            - `idp_id: optional string` The UID of the IdP.
            - `source_name: optional string` The name of the IdP-provided attribute.
      - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: optional string` The unique identifier for your SaaS application.
      - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
      - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
      - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: optional boolean` If a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url: optional string` The URL where this application's tile redirects users.
      - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: optional string` The application client ID.
      - `client_secret: optional string` The application client secret, only returned on POST request.
      - `custom_claims: optional array of { name, required, scope, source }`
        - `name: optional string` The name of the claim.
        - `required: optional boolean` If the claim is required when building an OIDC token.
        - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP claim.
          - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
      - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
        - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: optional array of string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: optional { lifetime }`
        - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `BrowserSSHApplication { domain, type, allow_authenticate_via_warp, 28 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `BrowserVNCApplication { domain, type, allow_authenticate_via_warp, 28 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: optional CORSHeaders`
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
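As an added example (not Cloudflare's code or SDK), the following Python checks an application configuration dict against the constraints stated in these field descriptions: the Go-style duration format for `session_duration` and the OAuth grant lifetimes, the 0m to 720h bound on the MFA `session_duration`, unique policy `precedence`, the single-IdP requirement behind `auto_redirect_to_identity`, the `options_preflight_bypass`/`cors_headers` conflict, `https`-only `allowed_uris`, and `destinations` superseding `self_hosted_domains`; it also parses the JSON object carried by the header named in `read_service_tokens_from_header`. The sample configuration, the finding strings and the helper names are constructed for this example.

```python
"""Constructed validator for the Access application fields documented above.
Added example, not Cloudflare's own code: it applies the rules the field
descriptions state to a plain dict and returns human-readable findings."""
import json
import re

# Go-style duration as described for session_duration: e.g. "300ms", "2h45m".
_DURATION_RE = re.compile(r"^(\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
# MFA session_duration must use minutes or hours only.
_MFA_DURATION_RE = re.compile(r"^(\d+)(m|h)$")
MFA_MAX_MINUTES = 720 * 60  # documented maximum: 720h (30 days)
ALLOWED_AUTHENTICATORS = {"totp", "biometrics", "security_key"}


def is_duration(value: str) -> bool:
    """True if value uses the documented units (ns, us/µs, ms, s, m, h)."""
    return bool(_DURATION_RE.match(value))


def mfa_duration_minutes(value: str):
    """MFA session length in minutes, or None if malformed or outside 0m..720h."""
    m = _MFA_DURATION_RE.match(value)
    if not m:
        return None
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return minutes if 0 <= minutes <= MFA_MAX_MINUTES else None


def check_mfa_config(mfa: dict, where: str) -> list:
    """Checks an mfa_config object at application or policy level."""
    findings = []
    bad = set(mfa.get("allowed_authenticators", [])) - ALLOWED_AUTHENTICATORS
    if bad:
        findings.append(f"{where}: unknown authenticators {sorted(bad)}")
    if "session_duration" in mfa and mfa_duration_minutes(mfa["session_duration"]) is None:
        findings.append(f"{where}: mfa session_duration must be 0m..720h in m or h")
    if mfa.get("mfa_disabled"):
        findings.append(f"{where}: MFA is disabled (review risk acceptance)")
    return findings


def validate_access_app(app: dict) -> list:
    """Returns a list of findings; an empty list means every documented rule holds."""
    findings = []
    if "session_duration" in app and not is_duration(app["session_duration"]):
        findings.append("session_duration: expected a duration like 300ms or 2h45m")
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps", [])) != 1:
        findings.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")
    if app.get("options_preflight_bypass") and app.get("cors_headers"):
        findings.append("options_preflight_bypass cannot be enabled when cors_headers is set")
    if app.get("destinations") and app.get("self_hosted_domains"):
        findings.append("self_hosted_domains is ignored because destinations is set")
    if "mfa_config" in app:
        findings += check_mfa_config(app["mfa_config"], "app")
    # Policies: precedence must be unique within the app; inline policies carry their own rules.
    seen = {}
    for i, pol in enumerate(app.get("policies", [])):
        if isinstance(pol, str):  # AccessSchemasUUID: a bare reference to a reusable policy
            continue
        prec = pol.get("precedence")
        if prec in seen:
            findings.append(f"policies[{i}]: precedence {prec} duplicates policies[{seen[prec]}]")
        elif prec is not None:
            seen[prec] = i
        if "session_duration" in pol and not is_duration(pol["session_duration"]):
            findings.append(f"policies[{i}]: bad session_duration")
        if "mfa_config" in pol:
            findings += check_mfa_config(pol["mfa_config"], f"policies[{i}]")
    oauth = app.get("oauth_configuration", {})
    for uri in oauth.get("dynamic_client_registration", {}).get("allowed_uris", []):
        if not uri.startswith("https://"):
            findings.append(f"dynamic_client_registration.allowed_uris: {uri} must use https")
    for key in ("access_token_lifetime", "session_duration"):
        if key in oauth.get("grant", {}) and not is_duration(oauth["grant"][key]):
            findings.append(f"oauth_configuration.grant.{key}: bad duration")
    return findings


def parse_service_token_header(value: str):
    """Parses the JSON object carried in the header named by read_service_tokens_from_header.
    Returns (client_id, client_secret), or None when the value is not such an object."""
    try:
        obj = json.loads(value)
    except ValueError:
        return None
    if not isinstance(obj, dict):
        return None
    cid, secret = obj.get("cf-access-client-id"), obj.get("cf-access-client-secret")
    if not (isinstance(cid, str) and isinstance(secret, str)):
        return None
    return cid, secret


# Constructed sample configuration (not from the page) that breaks several rules at once.
SAMPLE_APP = {
    "type": "self_hosted",
    "domain": "app.example.com",
    "session_duration": "24h",
    "allowed_idps": ["idp-a", "idp-b"],
    "auto_redirect_to_identity": True,
    "cors_headers": {"allow_all_origins": True},
    "options_preflight_bypass": True,
    "policies": [
        {"id": "p1", "precedence": 1, "mfa_config": {"session_duration": "900h"}},
        {"id": "p2", "precedence": 1, "session_duration": "2h45m"},
        "3d3a2b5e-0000-4000-8000-000000000000",  # placeholder reusable-policy UUID
    ],
    "oauth_configuration": {
        "dynamic_client_registration": {"allowed_uris": ["http://client.example/cb"]},
        "grant": {"access_token_lifetime": "15 minutes"},
    },
}

if __name__ == "__main__":
    for finding in validate_access_app(SAMPLE_APP):
        print(finding)
```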
      - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
        - `id: optional string` The UUID of the policy.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `AccessSchemasUUID = string` The UUID of the policy.
      - `{ id, approval_groups, approval_required, 7 more }`
        - `id: optional string` The UUID of the policy.
        - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
          - `approvals_needed: number` The number of approvals needed to obtain access.
          - `email_addresses: optional array of string` A list of emails that can approve the access request.
          - `email_list_uuid: optional string` The UUID of a reusable email list.
        - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
        - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
          - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
            - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
              - `"text"`
            - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
              - `"text"`
        - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
        - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
          - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
            - `"totp"`
            - `"biometrics"`
            - `"security_key"`
          - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
          - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
        - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
        - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
        - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `AppLauncherApplication { type, allowed_idps, app_launcher_logo_url, 13 more }`
    - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `bg_color: optional string` The background color of the App Launcher page.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
      - `name: string` The hypertext in the footer link.
      - `url: string` The hyperlink in the footer link.
    - `header_bg_color: optional string` The background color of the App Launcher header.
    - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
      - `button_color: optional string` The background color of the login button on the landing page.
      - `button_text_color: optional string` The color of the text in the login button on the landing page.
      - `image_url: optional string` The URL of the image shown on the landing page.
      - `message: optional string` The message shown on the landing page.
      - `title: optional string` The title shown on the landing page.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
      - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
        - `id: optional string` The UUID of the policy.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `AccessSchemasUUID = string` The UUID of the policy.
      - `{ id, approval_groups, approval_required, 7 more }`
        - `id: optional string` The UUID of the policy.
        - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
          - `approvals_needed: number` The number of approvals needed to obtain access.
          - `email_addresses: optional array of string` A list of emails that can approve the access request.
          - `email_list_uuid: optional string` The UUID of a reusable email list.
        - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
        - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
          - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
            - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
              - `"text"`
            - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
              - `"text"`
        - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
          'Client Web Isolation' must be on for the account in order to use this feature.
        - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
          - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
            - `"totp"`
            - `"biometrics"`
            - `"security_key"`
          - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
          - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
        - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
        - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
        - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
  - `DeviceEnrollmentPermissionsApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }`
    - `type: ApplicationType` The application type.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application.
      Defaults to all IdPs configured in your account.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
      - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
        - `id: optional string` The UUID of the policy.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `AccessSchemasUUID = string` The UUID of the policy.
      - `{ id, approval_groups, approval_required, 7 more }`
        - `id: optional string` The UUID of the policy.
        - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
          - `approvals_needed: number` The number of approvals needed to obtain access.
          - `email_addresses: optional array of string` A list of emails that can approve the access request.
          - `email_list_uuid: optional string` The UUID of a reusable email list.
        - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
        - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
          - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
            - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
              - `"text"`
            - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
              - `"text"`
        - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
        - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
          - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
            - `"totp"`
            - `"biometrics"`
            - `"security_key"`
          - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
          - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
        - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
        - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
        - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `BrowserIsolationPermissionsApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }`
    - `type: ApplicationType` The application type.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
- `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application. - `id: optional string` The UUID of the policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy. - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }` - `type: ApplicationType` The application type. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
- `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application. - `domain: optional string` The proxy endpoint domain, in the format of 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`. - `name: optional string` The name of the application. - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application. - `id: optional string` The UUID of the policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy. - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication { app_launcher_visible, domain, logo_url, 4 more }` - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `domain: optional string` The URL or domain of the bookmark. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application. - `id: optional string` The UUID of the policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy. - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `InfrastructureApplication { target_criteria, type, name, policies }` - `target_criteria: array of { port, protocol, target_attributes }` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `name: optional string` The name of the application. - `policies: optional array of { decision, include, name, 3 more }` The policies that Access applies to the application. - `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Matches the authentication method reported by the identity provider, for example to enforce a particular MFA option. - `auth_method: { auth_method }` - `auth_method: string` The authentication method reference value, one of the `amr` values defined in [RFC 8176, section 2](https://datatracker.ietf.org/doc/html/rfc8176#section-2). - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country. - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Matches an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user against custom criteria served by your own API. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your GitHub identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `name: string` The name of the Access policy. - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application. - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method reported by the identity provider, for example to enforce a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate.
- `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user against custom criteria served by your own API. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method reported by the identity provider, for example to enforce a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user against custom criteria served by your own API. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `BrowserRDPApplication { domain, target_criteria, type, 29 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: array of { port, protocol, target_attributes }` Contains the targets secured by the application. - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
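The `include`, `exclude` and `require` lists above are combined with three different operators: a user must meet at least one Include rule (OR), none of the Exclude rules (NOT) and all of the Require rules (AND). The evaluator below is an added example, not Cloudflare's code, and it implements only a handful of the rule variants (everyone, email, email_domain, group, ip). The `Identity` struct is an assumption about what Access derives from a login; the reference describes the rule shapes, not the evaluation input. The policy and the identities in `main` are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Identity is a simplified, assumed view of the principal a rule is evaluated against.
type Identity struct {
	Email  string
	Groups []string // IDs of Access groups the user belongs to
	IP     net.IP
}

// Rule is a flattened subset of the AccessRule union; exactly one field is set,
// mirroring the single-key JSON objects in the reference.
type Rule struct {
	Everyone    bool   // EveryoneRule
	Email       string // EmailRule: email.email
	EmailDomain string // DomainRule: email_domain.domain
	GroupID     string // GroupRule: group.id
	CIDR        string // IPRule: ip.ip, an IPv4 or IPv6 CIDR block
}

// Matches evaluates one rule. An empty or unrecognised rule never matches, so a
// malformed policy fails closed instead of widening access.
func (r Rule) Matches(id Identity) bool {
	switch {
	case r.Everyone:
		return true
	case r.Email != "":
		return strings.EqualFold(r.Email, id.Email)
	case r.EmailDomain != "":
		at := strings.LastIndex(id.Email, "@")
		return at >= 0 && strings.EqualFold(id.Email[at+1:], r.EmailDomain)
	case r.GroupID != "":
		for _, g := range id.Groups {
			if g == r.GroupID {
				return true
			}
		}
	case r.CIDR != "":
		_, block, err := net.ParseCIDR(r.CIDR)
		return err == nil && id.IP != nil && block.Contains(id.IP)
	}
	return false
}

// Policy carries the three rule lists with their documented operators.
type Policy struct {
	Name       string
	Decision   string // "allow", "deny", "non_identity" or "bypass"
	Precedence int
	Include    []Rule // OR: the user must meet at least one
	Exclude    []Rule // NOT: the user must meet none
	Require    []Rule // AND: the user must meet all
}

func countMatches(rules []Rule, id Identity) int {
	n := 0
	for _, r := range rules {
		if r.Matches(id) {
			n++
		}
	}
	return n
}

// Matches applies include OR, exclude NOT and require AND. A policy with no
// Include rules can never match; an empty Require list adds no condition.
func (p Policy) Matches(id Identity) bool {
	return countMatches(p.Include, id) > 0 &&
		countMatches(p.Exclude, id) == 0 &&
		countMatches(p.Require, id) == len(p.Require)
}

// SREPolicy is a constructed example: anyone on the example.com email domain who
// is in group grp-sre, unless connecting from 203.0.113.0/24.
var SREPolicy = Policy{
	Name: "sre-ssh", Decision: "allow", Precedence: 1,
	Include: []Rule{{EmailDomain: "example.com"}},
	Exclude: []Rule{{CIDR: "203.0.113.0/24"}},
	Require: []Rule{{GroupID: "grp-sre"}},
}

func main() {
	for _, id := range []Identity{
		{Email: "alice@example.com", Groups: []string{"grp-sre"}, IP: net.ParseIP("198.51.100.7")},
		{Email: "bob@example.com", IP: net.ParseIP("198.51.100.8")},
		{Email: "alice@example.com", Groups: []string{"grp-sre"}, IP: net.ParseIP("203.0.113.9")},
		{Email: "mallory@example.net", Groups: []string{"grp-sre"}, IP: net.ParseIP("198.51.100.7")},
	} {
		fmt.Printf("%-20s from %-13s matches=%v\n", id.Email, id.IP, SREPolicy.Matches(id))
	}
}
```

The third identity is the case worth keeping in mind when authoring policies: Alice satisfies both the Include and the Require lists, but a single Exclude match vetoes the policy regardless of how many other rules she meets.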
- `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server ID configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
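Redirect URI validation is the control that keeps dynamic client registration from becoming an open redirect for authorization codes, so it pays to be precise about what `allowed_uris`, `allow_any_on_localhost` and `allow_any_on_loopback` admit. The checker below is an added example of the rules as the reference states them, not Cloudflare's implementation: `https` only, exact scheme/host/path comparison, a trailing `/*` turning the path into a prefix match, and the localhost / 127.0.0.1 carve-outs. Three details are assumptions of the example rather than statements on the page: query, fragment and userinfo components are refused outright, dot segments are normalised so `/cb/../admin` cannot pass a `/cb/*` prefix, and the carve-outs accept any scheme and port (IPv6 `::1` is not covered because the page names only 127.0.0.1). The configuration and candidate URIs in `main` are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// DynamicClientRegistration mirrors oauth_configuration.dynamic_client_registration.
type DynamicClientRegistration struct {
	Enabled             bool     // enabled
	AllowAnyOnLocalhost bool     // allow_any_on_localhost
	AllowAnyOnLoopback  bool     // allow_any_on_loopback (127.0.0.1)
	AllowedURIs         []string // allowed_uris: absolute https URLs, optionally ending in /*
}

// normalizePath resolves dot segments (assumed hardening, not on the page) while
// keeping a trailing slash the client actually sent.
func normalizePath(p string) string {
	if p == "" {
		return "/"
	}
	clean := path.Clean(p)
	if strings.HasSuffix(p, "/") && clean != "/" {
		clean += "/"
	}
	return clean
}

// matchAllowed compares a candidate with one allowed_uris entry: exact scheme,
// host (including port) and path, except that a trailing "/*" makes the path a
// prefix match anchored at the "/", so "/cb/*" accepts "/cb/x" but not "/cbx".
func matchAllowed(allowed string, u *url.URL) (bool, error) {
	a, err := url.Parse(allowed)
	if err != nil || a.Scheme != "https" || a.Host == "" {
		return false, fmt.Errorf("allowed_uris entry %q must be an absolute https URL", allowed)
	}
	if u.Scheme != "https" || !strings.EqualFold(u.Host, a.Host) {
		return false, nil
	}
	cand := normalizePath(u.Path)
	if strings.HasSuffix(a.Path, "/*") {
		return strings.HasPrefix(cand, strings.TrimSuffix(a.Path, "*")), nil
	}
	return cand == normalizePath(a.Path), nil
}

// RedirectAllowed decides whether a redirect_uri presented at registration is
// acceptable under this configuration.
func (c DynamicClientRegistration) RedirectAllowed(candidate string) (bool, error) {
	if !c.Enabled {
		return false, fmt.Errorf("dynamic client registration is disabled")
	}
	u, err := url.Parse(candidate)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false, fmt.Errorf("redirect URI %q is not an absolute URL", candidate)
	}
	// Assumed hardening: RFC 6749 forbids fragments, and userinfo/query give
	// an attacker extra room to craft confusable URIs.
	if u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return false, fmt.Errorf("redirect URI %q must not carry userinfo, query or fragment", candidate)
	}
	host := u.Hostname()
	if (c.AllowAnyOnLocalhost && host == "localhost") || (c.AllowAnyOnLoopback && host == "127.0.0.1") {
		return true, nil
	}
	for _, allowed := range c.AllowedURIs {
		if ok, err := matchAllowed(allowed, u); err != nil || ok {
			return ok, err
		}
	}
	return false, nil
}

func main() {
	// Constructed configuration: one exact callback, one wildcard prefix, loopback allowed.
	cfg := DynamicClientRegistration{
		Enabled:            true,
		AllowAnyOnLoopback: true,
		AllowedURIs:        []string{"https://app.example.com/oauth/callback", "https://cli.example.com/cb/*"},
	}
	for _, uri := range []string{
		"https://app.example.com/oauth/callback",
		"http://app.example.com/oauth/callback",
		"https://cli.example.com/cb/device",
		"https://cli.example.com/cbx",
		"https://cli.example.com/cb/../admin",
		"https://cli.example.com.attacker.test/cb/x",
		"http://127.0.0.1:49152/cb",
		"http://localhost:49152/cb",
	} {
		ok, err := cfg.RedirectAllowed(uri)
		fmt.Printf("%-45s allowed=%v err=%v\n", uri, ok, err)
	}
}
```

Note that `allowed_uris` entries are compared on the full host, so `cli.example.com.attacker.test` does not inherit anything from `cli.example.com`; a suffix or substring comparison here is the classic mistake that turns a redirect allowlist into a bypass.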
- `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application. - `id: optional string` The UUID of the policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy. - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. 
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `McpServerApplication { type, allow_authenticate_via_warp, allowed_idps, 16 more }`
    - `type: ApplicationType` The application type.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in AI Controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in AI Controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
      - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
        - `id: optional string` The UUID of the policy.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `AccessSchemasUUID = string` The UUID of the policy.
      - `{ id, approval_groups, approval_required, 7 more }`
        - `id: optional string` The UUID of the policy.
        - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
          - `approvals_needed: number` The number of approvals needed to obtain access.
          - `email_addresses: optional array of string` A list of emails that can approve the access request.
          - `email_list_uuid: optional string` The UUID of a reusable email list.
        - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
        - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
          - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
            - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
              - `"text"`
            - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
              - `"text"`
        - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
        - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
          - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
            - `"totp"`
            - `"biometrics"`
            - `"security_key"`
          - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
          - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
        - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
        - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
        - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `McpServerPortalApplication { type, allow_authenticate_via_warp, allowed_idps, 17 more }`
    - `type: ApplicationType` The application type.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in AI Controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in AI Controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
      - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
        - `id: optional string` The UUID of the policy.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `AccessSchemasUUID = string` The UUID of the policy.
      - `{ id, approval_groups, approval_required, 7 more }`
        - `id: optional string` The UUID of the policy.
        - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
          - `approvals_needed: number` The number of approvals needed to obtain access.
          - `email_addresses: optional array of string` A list of emails that can approve the access request.
          - `email_list_uuid: optional string` The UUID of a reusable email list.
- `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. 
- `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. 
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
    - `schema: string` Which SCIM resource type this mapping applies to.
    - `enabled: optional boolean` Whether or not this mapping is enabled.
    - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
    - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more`
  - `SelfHostedApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: optional CORSHeaders`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
          - `group: { id }`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `any_valid_service_token: { }` An empty object which matches on all service tokens.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: { id, ac_id, identity_provider_id }`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `auth_method: { auth_method }`
            - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: { id, identity_provider_id }`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
          - `certificate: { }`
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `common_name: { common_name }`
            - `common_name: string` The common name to match.
        - `CountryRule { geo }` Matches a specific country.
          - `geo: { country_code }`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `device_posture: { integration_uid }`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule { email_domain }` Matches an entire email domain.
          - `email_domain: { domain }`
            - `domain: string` The email domain to match.
        - `EmailListRule { email_list }` Matches an email address from a list.
          - `email_list: { id }`
            - `id: string` The ID of a previously created email list.
        - `EmailRule { email }` Matches a specific email.
          - `email: { email }`
            - `email: string` The email of the user.
        - `EveryoneRule { everyone }` Matches everyone.
          - `everyone: { }` An empty object which matches on all users.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: { evaluate_url, keys_url }`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": { identity_provider_id, name, team }`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team: optional string` The name of the team.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: { email, identity_provider_id }`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
          - `login_method: { id }`
            - `id: string` The ID of an identity provider.
        - `IPListRule { ip_list }` Matches an IP address from a list.
          - `ip_list: { id }`
            - `id: string` The ID of a previously created IP list.
        - `IPRule { ip }` Matches an IP address block.
          - `ip: { ip }`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `okta: { identity_provider_id, name }`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `saml: { attribute_name, attribute_value, identity_provider_id }`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: { claim_name, claim_value, identity_provider_id }`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `service_token: { token_id }`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: { app_uid }`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
          - `user_risk_score: { user_risk_score }`
            - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed via HTTP in a single header with this name.
      This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

      ```json
      {
        "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
        "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
      }
      ```

    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
          - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
    - `id: optional string` UUID.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
    - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
      - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is `"saml"`.
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
        - `friendly_name: optional string` The SAML FriendlyName of the attribute.
        - `name: optional string` The name of the attribute.
        - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: optional boolean` If the attribute is required when building a SAML assertion.
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP attribute.
          - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
            - `idp_id: optional string` The UID of the IdP.
            - `source_name: optional string` The name of the IdP-provided attribute.
      - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: optional string` The unique identifier for your SaaS application.
      - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform `id`, `email`, `name`, and `groups` values. It can also transform fields listed in the `saml_attributes` or `oidc_fields` of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
      - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
      - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m and h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: optional boolean` Whether a client secret should be required on the token endpoint when the `authorization_code_with_pkce` grant is used.
      - `app_launcher_url: optional string` The URL where this application's tile redirects users.
      - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: optional string` The application client ID.
      - `client_secret: optional string` The application client secret, only returned on POST requests.
      - `custom_claims: optional array of { name, required, scope, source }`
        - `name: optional string` The name of the claim.
        - `required: optional boolean` If the claim is required when building an OIDC token.
        - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP claim.
          - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
      - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and the userinfo endpoint.
      - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
        - `return_access_token_from_authorization_endpoint: optional boolean` Whether an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: optional boolean` Whether an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: optional array of string` The permitted URLs to which Cloudflare returns Authorization codes and Access/ID tokens.
      - `refresh_token_options: optional { lifetime }`
        - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access. The `offline_access` scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `BrowserSSHApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 
      'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name.
    This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
      'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name.
    This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
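The `include` / `require` / `exclude` lists above (OR, AND, NOT) and the `precedence` and `linked_app_token` constraints are easiest to check end to end in code. The following is an added example, not Cloudflare's code: it evaluates a policy list in precedence order against a constructed identity and lints the two constraints the listing states. Assumed, because the page does not give them: the inner rule field names (`email`, `domain`, `ip`, `country_code`, `id`), first-match-wins ordering by `precedence`, and every sample value.

```python
from ipaddress import ip_address, ip_network

# Decisions the listing names as compatible with AccessLinkedAppTokenRule.
DECISIONS_FOR_LINKED_APP_TOKEN = ("non_identity", "bypass")


def match_rule(rule, identity):
    """Match one AccessRule against a dict of identity attributes.

    A rule is an object with a single key naming its kind (`everyone`, `email`,
    `email_domain`, `ip`, `geo`, `group`, as in the field listing). The inner
    field names (`email`, `domain`, `ip`, `country_code`, `id`) are assumed
    here; they are not given on this page. Unhandled kinds raise rather than
    silently matching or not matching.
    """
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return identity.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        domain = identity.get("email", "").rpartition("@")[2].lower()
        return domain == body["domain"].lower()
    if kind == "ip":
        # IPRule matches an address block; a bare address is treated as /32 or /128.
        return ip_address(identity["ip"]) in ip_network(body["ip"], strict=False)
    if kind == "geo":
        return identity.get("country") == body["country_code"]
    if kind == "group":
        return body["id"] in identity.get("groups", ())
    raise ValueError(f"unsupported rule kind: {kind}")


def policy_matches(policy, identity):
    """include = OR, require = AND, exclude = NOT, as the field descriptions state."""
    if not any(match_rule(r, identity) for r in policy.get("include", [])):
        return False
    if not all(match_rule(r, identity) for r in policy.get("require", [])):
        return False
    if any(match_rule(r, identity) for r in policy.get("exclude", [])):
        return False
    return True


def decide(policies, identity):
    """Evaluate policies in precedence order (assumed first match wins).
    Returns the matching policy's decision, or None when nothing matches."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"]
    return None


def validate_policies(policies):
    """Lint the constraints stated in the listing: precedence must be unique
    within an app, and a linked_app_token rule is only compatible with the
    non_identity and bypass decisions. Returns a list of problem strings."""
    problems = []
    seen = {}
    for policy in policies:
        name, prec, decision = policy.get("name"), policy.get("precedence"), policy.get("decision")
        if prec in seen:
            problems.append(f"precedence {prec} reused by {name!r} and {seen[prec]!r}")
        seen.setdefault(prec, name)
        if decision not in DECISIONS_FOR_LINKED_APP_TOKEN:
            for lst in ("include", "require", "exclude"):
                if any("linked_app_token" in rule for rule in policy.get(lst, [])):
                    problems.append(f"{name!r}: linked_app_token rule with decision {decision!r}")
    return problems


# Constructed sample policies (hypothetical names, IDs and ranges).
SAMPLE_POLICIES = [
    {
        "name": "Staff from the corporate range",
        "precedence": 1,
        "decision": "allow",
        "include": [{"email_domain": {"domain": "example.com"}}],
        "require": [{"ip": {"ip": "10.0.0.0/8"}}, {"geo": {"country_code": "US"}}],
        "exclude": [{"group": {"id": "contractors"}}],
    },
    {
        "name": "Deny everyone else",
        "precedence": 2,
        "decision": "deny",
        "include": [{"everyone": {}}],
    },
]

if __name__ == "__main__":
    staff = {"email": "alice@example.com", "ip": "10.1.2.3", "country": "US", "groups": []}
    contractor = {"email": "carol@example.com", "ip": "10.9.9.9", "country": "US", "groups": ["contractors"]}
    print(decide(SAMPLE_POLICIES, staff), decide(SAMPLE_POLICIES, contractor))
    print(validate_policies(SAMPLE_POLICIES))
```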
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, id, allowed_idps, 15 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the log in button on the landing page.
    - `button_text_color: optional string` The color of the text in the log in button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: optional string` The name of the application. 
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication { id, app_launcher_visible, aud, 6 more }`
  - `id: optional string` UUID.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `domain: optional string` The URL or domain of the bookmark.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `InfrastructureApplication { target_criteria, type, id, 3 more }`
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `aud: optional string` Audience tag.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, connection_rules, created_at, 6 more }`
    - `id: optional string` The UUID of the policy.
    - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
      - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `name: optional string` The name of the Access policy.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `updated_at: optional string`
    - `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
      - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
      - `target_criteria: array of { port, protocol, target_attributes }`
        - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
        - `protocol: "RDP"` The communication protocol your application secures.
          - `"RDP"`
        - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
      - `type: ApplicationType` The application type.
      - `id: optional string` UUID.
      - `allow_authenticate_via_warp: optional boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
      - `allow_iframe: optional boolean` Enables loading application content in an iframe.
      - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
      - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
      - `aud: optional string` Audience tag.
      - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
      - `cors_headers: optional CORSHeaders`
      - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
      - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
      - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
      - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
      - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
        - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
          - `type: optional "public"`
            - `"public"`
          - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
        - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
          - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
          - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
          - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
            - `"tcp"`
            - `"udp"`
          - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
          - `type: optional "private"`
            - `"private"`
          - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
        - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
          - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
          - `type: optional "via_mcp_server_portal"`
            - `"via_mcp_server_portal"`
      - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
      - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
      - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the application.
      - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
        - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
          - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
          - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
          - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
          - `enabled: optional boolean` Whether dynamic client registration is enabled.
        - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
        - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
          - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
          - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
      - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
      - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
        - `id: optional string` The UUID of the policy.
        - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
          - `approvals_needed: number` The number of approvals needed to obtain access.
          - `email_addresses: optional array of string` A list of emails that can approve the access request.
          - `email_list_uuid: optional string` The UUID of a reusable email list.
        - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
        - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
          - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
            - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
              - `"text"`
            - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
              - `"text"`
        - `created_at: optional string`
        - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
          - `GroupRule { group }` Matches an Access group.
          - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `CertificateRule { certificate }` Matches any valid client certificate.
          - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `CountryRule { geo }` Matches a specific country.
          - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `DomainRule { email_domain }` Matches an entire email domain.
          - `EmailListRule { email_list }` Matches an email address from a list.
          - `EmailRule { email }` Matches a specific email.
          - `EveryoneRule { everyone }` Matches everyone.
          - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
          - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
          - `IPListRule { ip_list }` Matches an IP address from a list.
          - `IPRule { ip }` Matches an IP address block.
          - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
          - `GroupRule { group }` Matches an Access group.
          - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `CertificateRule { certificate }` Matches any valid client certificate.
          - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `CountryRule { geo }` Matches a specific country.
          - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `DomainRule { email_domain }` Matches an entire email domain.
          - `EmailListRule { email_list }` Matches an email address from a list.
          - `EmailRule { email }` Matches a specific email.
          - `EveryoneRule { everyone }` Matches everyone.
          - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
          - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
          - `IPListRule { ip_list }` Matches an IP address from a list.
          - `IPRule { ip }` Matches an IP address block.
          - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
        - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
          - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
            - `"totp"`
            - `"biometrics"`
            - `"security_key"`
          - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
          - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
        - `name: optional string` The name of the Access policy.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
        - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
        - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
        - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
          - `GroupRule { group }` Matches an Access group.
          - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `CertificateRule { certificate }` Matches any valid client certificate.
          - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `CountryRule { geo }` Matches a specific country.
          - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `DomainRule { email_domain }` Matches an entire email domain.
          - `EmailListRule { email_list }` Matches an email address from a list.
          - `EmailRule { email }` Matches a specific email.
          - `EveryoneRule { everyone }` Matches everyone.
          - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
          - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
          - `IPListRule { ip_list }` Matches an IP address from a list.
          - `IPRule { ip }` Matches an IP address block.
          - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
        - `updated_at: optional string`
      - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
      - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
      - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
        - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
        - `remote_uri: string` The base URI for the application's SCIM-compatible API.
        - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
          - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
            - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
            - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
            - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
            - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
              - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
              - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
              - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
                - `"access_service_token"`
        - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
        - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
        - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
          - `schema: string` Which SCIM resource type this mapping applies to.
          - `enabled: optional boolean` Whether or not this mapping is enabled.
          - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
          - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
          - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
          - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
      - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
      - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
      - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
      - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
      - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
    - `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }`
      - `type: ApplicationType` The application type.
      - `id: optional string` UUID.
      - `allow_authenticate_via_warp: optional boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
      - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
      - `aud: optional string` Audience tag.
      - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
      - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
      - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
      - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
      - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
      - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
        - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. The wildcard `*` can be used in the definition.
          - `type: optional "public"`
            - `"public"`
          - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
        - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
          - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
          - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
          - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
            - `"tcp"`
            - `"udp"`
          - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
          - `type: optional "private"`
            - `"private"`
          - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
        - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
          - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
          - `type: optional "via_mcp_server_portal"`
            - `"via_mcp_server_portal"`
      - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
      - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
      - `name: optional string` The name of the application.
      - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
        - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
          - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
          - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
          - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
          - `enabled: optional boolean` Whether dynamic client registration is enabled.
        - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
        - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
          - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
          - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
      - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
        - `id: optional string` The UUID of the policy.
        - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
          - `approvals_needed: number` The number of approvals needed to obtain access.
          - `email_addresses: optional array of string` A list of emails that can approve the access request.
          - `email_list_uuid: optional string` The UUID of a reusable email list.
        - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
        - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
          - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
            - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
              - `"text"`
            - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
              - `"text"`
        - `created_at: optional string`
        - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
          - `GroupRule { group }` Matches an Access group.
          - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `CertificateRule { certificate }` Matches any valid client certificate.
          - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `CountryRule { geo }` Matches a specific country.
          - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `DomainRule { email_domain }` Matches an entire email domain.
          - `EmailListRule { email_list }` Matches an email address from a list.
          - `EmailRule { email }` Matches a specific email.
          - `EveryoneRule { everyone }` Matches everyone.
          - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
          - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
          - `IPListRule { ip_list }` Matches an IP address from a list.
          - `IPRule { ip }` Matches an IP address block.
          - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
          - `GroupRule { group }` Matches an Access group.
          - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. 
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }`
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
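The policy rule semantics documented above (include = OR, require = AND, exclude = NOT) and the stated constraints on `precedence`, `mfa_config.session_duration` and `AccessLinkedAppTokenRule`, worked through as an added example; this is not Cloudflare's code. It assumes a flat identity dict, a subset of rule types, the inner body keys `email.email`, `email_domain.domain` and `ip.ip` (only `group.id` appears on this page), and that policies are tried in ascending precedence with the first match deciding.

```python
"""Evaluate Access policy objects (the `policies[]` shape above) against an
identity with the documented rule semantics: include = OR, require = AND,
exclude = NOT. Added example, not Cloudflare's code; rule body keys other than
group.id, the identity shape and first-match-by-precedence are assumptions."""
import ipaddress
from typing import List, Optional


def rule_matches(rule: dict, identity: dict) -> bool:
    """True if one AccessRule object matches the identity (subset of rule types)."""
    (kind, body), = rule.items()  # each AccessRule object carries exactly one key
    email = identity.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "group":          # {"group": {"id": ...}} as in the example response
        return body["id"] in identity.get("groups", [])
    if kind == "email":          # assumed body key: {"email": {"email": ...}}
        return email == body["email"].lower()
    if kind == "email_domain":   # assumed body key: {"email_domain": {"domain": ...}}
        return email.endswith("@" + body["domain"].lower())
    if kind == "ip":             # assumed body key: {"ip": {"ip": "<cidr>"}}
        net = ipaddress.ip_network(body["ip"], strict=False)
        return ipaddress.ip_address(identity["ip"]) in net
    # Refuse rather than guess: an unhandled rule in `exclude` must not silently pass.
    raise ValueError(f"rule type not handled by this example: {kind}")


def policy_matches(policy: dict, identity: dict) -> bool:
    """include: at least one rule (OR); require: every rule (AND); exclude: none (NOT)."""
    include = policy.get("include", [])
    require = policy.get("require", [])
    exclude = policy.get("exclude", [])
    if not any(rule_matches(r, identity) for r in include):  # empty include matches nobody
        return False
    if not all(rule_matches(r, identity) for r in require):  # empty require is vacuously true
        return False
    return not any(rule_matches(r, identity) for r in exclude)


def evaluate(policies: List[dict], identity: dict) -> Optional[str]:
    """Decision of the first matching policy in ascending precedence; None if none matches."""
    for policy in sorted(policies, key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, identity):
            return policy["decision"]
    return None


def mfa_duration_ok(value: str) -> bool:
    """mfa_config.session_duration: minutes (m) or hours (h) only, 0m..720h."""
    number, unit = value[:-1], value[-1:]
    if unit not in ("m", "h") or not number.isdigit():
        return False
    return int(number) * (60 if unit == "h" else 1) <= 720 * 60


def lint_policies(policies: List[dict]) -> List[str]:
    """Check constraints the field descriptions state, before sending the PUT."""
    findings, seen = [], {}
    for p in policies:
        name, prec = p.get("name", "?"), p.get("precedence")
        if prec in seen:  # precedence must be unique within an app
            findings.append(f"{name}: precedence {prec} already used by {seen[prec]}")
        seen.setdefault(prec, name)
        rules = p.get("include", []) + p.get("require", []) + p.get("exclude", [])
        if any("linked_app_token" in r for r in rules) and \
                p.get("decision") not in ("non_identity", "bypass"):
            findings.append(f"{name}: linked_app_token rules need a non_identity or bypass decision")
        mfa_dur = p.get("mfa_config", {}).get("session_duration")
        if mfa_dur is not None and not mfa_duration_ok(mfa_dur):
            findings.append(f"{name}: mfa_config.session_duration must be 0m..720h in m or h")
    return findings


# Constructed sample data: the group ID is the one in the example response above,
# the addresses come from documentation-reserved ranges.
DEV_GROUP = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
SAMPLE_POLICIES = [
    {"name": "Allow devs", "precedence": 0, "decision": "allow",
     "include": [{"group": {"id": DEV_GROUP}}],
     "require": [{"email_domain": {"domain": "example.com"}}],
     "exclude": [{"ip": {"ip": "203.0.113.0/24"}}],
     "mfa_config": {"session_duration": "24h"}},
    {"name": "Deny everyone else", "precedence": 1, "decision": "deny",
     "include": [{"everyone": {}}]},
]
BAD_POLICIES = [
    {"name": "A", "precedence": 0, "decision": "allow", "mfa_config": {"session_duration": "31d"},
     "include": [{"linked_app_token": {}}]},  # body left empty: lint only looks at the key
    {"name": "B", "precedence": 0, "decision": "allow", "include": [{"everyone": {}}]},
]
DEV = {"email": "dev@example.com", "groups": [DEV_GROUP], "ip": "198.51.100.7"}
DEV_FROM_EXCLUDED_NET = dict(DEV, ip="203.0.113.9")
CONTRACTOR = {"email": "c@partner.test", "groups": [], "ip": "198.51.100.8"}

if __name__ == "__main__":
    for who, ident in (("dev", DEV), ("dev, excluded net", DEV_FROM_EXCLUDED_NET),
                       ("contractor", CONTRACTOR)):
        print(f"{who}: {evaluate(SAMPLE_POLICIES, ident)}")
    print("lint findings:", lint_policies(BAD_POLICIES))
```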
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "app_launcher_visible": true,
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      { "cidr": "10.5.0.0/24", "port_range": "80-90", "type": "private" },
      { "cidr": "10.5.0.3/32", "port_range": "80", "type": "private" },
      { "hostname": "private-sni.example.com", "type": "private" },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "Admin Site",
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true
  }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      { "cidr": "10.5.0.0/24", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80-90", "type": "private", "vnet_id": "vnet_id" },
      { "cidr": "10.5.0.3/32", "hostname": "hostname", "l4_protocol": "tcp", "port_range": "80", "type": "private", "vnet_id": "vnet_id" },
      { "cidr": "cidr", "hostname": "private-sni.example.com", "l4_protocol": "tcp", "port_range": "port_range", "type": "private", "vnet_id": "vnet_id" },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": { "access_token_lifetime": "5m", "session_duration": "24h" }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          { "approvals_needed": 1, "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"], "email_list_uuid": "email_list_uuid" },
          { "approvals_needed": 3, "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Delete an Access application

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Deletes an application from Access.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" }
}
```

## Revoke application tokens

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens`

Revokes all tokens issued for an application.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `result: optional unknown`
- `success: optional true or false`
  - `true`
  - `false`

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/revoke_tokens \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

## Domain Types

### Allowed Headers

- `AllowedHeaders = string`

### Allowed IdPs

- `AllowedIdPs = string` The identity providers selected for application.

### Allowed Methods

- `AllowedMethods = "GET" or "POST" or "HEAD" or 6 more`
  - `"GET"`
  - `"POST"`
  - `"HEAD"`
  - `"PUT"`
  - `"DELETE"`
  - `"CONNECT"`
  - `"OPTIONS"`
  - `"TRACE"`
  - `"PATCH"`

### Allowed Origins

- `AllowedOrigins = string`

### App ID

- `AppID = string` Identifier.

### Application

- `Application = { domain, type, id, 21 more } or { id, allowed_idps, app_launcher_visible, 9 more } or { domain, type, id, 21 more } or 5 more`
  - `SelfHostedApplication { domain, type, id, 21 more }`
    - `domain: string` The domain and path that Access will secure.
    - `type: string` The application type.
    - `id: optional string` UUID.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: optional { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of unknown` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of unknown` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `created_at: optional string`
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application.
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or { token, scheme } or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSchemasSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or { token, scheme } or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
            - `token: string` Token used to authenticate with the remote SCIM service.
            - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
              - `"oauthbearertoken"`
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
          - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `updated_at: optional string`
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication { id, allowed_idps, app_launcher_visible, 9 more }`
    - `id: optional string` UUID.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `created_at: optional string`
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `saas_app: optional { auth_type, consumer_service_url, created_at, 8 more } or { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 13 more }`
      - `AccessSchemasSAMLSaaSApp { auth_type, consumer_service_url, created_at, 8 more }`
        - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
          - `"saml"`
          - `"oidc"`
        - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
        - `created_at: optional string`
        - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
          - `friendly_name: optional string` The SAML FriendlyName of the attribute.
          - `name: optional string` The name of the attribute.
          - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
            - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
          - `required: optional boolean` If the attribute is required when building a SAML assertion.
          - `source: optional { name, name_by_idp }`
            - `name: optional string` The name of the IdP attribute.
            - `name_by_idp: optional map[string]` A mapping from IdP ID to attribute name.
        - `idp_entity_id: optional string` The unique identifier for your SaaS application.
        - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
          - `"id"`
          - `"email"`
        - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
        - `public_key: optional string` The Access public certificate that will be used to verify your identity.
        - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
        - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
        - `updated_at: optional string`
      - `AccessSchemasOIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 13 more }`
        - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
        - `allow_pkce_without_client_secret: optional boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
        - `app_launcher_url: optional string` The URL where this application's tile redirects users.
        - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
          - `"saml"`
          - `"oidc"`
        - `client_id: optional string` The application client ID.
        - `client_secret: optional string` The application client secret, only returned on POST request.
        - `created_at: optional string`
        - `custom_claims: optional array of { name, required, scope, source }`
          - `name: optional string` The name of the claim.
          - `required: optional boolean` If the claim is required when building an OIDC token.
          - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
            - `"groups"`
            - `"profile"`
            - `"email"`
            - `"openid"`
          - `source: optional { name, name_by_idp }`
            - `name: optional string` The name of the IdP claim.
            - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
              - `idp_id: optional string` The UID of the IdP.
              - `source_name: optional string` The name of the IdP provided attribute.
        - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
          - `"authorization_code"`
          - `"authorization_code_with_pkce"`
          - `"refresh_tokens"`
          - `"hybrid"`
          - `"implicit"`
        - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint.
        - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
          - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
          - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
        - `public_key: optional string` The Access public certificate that will be used to verify your identity.
        - `redirect_uris: optional array of string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
        - `refresh_token_options: optional { lifetime }`
          - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.
        - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
          - `"openid"`
          - `"groups"`
          - `"email"`
          - `"profile"`
        - `updated_at: optional string`
    - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `type: optional string` The application type.
    - `updated_at: optional string`
  - `BrowserSSHApplication { domain, type, id, 21 more }`
    - `domain: string` The domain and path that Access will secure.
    - `type: string` The application type.
    - `id: optional string` UUID.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
- `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: optional array of unknown` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of unknown` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `created_at: optional string` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application. - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. 
- `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `updated_at: optional string` - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication { domain, type, id, 21 more }` - `domain: string` The domain and path that Access will secure. - `type: string` The application type. - `id: optional string` UUID. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `cors_headers: optional { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: optional array of unknown` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of unknown` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `created_at: optional string` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application. - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. 
- `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `updated_at: optional string` - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication { type, id, allowed_idps, 8 more }` - `type: "self_hosted" or "saas" or "ssh" or 6 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at: optional string` - `domain: optional string` The domain and path that Access will secure. - `name: optional string` The name of the application. - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. 
- `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 8 more }` - `type: "self_hosted" or "saas" or "ssh" or 6 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at: optional string` - `domain: optional string` The domain and path that Access will secure. - `name: optional string` The name of the application. - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 8 more }` - `type: "self_hosted" or "saas" or "ssh" or 6 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. 
- `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at: optional string` - `domain: optional string` The domain and path that Access will secure. - `name: optional string` The name of the application. - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `BookmarkApplication { domain, type, id, 7 more }` - `domain: string` The URL or domain of the bookmark. - `type: string` The application type. - `id: optional string` UUID. - `app_launcher_visible: optional unknown` - `aud: optional string` Audience tag. - `created_at: optional string` - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `updated_at: optional string` ### Application Policy - `ApplicationPolicy { id, approval_groups, approval_required, 13 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. 
- `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforces a specific authentication (MFA) method, identified by its RFC 8176 `amr` value. - `auth_method: { auth_method }` - `auth_method: string` The authentication method reference value, as defined in [RFC 8176, section 2](https://datatracker.ietf.org/doc/html/rfc8176#section-2). - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country. - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Matches an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user against custom criteria served by your own API. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. 
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your GitHub identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces a specific authentication (MFA) method, identified by its RFC 8176 `amr` value. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user against custom criteria served by your own API. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. 
Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces a specific authentication (MFA) method, identified by its RFC 8176 `amr` value. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user against custom criteria served by your own API. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` ### Application SCIM Config - `ApplicationSCIMConfig { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or { token, scheme } or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. 
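The ApplicationPolicy schema above describes three rule lists with different logic: `include` is an OR, `require` is an AND, and `exclude` is a NOT, with the outcome given by `decision`. The following is an added example, not Cloudflare code, that implements those semantics locally for a subset of the AccessRule types and checks two constraints the schema states (infrastructure policies must use `allow`; `linked_app_token` rules only work with `non_identity` or `bypass`). The identity dict shape it evaluates against (`email`, `ip`, `country`, `groups`, `service_token_id`, `idp_id`, `posture_passed`) and the sample policy are assumptions made for the example.

```python
"""Evaluate Access policy rule semantics (include OR, require AND, exclude NOT).

Added example, not Cloudflare code. It models the ApplicationPolicy fields
`decision`, `include`, `require` and `exclude` and implements a subset of the
AccessRule types locally. The identity dict shape (`email`, `ip`, `country`,
`groups`, `service_token_id`, `idp_id`, `posture_passed`) is an assumption made
for this example; Access evaluates identities from the IdP or WARP session,
not from a dict like this.
"""
import ipaddress

DECISIONS = ("allow", "deny", "non_identity", "bypass")


def rule_matches(rule: dict, identity: dict) -> bool:
    """Return True if one AccessRule object matches the identity."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return identity.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        email = identity.get("email", "")
        return "@" in email and email.rsplit("@", 1)[1].lower() == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in identity.get("groups", ())
    if "ip" in rule:
        # An IPv4 address never falls inside an IPv6 block and vice versa.
        net = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        return "ip" in identity and ipaddress.ip_address(identity["ip"]) in net
    if "geo" in rule:
        return identity.get("country") == rule["geo"]["country_code"]
    if "any_valid_service_token" in rule:
        return identity.get("service_token_id") is not None
    if "service_token" in rule:
        return identity.get("service_token_id") == rule["service_token"]["token_id"]
    if "login_method" in rule:
        return identity.get("idp_id") == rule["login_method"]["id"]
    if "device_posture" in rule:
        return rule["device_posture"]["integration_uid"] in identity.get("posture_passed", ())
    raise ValueError(f"rule type not implemented in this example: {sorted(rule)}")


def evaluate_policy(policy: dict, identity: dict):
    """Return policy["decision"] if the identity matches, otherwise None.

    include -> OR:  at least one rule must match (no rules: never matches)
    require -> AND: every rule must match (no rules: no extra constraint)
    exclude -> NOT: no rule may match
    Treating an empty include list as "matches nobody" is this example's choice.
    """
    if not any(rule_matches(r, identity) for r in policy.get("include", [])):
        return None
    if not all(rule_matches(r, identity) for r in policy.get("require", [])):
        return None
    if any(rule_matches(r, identity) for r in policy.get("exclude", [])):
        return None
    return policy["decision"]


def validate_policy(policy: dict, app_type: str) -> list:
    """Return the schema constraints that the policy violates (empty if none)."""
    problems = []
    decision = policy.get("decision")
    if decision not in DECISIONS:
        problems.append(f"unknown decision {decision!r}")
    if app_type == "infrastructure" and decision != "allow":
        problems.append("infrastructure application policies can only use the allow action")
    rules = policy.get("include", []) + policy.get("require", []) + policy.get("exclude", [])
    if any("linked_app_token" in r for r in rules) and decision not in ("non_identity", "bypass"):
        problems.append("linked_app_token rules are only compatible with non_identity and bypass decisions")
    return problems


# Constructed sample policy: staff of example.com, only from the office range,
# with one contractor mailbox explicitly carved out.
ENGINEERING_POLICY = {
    "name": "engineering-allow",
    "decision": "allow",
    "include": [{"email_domain": {"domain": "example.com"}}],
    "require": [{"ip": {"ip": "203.0.113.0/24"}}],
    "exclude": [{"email": {"email": "contractor@example.com"}}],
}

if __name__ == "__main__":
    for ident in ({"email": "alice@example.com", "ip": "203.0.113.7"},
                  {"email": "alice@example.com", "ip": "198.51.100.7"},
                  {"email": "contractor@example.com", "ip": "203.0.113.7"}):
        print(ident["email"], ident["ip"], "->", evaluate_policy(ENGINEERING_POLICY, ident))
```

A practitioner can feed exported policy JSON into `evaluate_policy` to reason about who a policy admits before it is deployed; the `require` list is where device posture and network rules belong, because an `include` rule alone is satisfied by any one matching condition.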
- `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `AccessSchemasSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or { token, scheme } or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. 
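`deactivate_on_delete` above changes what a deletion at the IdP turns into on the wire, and the `mappings` entries of an ApplicationSCIMConfig (`schema`, `enabled`, `filter`, `operations`, `strictness`) decide whether a resource is sent at all and with which attributes. The following is an added example, not Cloudflare code, that simulates that decision for one IdP event and returns the outbound SCIM request. Its assumptions: the event shape `{"op": create|update|delete, "resource": {...}}`, the attribute table that `strict` keeps for the User schema, the rule that the first enabled mapping for the resource's schema applies, and a filter evaluator limited to `eq`/`ne`/`co`/`sw`/`pr` terms joined by `and`. `transform_jsonata` is not evaluated here because the standard library has no JSONata engine.

```python
"""Simulate what an ApplicationSCIMConfig turns an IdP user event into.

Added example, not Cloudflare code. It reads the documented fields `enabled`,
`remote_uri`, `deactivate_on_delete` and, per mapping, `schema`, `enabled`,
`filter`, `operations` and `strictness`, and returns the outbound SCIM request.
Assumptions: the event shape {"op": create|update|delete, "resource": {...}},
the attribute table used by "strict" for the User schema, "first enabled
mapping for the schema wins", and a filter evaluator covering only
eq/ne/co/sw/pr terms joined by `and`. `transform_jsonata` is not evaluated.
"""
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# Per-schema endpoint and the attributes kept under strictness "strict"
# (assumed core User attribute set; the real outbound schema is the target's).
RESOURCES = {
    USER_SCHEMA: ("/Users", {"schemas", "id", "externalId", "userName", "name",
                             "displayName", "emails", "active", "groups"}),
}

_TERM = re.compile(r'^(?P<attr>[A-Za-z][\w.]*)\s+(?P<op>eq|ne|co|sw|pr)(?:\s+"(?P<val>[^"]*)")?$')


def filter_matches(expr: str, resource: dict) -> bool:
    """Evaluate the supported SCIM filter subset against a resource."""
    if not expr.strip():
        return True
    for term in re.split(r"\s+and\s+", expr.strip(), flags=re.IGNORECASE):
        m = _TERM.match(term.strip())
        if m is None:
            raise ValueError(f"unsupported filter term: {term!r}")
        node = resource
        for part in m["attr"].split("."):
            node = node.get(part) if isinstance(node, dict) else None
        if m["op"] == "pr":
            ok = node is not None
        elif node is None:
            ok = False  # an absent attribute satisfies no comparison
        else:
            s, v = str(node), m["val"]
            ok = {"eq": s == v, "ne": s != v, "co": v in s, "sw": s.startswith(v)}[m["op"]]
        if not ok:
            return False
    return True


def provision(config: dict, event: dict):
    """Return (method, url, body) for the event, or None if nothing is sent."""
    if not config.get("enabled", False):
        return None
    op, resource = event["op"], event["resource"]
    schema = resource["schemas"][0]
    if schema not in RESOURCES:
        raise ValueError(f"schema not modelled in this example: {schema}")
    endpoint, known = RESOURCES[schema]
    mapping = next((m for m in config.get("mappings", [])
                    if m.get("enabled", True) and m["schema"] == schema), None)
    if mapping is None:
        return None
    if not mapping.get("operations", {}).get(op, True):
        return None
    if not filter_matches(mapping.get("filter", ""), resource):
        return None
    body = dict(resource)
    if mapping.get("strictness", "passthrough") == "strict":
        body = {k: v for k, v in body.items() if k in known}  # drop unknown attributes

    base = config["remote_uri"].rstrip("/") + endpoint
    if op == "create":
        return "POST", base, body
    if op == "update":
        return "PUT", f"{base}/{resource['id']}", body
    if op == "delete":
        if config.get("deactivate_on_delete"):
            # Soft delete: only flip `active`, for targets without DELETE support.
            patch = {"schemas": [PATCH_OP_SCHEMA],
                     "Operations": [{"op": "replace", "path": "active", "value": False}]}
            return "PATCH", f"{base}/{resource['id']}", patch
        return "DELETE", f"{base}/{resource['id']}", None
    raise ValueError(f"unknown op {op!r}")


# Constructed sample: provision engineering users only, strictly, soft-deleting.
SCIM_CONFIG = {
    "enabled": True,
    "remote_uri": "https://scim.example.test/v2",
    "deactivate_on_delete": True,
    "mappings": [{
        "schema": USER_SCHEMA, "enabled": True,
        "filter": 'department eq "engineering"',
        "operations": {"create": True, "update": True, "delete": True},
        "strictness": "strict",
    }],
}
ALICE = {"schemas": [USER_SCHEMA], "id": "u-1", "userName": "alice@example.com",
         "active": True, "department": "engineering", "x-legacy-badge": "0042"}

if __name__ == "__main__":
    for op in ("create", "update", "delete"):
        print(op, "->", provision(SCIM_CONFIG, {"op": op, "resource": ALICE}))
```

The filter runs against the full IdP resource before `strict` trims it, so an attribute such as `department` can select who is provisioned without being sent to the target. A soft delete leaves the remote account in place with `active: false`; if the target grants access on existence rather than on `active`, `deactivate_on_delete` should stay false.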
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `create: optional boolean` Whether or not this mapping applies to create (POST) operations. - `delete: optional boolean` Whether or not this mapping applies to DELETE operations. - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. ### Application Type - `ApplicationType = "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` ### CORS Headers - `CORSHeaders { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. 
- `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. Browsers reject a wildcard `Access-Control-Allow-Origin` on credentialed requests, so pair this with explicit `allowed_origins` rather than `allow_all_origins`. - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of AllowedOrigins` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. ### Decision - `Decision = "allow" or "deny" or "non_identity" or "bypass"` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` ### OIDC SaaS App - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }` - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: optional boolean` When set to `true`, the token endpoint does not require a client secret for the authorization_code_with_pkce grant, which is what public clients that cannot keep a secret need. - `app_launcher_url: optional string` The URL that this application's App Launcher tile redirects users to. - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: optional string` The application client ID. - `client_secret: optional string` The application client secret, only returned in the response to a POST request. - `custom_claims: optional array of { name, required, scope, source }` - `name: optional string` The name of the claim. - `required: optional boolean` Whether the claim is required when building an OIDC token. 
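The CORSHeaders object above is a set of switches whose interaction matters more than any single field: `allow_all_origins` together with `allow_credentials` lets any site make authenticated cross-origin requests, and a browser will not even accept a literal `*` origin on a credentialed response. The following is an added example, not Cloudflare code, that treats a CORSHeaders dict as configuration, derives the preflight response a browser would see, and lints the weak combinations. How Access itself serializes these settings is not reproduced; the wildcard handling follows the Fetch standard, and the two sample configurations are constructed for the example.

```python
"""Derive the CORS response a CORSHeaders object implies, and lint it.

Added example, not Cloudflare code. It treats the CORSHeaders fields
(allow_all_headers, allow_all_methods, allow_all_origins, allow_credentials,
allowed_headers, allowed_methods, allowed_origins, max_age) as a plain dict
and applies browser CORS rules to a preflight request. The credentialed
wildcard case follows the Fetch standard, under which a browser rejects
`Access-Control-Allow-Origin: *` on a credentialed request.
"""

ALL_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH")


def cors_response_headers(cfg: dict, origin: str, request_method: str, request_headers: list) -> dict:
    """Return the CORS headers for a preflight from `origin`, or {} if refused.

    request_method / request_headers mirror the browser's
    Access-Control-Request-Method and Access-Control-Request-Headers.
    """
    allowed_origins = [o.lower() for o in cfg.get("allowed_origins", [])]
    if not (cfg.get("allow_all_origins") or origin.lower() in allowed_origins):
        return {}
    if not (cfg.get("allow_all_methods") or request_method.upper() in cfg.get("allowed_methods", [])):
        return {}
    wanted = [h.strip().lower() for h in request_headers if h.strip()]
    allowed_headers = {h.lower() for h in cfg.get("allowed_headers", [])}
    if not cfg.get("allow_all_headers") and any(h not in allowed_headers for h in wanted):
        return {}

    credentials = bool(cfg.get("allow_credentials"))
    headers = {}
    if credentials or not cfg.get("allow_all_origins"):
        # Never emit "*" with credentials: reflect the validated origin and
        # add Vary so shared caches do not serve one origin's answer to another.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    else:
        headers["Access-Control-Allow-Origin"] = "*"
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    methods = ALL_METHODS if cfg.get("allow_all_methods") else tuple(cfg.get("allowed_methods", []))
    headers["Access-Control-Allow-Methods"] = ", ".join(methods)
    # Echo the requested header names instead of "*": the wildcard does not
    # cover Authorization and is ignored on credentialed requests.
    granted = wanted if cfg.get("allow_all_headers") else [h for h in wanted if h in allowed_headers]
    if granted:
        headers["Access-Control-Allow-Headers"] = ", ".join(granted)
    if cfg.get("max_age") is not None:
        headers["Access-Control-Max-Age"] = str(int(cfg["max_age"]))
    return headers


def lint_cors(cfg: dict) -> list:
    """Flag combinations that widen the application's attack surface."""
    findings = []
    if cfg.get("allow_all_origins") and cfg.get("allow_credentials"):
        findings.append("allow_all_origins with allow_credentials lets any site make credentialed requests; list allowed_origins explicitly")
    if cfg.get("allow_all_origins") and cfg.get("allow_all_methods"):
        findings.append("allow_all_origins with allow_all_methods exposes state-changing methods to every origin")
    for o in cfg.get("allowed_origins", []):
        if o == "*" or o.startswith("http://"):
            findings.append(f"allowed_origins entry {o!r} is a wildcard or plaintext origin")
    return findings


# Constructed configs: the first is what a quick "make the CORS errors go away"
# change tends to produce; the second is the scoped equivalent.
WEAK = {"allow_all_origins": True, "allow_credentials": True,
        "allow_all_methods": True, "allow_all_headers": True}
HARDENED = {"allowed_origins": ["https://app.example.com"], "allow_credentials": True,
            "allowed_methods": ["GET", "POST"],
            "allowed_headers": ["Content-Type", "Authorization"], "max_age": 600}

if __name__ == "__main__":
    print(lint_cors(WEAK))
    print(cors_response_headers(HARDENED, "https://app.example.com", "POST", ["Authorization", "Content-Type"]))
```

With the weak configuration the only thing a server can do that browsers accept is reflect whatever `Origin` arrives, which is functionally equivalent to trusting every site; `lint_cors` is the check to run on exported application JSON before it reaches production.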
- `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP claim. - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name. - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: optional string` A regex that filters the Cloudflare groups returned in the ID token and from the userinfo endpoint. - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }` Tokens returned from the authorization endpoint travel in the redirect URL and are exposed to browser history and referrers; prefer `authorization_code_with_pkce` wherever the client supports it. - `return_access_token_from_authorization_endpoint: optional boolean` Whether an access token is returned from the OIDC authorization endpoint. - `return_id_token_from_authorization_endpoint: optional boolean` Whether an ID token is returned from the OIDC authorization endpoint. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `redirect_uris: optional array of string` The permitted URLs to which Cloudflare returns authorization codes and access/ID tokens. - `refresh_token_options: optional { lifetime }` - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access. The "offline_access" scope is enabled automatically when refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` ### SaaS App Name ID Format - `SaaSAppNameIDFormat = "id" or "email"` The format of the name identifier sent to the SaaS application. 
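Four duration-typed fields in these schemas use four different grammars: `session_duration` on applications and policies takes Go-style values such as `300ms` or `2h45m` with units ns, us (or µs), ms, s, m, h; `mfa_config.session_duration` on a policy takes minutes or hours only, from 0m to 720h; the OIDC `access_token_lifetime` takes m or h between 1m and 24h; and `refresh_token_options.lifetime` takes m, h or d and must exceed 1m. The following is an added example, not Cloudflare code, that parses all of them with one tokenizer and applies each field's unit set and range, so a configuration can be rejected locally before the API rejects it. The dotted field paths used by `validate_app`, including the `saas_app` nesting, are assumptions made for the example.

```python
"""Validate the duration-typed fields in the Access application schemas.

Added example, not Cloudflare code. Each field carries its own grammar:
  session_duration (application / policy): Go-style, units ns, us/µs, ms, s, m, h
  mfa_config.session_duration: m or h only, 0m .. 720h
  access_token_lifetime (OIDC SaaS app): m or h only, 1m .. 24h
  refresh_token_options.lifetime: m, h or d; longer than 1m
The dotted paths in validate_app (including the `saas_app` nesting) and the
error wording are this example's assumptions.
"""
import re
from fractions import Fraction

# Unit -> nanoseconds, matching Go's time.ParseDuration table (plus d for refresh tokens).
NS = {"ns": 1, "us": 10**3, "µs": 10**3, "μs": 10**3, "ms": 10**6, "s": 10**9,
      "m": 60 * 10**9, "h": 3600 * 10**9, "d": 86400 * 10**9}
GO_UNITS = ("ns", "us", "µs", "μs", "ms", "s", "m", "h")
MINUTE, HOUR, DAY = NS["m"], NS["h"], NS["d"]
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h|d)")


def parse_duration(text: str, allowed_units: tuple) -> int:
    """Parse a unit-suffixed duration such as "2h45m" into nanoseconds.

    Every component must carry a unit; unknown units, units outside
    allowed_units, empty input and trailing garbage raise ValueError.
    """
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, Fraction(0)
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        number, unit = m.group(1), m.group(2)
        if unit not in allowed_units:
            raise ValueError(f"unit {unit!r} not allowed in {text!r}")
        total += Fraction(number) * NS[unit]
        pos = m.end()
    return int(total)


def check_session_duration(value: str) -> int:
    """Application/policy session_duration: any Go unit; no range is stated."""
    return parse_duration(value, GO_UNITS)


def check_mfa_session_duration(value: str) -> int:
    """mfa_config.session_duration: m or h only, 0m <= value <= 720h."""
    ns = parse_duration(value, ("m", "h"))
    if not 0 <= ns <= 720 * HOUR:
        raise ValueError(f"mfa session_duration {value!r} outside 0m..720h")
    return ns


def check_access_token_lifetime(value: str) -> int:
    """OIDC access_token_lifetime: m or h only, 1m <= value <= 24h."""
    ns = parse_duration(value, ("m", "h"))
    if not MINUTE <= ns <= 24 * HOUR:
        raise ValueError(f"access_token_lifetime {value!r} outside 1m..24h")
    return ns


def check_refresh_token_lifetime(value: str) -> int:
    """refresh_token_options.lifetime: m, h or d; must be longer than 1m."""
    ns = parse_duration(value, ("m", "h", "d"))
    if ns <= MINUTE:
        raise ValueError(f"refresh token lifetime {value!r} must be longer than 1m")
    return ns


def is_valid(check, value: str) -> bool:
    """True if `check` accepts `value`."""
    try:
        check(value)
        return True
    except ValueError:
        return False


CHECKS = {
    "session_duration": check_session_duration,
    "mfa_config.session_duration": check_mfa_session_duration,
    "saas_app.access_token_lifetime": check_access_token_lifetime,
    "saas_app.refresh_token_options.lifetime": check_refresh_token_lifetime,
}


def validate_app(app: dict) -> dict:
    """Return {dotted_field: error} for every duration field that fails."""
    errors = {}
    for path, check in CHECKS.items():
        node = app
        for key in path.split("."):
            node = node.get(key) if isinstance(node, dict) else None
        if node is None:
            continue  # field absent: nothing to validate
        try:
            check(node)
        except ValueError as exc:
            errors[path] = str(exc)
    return errors


if __name__ == "__main__":
    sample = {"session_duration": "24h", "mfa_config": {"session_duration": "900s"},
              "saas_app": {"access_token_lifetime": "25h", "refresh_token_options": {"lifetime": "1m"}}}
    print(validate_app(sample))
```

The ranges are the ones the schema states, so a value the validator rejects would also be rejected by the API; the check that is easy to miss is the unit set, since `900s` is a valid `session_duration` but not a valid `mfa_config.session_duration`.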
- `"id"` - `"email"` ### SAML SaaS App - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }` - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC; defaults to "saml" when unset. - `"saml"` - `"oidc"` - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }` - `friendly_name: optional string` The SAML FriendlyName of the attribute. - `name: optional string` The name of the attribute. - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` The SAML NameFormat URI of the attribute, which tells the service provider how to interpret `name`. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: optional boolean` Whether the attribute is required when building a SAML assertion. - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP attribute. - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name. - `idp_id: optional string` The UID of the IdP. - `source_name: optional string` The name of the IdP provided attribute. - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id: optional string` The unique identifier for your SaaS application. - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. 
- `"id"` - `"email"` - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: optional string` A globally unique name for an identity or service provider. - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests. ### SCIM Config Authentication HTTP Basic - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. ### SCIM Config Authentication OAuth Bearer Token - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. 
- `"oauthbearertoken"` ### SCIM Config Authentication Oauth2 - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. ### SCIM Config Mapping - `SCIMConfigMapping { schema, enabled, filter, 3 more }` Transformations and filters applied to resources before they are provisioned in the remote SCIM service. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `create: optional boolean` Whether or not this mapping applies to create (POST) operations. - `delete: optional boolean` Whether or not this mapping applies to DELETE operations. - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. 
  - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
    - `"strict"`
    - `"passthrough"`
  - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.

### Self Hosted Domains

- `SelfHostedDomains = string` A domain that Access will secure.

### Application List Response

- `ApplicationListResponse = { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more`
  - `SelfHostedApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
          - `group: { id }`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `any_valid_service_token: { }` An empty object which matches on all service tokens.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: { id, ac_id, identity_provider_id }`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `auth_method: { auth_method }`
            - `auth_method: string` The type of authentication method, as defined in [RFC 8176, section 2](https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: { id, identity_provider_id }`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
          - `certificate: { }`
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `common_name: { common_name }`
            - `common_name: string` The common name to match.
        - `CountryRule { geo }` Matches a specific country.
          - `geo: { country_code }`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `device_posture: { integration_uid }`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule { email_domain }` Matches an entire email domain.
          - `email_domain: { domain }`
            - `domain: string` The email domain to match.
        - `EmailListRule { email_list }` Matches an email address from a list.
          - `email_list: { id }`
            - `id: string` The ID of a previously created email list.
        - `EmailRule { email }` Matches a specific email.
          - `email: { email }`
            - `email: string` The email of the user.
        - `EveryoneRule { everyone }` Matches everyone.
          - `everyone: { }` An empty object which matches on all users.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: { evaluate_url, keys_url }`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": { identity_provider_id, name, team }`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team: optional string` The name of the team.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: { email, identity_provider_id }`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
          - `login_method: { id }`
            - `id: string` The ID of an identity provider.
        - `IPListRule { ip_list }` Matches an IP address from a list.
          - `ip_list: { id }`
            - `id: string` The ID of a previously created IP list.
        - `IPRule { ip }` Matches an IP address block.
          - `ip: { ip }`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `okta: { identity_provider_id, name }`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `saml: { attribute_name, attribute_value, identity_provider_id }`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: { claim_name, claim_value, identity_provider_id }`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `service_token: { token_id }`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
          - `linked_app_token: { app_uid }`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
          - `user_risk_score: { user_risk_score }`
            - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
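To make the `include` (OR), `require` (AND) and `exclude` (NOT) semantics above concrete, here is an added example, not Cloudflare's code, that evaluates a handful of the documented AccessRule JSON shapes against a constructed request context and returns the `decision` of the first matching policy in `precedence` order. The request-context field names, the sample policies and the fallback to `deny` when no policy matches are this example's own assumptions.

```python
import ipaddress

# Request context used by this simulation (constructed; field names are
# this example's assumption, not an Access API structure):
#   email, ip, country_code, groups, identity_provider_id,
#   service_token_id, amr (RFC 8176 authentication method references)


def rule_matches(rule, ctx):
    """Evaluate one AccessRule object of the form {"<kind>": {...}}."""
    (kind, body), = rule.items()
    if kind == "everyone":                      # EveryoneRule
        return True
    if kind == "email":                         # EmailRule
        return ctx.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":                  # DomainRule
        email = ctx.get("email", "")
        return "@" in email and email.rsplit("@", 1)[1].lower() == body["domain"].lower()
    if kind == "ip":                            # IPRule: CIDR containment, v4 or v6
        if ctx.get("ip") is None:
            return False
        net = ipaddress.ip_network(body["ip"], strict=False)
        return ipaddress.ip_address(ctx["ip"]) in net
    if kind == "geo":                           # CountryRule
        return ctx.get("country_code") == body["country_code"]
    if kind == "group":                         # GroupRule
        return body["id"] in ctx.get("groups", ())
    if kind == "login_method":                  # AccessLoginMethodRule
        return ctx.get("identity_provider_id") == body["id"]
    if kind == "service_token":                 # ServiceTokenRule
        return ctx.get("service_token_id") == body["token_id"]
    if kind == "any_valid_service_token":       # AnyValidServiceTokenRule
        return ctx.get("service_token_id") is not None
    if kind == "auth_method":                   # AuthenticationMethodRule
        return body["auth_method"] in ctx.get("amr", ())
    raise ValueError(f"unsupported rule kind in this example: {kind}")


def policy_matches(policy, ctx):
    """Include is OR (at least one), Require is AND (all), Exclude is NOT (none)."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False            # an empty include list can never match
    if not all(rule_matches(r, ctx) for r in policy.get("require", [])):
        return False            # an empty require list imposes nothing
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return True


def decide(policies, ctx):
    """First matching policy by precedence wins; (decision, policy name).
    Falling back to deny when nothing matches is this example's assumption."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy.get("decision", "allow"), policy.get("name")
    return "deny", None


# Constructed sample policies, using the documented rule shapes.
POLICIES = [
    {"name": "Block country XX", "precedence": 1, "decision": "deny",
     "include": [{"geo": {"country_code": "XX"}}]},
    {"name": "Contractors from office", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}},
                 {"auth_method": {"auth_method": "mfa"}}],
     "exclude": [{"email": {"email": "former.employee@contractor.example"}}]},
    {"name": "CI service token", "precedence": 3, "decision": "non_identity",
     "include": [{"service_token": {"token_id": "tok-ci-0000"}}]},
    {"name": "Staff", "precedence": 4, "decision": "allow",
     "include": [{"group": {"id": "grp-staff-0000"}}]},
]

# Constructed request contexts.
CONTRACTOR_OFFICE = {"email": "dev@contractor.example", "ip": "203.0.113.7",
                     "country_code": "DE", "amr": ["mfa", "pwd"]}
CONTRACTOR_HOME = {"email": "dev@contractor.example", "ip": "198.51.100.5",
                   "country_code": "DE", "amr": ["mfa"]}
FORMER_EMPLOYEE = {"email": "former.employee@contractor.example",
                   "ip": "203.0.113.9", "country_code": "DE", "amr": ["mfa"]}
CI_RUNNER = {"service_token_id": "tok-ci-0000"}
STAFF_USER = {"email": "a@corp.example", "groups": ["grp-staff-0000"],
              "country_code": "DE"}
STAFF_FROM_XX = {"email": "a@corp.example", "groups": ["grp-staff-0000"],
                 "country_code": "XX"}

if __name__ == "__main__":
    for label, ctx in [("contractor office", CONTRACTOR_OFFICE),
                       ("contractor home", CONTRACTOR_HOME),
                       ("former employee", FORMER_EMPLOYEE),
                       ("ci runner", CI_RUNNER), ("staff", STAFF_USER),
                       ("staff from XX", STAFF_FROM_XX)]:
        print(f"{label:18} -> {decide(POLICIES, ctx)}")
```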
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If `false`, propagates DELETE requests to the target application for SCIM resources. If `true`, sets `active` to `false` on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
          - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
    - `id: optional string` UUID.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
    - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
      - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
        - `friendly_name: optional string` The SAML FriendlyName of the attribute.
        - `name: optional string` The name of the attribute.
        - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: optional boolean` If the attribute is required when building a SAML assertion.
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP attribute.
          - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
            - `idp_id: optional string` The UID of the IdP.
            - `source_name: optional string` The name of the IdP-provided attribute.
      - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: optional string` The unique identifier for your SaaS application.
      - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
      - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
      - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: optional boolean` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url: optional string` The URL where this application's tile redirects users.
      - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: optional string` The application client ID.
      - `client_secret: optional string` The application client secret, only returned on POST request.
      - `custom_claims: optional array of { name, required, scope, source }`
        - `name: optional string` The name of the claim.
        - `required: optional boolean` If the claim is required when building an OIDC token.
        - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP claim.
          - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
      - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
        - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: optional array of string` The permitted URLs to which Cloudflare returns authorization codes and Access/ID tokens.
      - `refresh_token_options: optional { lifetime }`
        - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. "strict" removes unknown values, while "passthrough" passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `BrowserSSHApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. 
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iframe.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support a subdomain and path. The wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
    'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure-type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication { type, id, allowed_idps, 15 more }` - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color: optional string` The background color of the App Launcher page. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links: optional array of { name, url }` The links in the App Launcher footer. 
- `name: string` The hypertext in the footer link. - `url: string` the hyperlink in the footer link. - `header_bg_color: optional string` The background color of the App Launcher header. - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in. - `button_color: optional string` The background color of the log in button on the landing page. - `button_text_color: optional string` The color of the text in the log in button on the landing page. - `image_url: optional string` The URL of the image shown on the landing page. - `message: optional string` The message shown on the landing page. - `title: optional string` The title shown on the landing page. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be enabled for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: optional boolean` Determines whether to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application because they failed identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application because they failed non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be enabled for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application because they failed identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application because they failed non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be enabled for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application because they failed identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application because they failed non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The proxy endpoint domain, in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `BookmarkApplication { id, app_launcher_visible, aud, 6 more }`
    - `id: optional string` UUID.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `domain: optional string` The URL or domain of the bookmark.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `type: optional ApplicationType` The application type.
  - `InfrastructureApplication { target_criteria, type, id, 3 more }`
    - `target_criteria: array of { port, protocol, target_attributes }`
      - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
      - `protocol: "SSH"` The communication protocol your application secures.
        - `"SSH"`
      - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `aud: optional string` Audience tag.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, connection_rules, created_at, 6 more }`
      - `id: optional string` The UUID of the policy.
      - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
        - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
          - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
          - `allow_email_alias: optional boolean` Enables using the Identity Provider email alias as the SSH username.
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `name: optional string` The name of the Access policy.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `updated_at: optional string`
  - `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `target_criteria: array of { port, protocol, target_attributes }`
      - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
      - `protocol: "RDP"` The communication protocol your application secures.
        - `"RDP"`
      - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: optional CORSHeaders`
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers.
    The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines whether users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway.
    The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure.
      Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application.
    Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
      'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. 
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. 
- `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. 
- `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. 
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
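An added example, not Cloudflare's code or SDK, that implements the policy semantics the field descriptions above spell out: `include` rules evaluated as OR, `require` as AND, `exclude` as NOT, policies run in `precedence` order with the first match deciding, plus the two duration formats (`session_duration` in Go style, `mfa_config.session_duration` in whole minutes or hours up to 720h). Rule-body keys other than `group.id`, the login-context keys and the deny-by-default outcome when nothing matches are assumptions made here.

```python
"""Added example (not Cloudflare's code): validate the duration fields of a set
of Access policies and evaluate them against a constructed login context, using
the semantics in the field descriptions above: include = OR, require = AND,
exclude = NOT, policies run in precedence order and the first match decides.
Assumed, not from this page: rule-body keys other than group.id, the context
keys, and the outcome when no policy matches (treated as deny here)."""
import ipaddress
import re
from typing import List, Optional, Tuple

# Go-style durations used by session_duration / access_token_lifetime.
_NS = {"ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6,
       "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_go_duration(text: str) -> int:
    """Return the duration in nanoseconds; raise ValueError on malformed input."""
    parts = _PART.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration: {text!r}")
    return int(sum(float(n) * _NS[u] for n, u in parts))


def valid_mfa_session_duration(text: str) -> bool:
    """mfa_config.session_duration: whole minutes or hours only, 0m..720h."""
    m = re.fullmatch(r"(\d+)([mh])", text)
    if not m:
        return False
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return minutes <= 720 * 60


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Evaluate one AccessRule object (keyed by rule type) against the context."""
    email = ctx.get("email", "").lower()
    if "everyone" in rule:
        return True
    if "email" in rule:
        return email == rule["email"]["email"].lower()
    if "email_domain" in rule:
        return email.endswith("@" + rule["email_domain"]["domain"].lower())
    if "geo" in rule:
        return ctx.get("country") == rule["geo"]["country_code"]
    if "ip" in rule:
        net = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        return "ip" in ctx and ipaddress.ip_address(ctx["ip"]) in net
    if "group" in rule:
        return rule["group"]["id"] in ctx.get("groups", ())
    if "service_token" in rule:
        return ctx.get("service_token_id") == rule["service_token"]["token_id"]
    raise ValueError(f"unsupported rule type: {list(rule)}")


def policy_matches(policy: dict, ctx: dict) -> bool:
    """include: at least one rule (OR); require: all rules (AND); exclude: none (NOT)."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False
    if not all(rule_matches(r, ctx) for r in policy.get("require", [])):
        return False
    return not any(rule_matches(r, ctx) for r in policy.get("exclude", []))


def validate_policies(policies: List[dict]) -> List[str]:
    """Report the constraints the docs state: unique precedence, Go-style
    session_duration, and minute/hour-only MFA session_duration."""
    problems, seen = [], set()
    for p in policies:
        name, prec = p.get("name", "<unnamed>"), p["precedence"]
        if prec in seen:
            problems.append(f"{name}: precedence {prec} is not unique")
        seen.add(prec)
        if "session_duration" in p:
            try:
                parse_go_duration(p["session_duration"])
            except ValueError as exc:
                problems.append(f"{name}: {exc}")
        mfa = p.get("mfa_config", {}).get("session_duration")
        if mfa is not None and not valid_mfa_session_duration(mfa):
            problems.append(f"{name}: bad mfa session_duration {mfa!r}")
    return problems


def evaluate(policies: List[dict], ctx: dict) -> Tuple[str, Optional[str]]:
    """Return (decision, policy name) for the first match in precedence order."""
    for p in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(p, ctx):
            return p["decision"], p["name"]
    return "deny", None  # no match: denied (assumed default, see docstring)


# Constructed sample policies for one application; IDs and ranges are made up.
SAMPLE_POLICIES = [
    {"name": "Block embargoed region", "precedence": 1, "decision": "deny",
     "include": [{"geo": {"country_code": "ZZ"}}]},
    {"name": "Engineering from corp egress", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}, {"group": {"id": "grp-eng-0001"}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}],
     "session_duration": "2h45m", "mfa_config": {"session_duration": "24h"}},
    {"name": "CI pipeline token", "precedence": 3, "decision": "non_identity",
     "include": [{"service_token": {"token_id": "tok-ci-0001"}}]},
]
```

Note that `evaluate` stops at the first matching policy, so a `deny` placed at a lower precedence number wins over a later `allow`, which is why ordering is part of the policy's meaning and not just presentation.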
### Application Get Response - `ApplicationGetResponse = { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more` - `SelfHostedApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. 
- `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of AllowedOrigins` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. 
- `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the application. 
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
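The duration fields on this page use two different formats: the application, policy and OAuth grant durations take Go-style strings such as `300ms` or `2h45m` (units ns, us/µs, ms, s, m, h), while `mfa_config.session_duration` accepts only whole minutes or hours between `0m` and `720h`. A configuration that mixes them up is rejected by the API, so it is worth validating before a deploy. The following is an added example, not Cloudflare's code or SDK: it parses both formats and lints an application object shaped like the one described here. The sample application and its field values are constructed; treating the MFA value as a single `<number><unit>` component (the page's examples are `5m` and `24h`) is an assumption.

```python
import re
from fractions import Fraction

# Units of the Go-style duration fields on this page (session_duration,
# oauth_configuration.grant.access_token_lifetime, grant.session_duration),
# expressed in nanoseconds.
_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,  # micro sign, listed on the page as an alias of "us"
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# One <number><unit> component; multi-letter units are tried before "s"/"m"/"h".
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
# mfa_config.session_duration: assumption, a single whole-number component in m or h.
_MFA_DURATION = re.compile(r"(\d+)([mh])")
MFA_MAX_NS = 720 * _UNIT_NS["h"]  # 720h = 30 days, the documented maximum


def parse_duration(value) -> int:
    """Parse a Go-style duration ('300ms', '2h45m', '1.5s') into nanoseconds.
    Raises ValueError for anything that is not a run of <number><unit> components."""
    if not isinstance(value, str) or not value or value != value.strip():
        raise ValueError(f"invalid duration {value!r}")
    pos, total = 0, Fraction(0)
    while pos < len(value):
        m = _COMPONENT.match(value, pos)
        if m is None:
            raise ValueError(f"invalid duration {value!r} at offset {pos}")
        total += Fraction(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    return int(total)


def mfa_session_duration_ok(value) -> bool:
    """True if value is <n>m or <n>h and does not exceed 720h (0m is allowed)."""
    if not isinstance(value, str):
        return False
    m = _MFA_DURATION.fullmatch(value)
    return m is not None and int(m.group(1)) * _UNIT_NS[m.group(2)] <= MFA_MAX_NS


def lint_durations(app: dict) -> list:
    """Return a list of problems found in the duration fields of an Access
    application object shaped like the one described on this page."""
    problems = []

    def go_style(path, value):
        try:
            parse_duration(value)
        except ValueError as exc:
            problems.append(f"{path}: {exc}")

    def mfa_style(path, value):
        if not mfa_session_duration_ok(value):
            problems.append(f"{path}: must be <n>m or <n>h, at most 720h, got {value!r}")

    if "session_duration" in app:
        go_style("session_duration", app["session_duration"])
    grant = app.get("oauth_configuration", {}).get("grant", {})
    for key in ("access_token_lifetime", "session_duration"):
        if key in grant:
            go_style(f"oauth_configuration.grant.{key}", grant[key])
    if "session_duration" in app.get("mfa_config", {}):
        mfa_style("mfa_config.session_duration", app["mfa_config"]["session_duration"])
    for i, policy in enumerate(app.get("policies", [])):
        if "session_duration" in policy:
            go_style(f"policies[{i}].session_duration", policy["session_duration"])
        if "session_duration" in policy.get("mfa_config", {}):
            mfa_style(f"policies[{i}].mfa_config.session_duration",
                      policy["mfa_config"]["session_duration"])
    return problems


# Constructed sample application; none of these values come from a real account.
SAMPLE_APP = {
    "name": "example-app",
    "session_duration": "24h",
    "mfa_config": {"session_duration": "12h"},
    "oauth_configuration": {
        "grant": {"access_token_lifetime": "15m", "session_duration": "2h45m"}
    },
    "policies": [
        {"name": "ok", "session_duration": "300ms", "mfa_config": {"session_duration": "5m"}},
        {"name": "bad", "session_duration": "2 hours", "mfa_config": {"session_duration": "721h"}},
    ],
}

if __name__ == "__main__":
    for problem in lint_durations(SAMPLE_APP):
        print(problem)
```

Running it on `SAMPLE_APP` reports the two defects in the second policy (`2 hours` is not a Go-style duration, `721h` exceeds the MFA maximum) and accepts everything else. `Fraction` is used instead of `float` so that fractional components such as `1.5s` convert to an exact integer nanosecond count.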
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `"allow"`
      - `"deny"`
      - `"non_identity"`
      - `"bypass"`
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
        - `group: { id }`
          - `id: string` The ID of a previously created Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `any_valid_service_token: { }` An empty object which matches on all service tokens.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `auth_context: { id, ac_id, identity_provider_id }`
          - `id: string` The ID of an Authentication context.
          - `ac_id: string` The ACID of an Authentication context.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `auth_method: { auth_method }`
          - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `azureAD: { id, identity_provider_id }`
          - `id: string` The ID of an Azure group.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
        - `certificate: { }`
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `common_name: { common_name }`
          - `common_name: string` The common name to match.
      - `CountryRule { geo }` Matches a specific country.
        - `geo: { country_code }`
          - `country_code: string` The country code that should be matched.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `device_posture: { integration_uid }`
          - `integration_uid: string` The ID of a device posture integration.
      - `DomainRule { email_domain }` Matches an entire email domain.
        - `email_domain: { domain }`
          - `domain: string` The email domain to match.
      - `EmailListRule { email_list }` Matches an email address from a list.
        - `email_list: { id }`
          - `id: string` The ID of a previously created email list.
      - `EmailRule { email }` Matches a specific email.
        - `email: { email }`
          - `email: string` The email of the user.
      - `EveryoneRule { everyone }` Matches everyone.
        - `everyone: { }` An empty object which matches on all users.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `external_evaluation: { evaluate_url, keys_url }`
          - `evaluate_url: string` The API endpoint containing your business logic.
          - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `"github-organization": { identity_provider_id, name, team }`
          - `identity_provider_id: string` The ID of your GitHub identity provider.
          - `name: string` The name of the organization.
          - `team: optional string` The name of the team.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `gsuite: { email, identity_provider_id }`
          - `email: string` The email of the Google Workspace group.
          - `identity_provider_id: string` The ID of your Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `login_method: { id }`
          - `id: string` The ID of an identity provider.
      - `IPListRule { ip_list }` Matches an IP address from a list.
        - `ip_list: { id }`
          - `id: string` The ID of a previously created IP list.
      - `IPRule { ip }` Matches an IP address block.
        - `ip: { ip }`
          - `ip: string` An IPv4 or IPv6 CIDR block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `okta: { identity_provider_id, name }`
          - `identity_provider_id: string` The ID of your Okta identity provider.
          - `name: string` The name of the Okta group.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `saml: { attribute_name, attribute_value, identity_provider_id }`
          - `attribute_name: string` The name of the SAML attribute.
          - `attribute_value: string` The SAML attribute value to look for.
          - `identity_provider_id: string` The ID of your SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `oidc: { claim_name, claim_value, identity_provider_id }`
          - `claim_name: string` The name of the OIDC claim.
          - `claim_value: string` The OIDC claim value to look for.
          - `identity_provider_id: string` The ID of your OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `service_token: { token_id }`
          - `token_id: string` The ID of a Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `linked_app_token: { app_uid }`
          - `app_uid: string` The ID of an Access OIDC SaaS application.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `user_risk_score: { user_risk_score }`
          - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
            - `"low"`
            - `"medium"`
            - `"high"`
            - `"unscored"`
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: string` Password used to authenticate with the remote SCIM service.
        - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: string` User name used to authenticate with the remote SCIM service.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: string` URL used to generate the auth code used during token generation.
        - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
        - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
        - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
    - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
      - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset.
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
        - `friendly_name: optional string` The SAML FriendlyName of the attribute.
        - `name: optional string` The name of the attribute.
        - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: optional boolean` If the attribute is required when building a SAML assertion.
- `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP attribute. - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name. - `idp_id: optional string` The UID of the IdP. - `source_name: optional string` The name of the IdP provided attribute. - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `idp_entity_id: optional string` The unique identifier for your SaaS application. - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: optional string` A [JSONata] (https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: optional string` A globally unique name for an identity or service provider. - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }` - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. 
Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: optional boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `app_launcher_url: optional string` The URL where this applications tile redirects users - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the saas app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: optional string` The application client id - `client_secret: optional string` The application client secret, only returned on POST request. - `custom_claims: optional array of { name, required, scope, source }` - `name: optional string` The name of the claim. - `required: optional boolean` If the claim is required when building an OIDC token. - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP claim. - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name. 
- `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }` - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `redirect_uris: optional array of string` The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens - `refresh_token_options: optional { lifetime }` - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with access, "offline_access" scope will be automatically enabled if refresh tokens are enabled - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. 
- `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `BrowserSSHApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. 
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed HTTP in a single header with this name. 
This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. 
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
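The policy fields above state how Access combines rules (`include` is OR, `exclude` is NOT, `require` is AND, `precedence` is the order of execution) and the `300ms` / `2h45m` duration format used by `session_duration`. The following is an added example, not Cloudflare's code, that evaluates a constructed set of policies offline with exactly those semantics so a reviewer can reason about what a policy set will do before it is pushed. The JSON shapes of the rules (`{"email": {"email": ...}}`, `{"email_domain": {"domain": ...}}`, `{"ip": {"ip": ...}}`, `{"group": {"id": ...}}`), the first-matching-policy model and the default deny when no policy matches are assumptions made for the example:

```python
# Added example (not Cloudflare code): offline evaluator for Access policy
# rule semantics and a checker for the documented duration format.
# Rule JSON shapes, first-match-by-precedence and default deny are assumptions.
import re
from ipaddress import ip_address, ip_network

# One or more <integer><unit> groups; units are those listed for session_duration.
_DURATION_RE = re.compile(r"(?:\d+(?:ns|us|µs|ms|s|m|h))+")


def valid_duration(value: str) -> bool:
    """True if value matches the documented `300ms` / `2h45m` format."""
    return bool(_DURATION_RE.fullmatch(value))


def rule_matches(rule: dict, identity: dict) -> bool:
    """Evaluate one AccessRule against an identity (assumed rule shapes)."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return identity.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        domain = identity.get("email", "").rsplit("@", 1)[-1].lower()
        return domain == rule["email_domain"]["domain"].lower()
    if "group" in rule:
        return rule["group"]["id"] in identity.get("groups", [])
    if "ip" in rule:
        # Single IPs in the rule are treated as /32 (strict=False tolerates host bits).
        return ip_address(identity["ip"]) in ip_network(rule["ip"]["ip"], strict=False)
    if "any_valid_service_token" in rule:
        return bool(identity.get("service_token"))
    raise ValueError(f"unsupported rule type: {sorted(rule)}")


def policy_matches(policy: dict, identity: dict) -> bool:
    """include = OR, exclude = NOT, require = AND (vacuously true when empty)."""
    include = policy.get("include", [])
    exclude = policy.get("exclude", [])
    require = policy.get("require", [])
    return (
        any(rule_matches(r, identity) for r in include)
        and not any(rule_matches(r, identity) for r in exclude)
        and all(rule_matches(r, identity) for r in require)
    )


def duplicate_precedences(policies: list) -> list:
    """Return precedence values used by more than one policy (must be unique per app)."""
    seen, dupes = set(), []
    for policy in policies:
        prec = policy.get("precedence")
        if prec in seen and prec not in dupes:
            dupes.append(prec)
        seen.add(prec)
    return dupes


def evaluate(policies: list, identity: dict) -> tuple:
    """Return (decision, policy name) for the first matching policy by precedence,
    or ("deny", None) when nothing matches (assumed default)."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"], policy["name"]
    return "deny", None


# Constructed sample policies: block one domain first, then allow staff only from
# the corporate range and never when they are in a "suspended-users" group.
SAMPLE_POLICIES = [
    {"name": "Block contractors", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}]},
    {"name": "Staff from corp network", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"ip": {"ip": "10.0.0.0/8"}}],
     "exclude": [{"group": {"id": "suspended-users"}}]},
]

if __name__ == "__main__":
    for who in ({"email": "alice@example.com", "ip": "10.1.2.3"},
                {"email": "bob@example.com", "ip": "203.0.113.5"},
                {"email": "carol@contractor.example", "ip": "10.0.0.1"}):
        print(who["email"], "->", evaluate(SAMPLE_POLICIES, who))
    print("duplicate precedences:", duplicate_precedences(SAMPLE_POLICIES))
    print("2h45m valid:", valid_duration("2h45m"), "| 1d valid:", valid_duration("1d"))
```

The `require` list being vacuously true when empty is the reason a policy with only an `include` of `EveryoneRule` grants access to anyone who can authenticate; checking `duplicate_precedences` before submitting mirrors the "must be unique for each policy within an app" constraint so the API does not reject the update.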
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, id, allowed_idps, 15 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the log in button on the landing page.
    - `button_text_color: optional string` The color of the text in the log in button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page. - `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
- `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. 
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. 
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. 
This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: optional string` The name of the application. 
- `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication { id, app_launcher_visible, aud, 6 more }` - `id: optional string` UUID. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `domain: optional string` The URL or domain of the bookmark. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. 
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. 
- `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `InfrastructureApplication { target_criteria, type, id, 3 more }` - `target_criteria: array of { port, protocol, target_attributes }` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: optional string` UUID. - `aud: optional string` Audience tag. 
- `name: optional string` The name of the application. - `policies: optional array of { id, connection_rules, created_at, 6 more }` - `id: optional string` The UUID of the policy - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application. - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias: optional boolean` Enables using Identity Provider email alias as SSH username. - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `name: optional string` The name of the Access policy. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
- `updated_at: optional string` - `BrowserRDPApplication { domain, target_criteria, type, 31 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: array of { port, protocol, target_attributes }` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
- `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. 
- `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. 
- `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. 
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces a specific MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be enabled for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces a specific MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list.
- `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers.
The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased protection against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (or list of schemes) used when making SCIM requests to this application; one of the following. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure-type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway.
The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application. - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure.
Public destinations support subdomains and paths. The wildcard `*` can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server ID configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases protection against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application.
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access.
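With dynamic client registration enabled, the redirect-URI rules above (`allowed_uris` must be `https`, a trailing `/*` matches sub-paths, and the two loopback flags waive the check for `localhost` and `127.0.0.1`) are what stop an authorization code from being delivered to an attacker-controlled endpoint. The following Python is an added example, not Cloudflare's implementation: it applies those rules to candidate redirect URIs. The configuration is constructed; comparing host and port exactly, treating `/*` as "same path prefix including the trailing slash", and rejecting URIs with a fragment are assumptions of the example.

```python
from urllib.parse import urlsplit

# Constructed dynamic_client_registration object in the shape of the schema above.
EXAMPLE_DCR = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": [
        "https://app.example.com/callback",
        "https://ide.example.com/oauth/*",
    ],
}


def _split(uri):
    """Return (scheme, host, port, path, query), or None if the URI is unusable."""
    parts = urlsplit(uri)
    if parts.fragment:            # RFC 6749 section 3.1.2: no fragment in a redirect URI
        return None
    try:
        port = parts.port         # raises ValueError on a malformed port
    except ValueError:
        return None
    if not parts.hostname:
        return None
    return parts.scheme.lower(), parts.hostname, port, parts.path or "/", parts.query


def redirect_uri_allowed(uri, dcr):
    """Decide whether a dynamically registering client may use `uri` as a redirect URI.

    localhost and 127.0.0.1 are accepted wholesale when the matching flag is set;
    anything else must be https and either equal an allowed_uris entry (path and
    query) or sit under an entry ending in "/*". Exact host+port comparison and
    reading "/*" as "same prefix including the trailing slash" are assumptions.
    """
    if not dcr.get("enabled"):
        return False
    parsed = _split(uri)
    if parsed is None:
        return False
    scheme, host, port, path, query = parsed
    if host == "localhost":
        return bool(dcr.get("allow_any_on_localhost"))
    if host == "127.0.0.1":
        return bool(dcr.get("allow_any_on_loopback"))
    if scheme != "https":
        return False
    for allowed in dcr.get("allowed_uris", []):
        entry = _split(allowed)
        if entry is None or entry[0] != "https":   # skip entries violating the https rule
            continue
        _, a_host, a_port, a_path, a_query = entry
        if (a_host, a_port) != (host, port):      # exact match, never a suffix match
            continue
        if a_path.endswith("/*"):
            if path.startswith(a_path[:-1]):      # "/oauth/*" -> prefix "/oauth/"
                return True
        elif (a_path, a_query) == (path, query):
            return True
    return False


if __name__ == "__main__":
    for candidate in [
        "https://app.example.com/callback",
        "https://app.example.com.evil.tld/callback",
        "https://ide.example.com/oauth/done",
        "https://ide.example.com/oauthx",
        "http://localhost:3000/cb",
        "http://127.0.0.1:3000/cb",
    ]:
        print(f"{candidate:45} {redirect_uri_allowed(candidate, EXAMPLE_DCR)}")
```

The two things worth copying into any redirect-URI check are the anchored host comparison (a suffix or substring test lets `app.example.com.evil.tld` through) and the prefix test that keeps the trailing slash (so `/oauth/*` cannot match `/oauthx`). The loopback flags exist for desktop and CLI clients that open a local listener; leave them off for an application that only serves browser-based clients.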
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces a specific MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforces a specific MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
Client Web Isolation must be enabled for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces a specific MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased protection against CSRF attacks.
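The `include`, `exclude` and `require` descriptions above fix the boolean shape of a policy (OR, NOT, AND respectively), and `precedence` fixes the order in which an application's policies are tried. The Python below is an added example, not part of this reference and not Cloudflare's evaluation code: it runs a constructed set of policies against constructed login contexts for a handful of the rule types listed. The inner field names of the rule bodies (`email_domain.domain`, `ip.ip`, `geo.country_code`, `auth_method.auth_method`, `device_posture.integration_uid`), first-match-wins ordering, and the implicit deny when no policy matches are assumptions of the example.

```python
import ipaddress

# Constructed sample policies in the shape of the `policies` array above.
EXAMPLE_POLICIES = [
    {"name": "block-contractors-offsite", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"ip": {"ip": "203.0.113.0/24"}}]},   # constructed office egress range
    {"name": "staff-mfa", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"email_domain": {"domain": "contractor.example"}}],
     "require": [{"auth_method": {"auth_method": "mfa"}},
                 {"device_posture": {"integration_uid": "posture-disk-encryption"}}],
     "exclude": [{"geo": {"country_code": "KP"}}]},
    {"name": "ci-service-token", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
]


def rule_matches(rule, ctx):
    """Evaluate one AccessRule against a login context dict.

    ctx keys (constructed for this example): email, ip, country, amr (authentication
    methods used), posture_passed (set of posture integration UIDs), service_token_valid.
    Rule body field names are assumptions; the reference lists only the wrapper names.
    """
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        domain = ctx.get("email", "").lower().rpartition("@")[2]
        return domain != "" and domain == body["domain"].lower()
    if kind == "ip":
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    if kind == "auth_method":
        return body["auth_method"] in ctx.get("amr", ())
    if kind == "device_posture":
        return body["integration_uid"] in ctx.get("posture_passed", ())
    if kind == "any_valid_service_token":
        return bool(ctx.get("service_token_valid"))
    raise NotImplementedError(f"rule type {kind!r} is not implemented in this example")


def policy_matches(policy, ctx):
    """include = OR, exclude = NOT, require = AND, as the reference states.
    An empty include list matches nobody, so a policy fails closed."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return all(rule_matches(r, ctx) for r in policy.get("require", []))


def evaluate(policies, ctx):
    """Try policies in ascending precedence and return (decision, policy name) of the
    first match. First-match-wins and deny-when-nothing-matches are assumptions of
    this example, not statements from the reference."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"], policy["name"]
    return "deny", None


# Constructed login contexts.
STAFF_OK = {"email": "alice@example.com", "ip": "198.51.100.7", "country": "DE",
            "amr": ["pwd", "mfa"], "posture_passed": {"posture-disk-encryption"}}
STAFF_NO_MFA = dict(STAFF_OK, amr=["pwd"])
CONTRACTOR_OFFSITE = dict(STAFF_OK, email="bob@contractor.example")
CONTRACTOR_ONSITE = dict(CONTRACTOR_OFFSITE, ip="203.0.113.9")
CI_TOKEN = {"ip": "198.51.100.40", "service_token_valid": True}

if __name__ == "__main__":
    for label, ctx in [("staff ok", STAFF_OK), ("staff no mfa", STAFF_NO_MFA),
                       ("contractor offsite", CONTRACTOR_OFFSITE),
                       ("contractor onsite", CONTRACTOR_ONSITE), ("ci token", CI_TOKEN)]:
        print(f"{label:20} -> {evaluate(EXAMPLE_POLICIES, ctx)}")
```

Two properties of this structure are worth checking in a real configuration: a deny policy with a low precedence number is only useful if it actually sits before the allow policy it is meant to pre-empt, and an `include` list that is accidentally empty matches nobody rather than everybody, so a policy that "stopped working" is often one whose include rules were removed.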
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (or list of schemes) used when making SCIM requests to this application; one of the following. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to.
- `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. 
- `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. 
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
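The `policies` array above documents three rule lists per policy with distinct semantics: `include` is evaluated with OR, `require` with AND, and `exclude` with NOT, and policies carry a unique `precedence`. The following Python is an added illustration of those stated semantics, not Cloudflare's code: it evaluates a constructed set of policies in the shape of the `policies` array against a hypothetical `Identity` context, assumes that the first matching policy in `precedence` order supplies the `decision` and that no match yields no decision, and covers only a subset of the documented `AccessRule` types.

```python
"""Illustrative evaluator for Access-style policy objects (not Cloudflare's implementation)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class Identity:
    """Hypothetical request context: what the evaluator knows about the requester."""
    email: str | None = None
    country_code: str | None = None
    ip: str | None = None
    group_ids: set[str] = field(default_factory=set)
    auth_methods: set[str] = field(default_factory=set)  # RFC 8176 amr values, e.g. "mfa"
    risk_score: str = "unscored"                         # low | medium | high | unscored
    valid_service_token: bool = False


def rule_matches(rule: dict, ident: Identity) -> bool:
    """Match one AccessRule object, the single-key form documented on this page."""
    (kind, spec), = rule.items()  # every AccessRule has exactly one top-level key
    if kind == "everyone":
        return True
    if kind == "email":
        return ident.email is not None and ident.email.lower() == spec["email"].lower()
    if kind == "email_domain":
        return ident.email is not None and ident.email.lower().endswith("@" + spec["domain"].lower())
    if kind == "geo":
        return ident.country_code == spec["country_code"]
    if kind == "ip":
        # IPv4 vs IPv6 mismatch never matches; 'strict=False' accepts host bits in the block.
        return ident.ip is not None and ipaddress.ip_address(ident.ip) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "group":
        return spec["id"] in ident.group_ids
    if kind == "auth_method":
        return spec["auth_method"] in ident.auth_methods
    if kind == "any_valid_service_token":
        return ident.valid_service_token
    if kind == "user_risk_score":
        return ident.risk_score in spec["user_risk_score"]
    raise ValueError(f"unsupported rule type in this example: {kind}")


def policy_matches(policy: dict, ident: Identity) -> bool:
    """include: OR, require: AND, exclude: NOT, as documented for each field."""
    if not any(rule_matches(r, ident) for r in policy.get("include", [])):
        return False  # must meet at least one Include rule
    if not all(rule_matches(r, ident) for r in policy.get("require", [])):
        return False  # must meet every Require rule
    if any(rule_matches(r, ident) for r in policy.get("exclude", [])):
        return False  # must meet none of the Exclude rules
    return True


def decide(policies: list[dict], ident: Identity) -> str | None:
    """Walk policies in precedence order. Assumption: first matching policy's decision wins;
    None means no policy matched (the caller treats that as no access granted)."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ident):
            return policy["decision"]
    return None


# Constructed sample policies, shaped like the `policies` array documented above.
POLICIES = [
    {"name": "block high-risk users", "precedence": 1, "decision": "deny",
     "include": [{"everyone": {}}],
     "require": [{"user_risk_score": {"user_risk_score": ["high"]}}]},
    {"name": "staff and contractors with MFA from the US", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"group": {"id": "group-contractors"}}],
     "require": [{"auth_method": {"auth_method": "mfa"}},
                 {"geo": {"country_code": "US"}}],
     "exclude": [{"email": {"email": "departed@example.com"}},
                 {"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "CI pipeline service token", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
]


if __name__ == "__main__":
    alice = Identity(email="alice@example.com", country_code="US", ip="198.51.100.7",
                     auth_methods={"mfa"}, risk_score="low")
    print("alice ->", decide(POLICIES, alice))                     # allow
    print("alice (high risk) ->", decide(POLICIES, Identity(
        email="alice@example.com", country_code="US", ip="198.51.100.7",
        auth_methods={"mfa"}, risk_score="high")))                  # deny
    print("service token ->", decide(POLICIES, Identity(valid_service_token=True)))  # non_identity
```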
### Application Create Response - `ApplicationCreateResponse = { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more` - `SelfHostedApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. 
- `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of AllowedOrigins` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. 
- `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the application. 
- `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. 
- `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. 
        - `email: { email }`
          - `email: string` The email of the user.
      - `EveryoneRule { everyone }` Matches everyone.
        - `everyone: { }` An empty object which matches on all users.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `external_evaluation: { evaluate_url, keys_url }`
          - `evaluate_url: string` The API endpoint containing your business logic.
          - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `"github-organization": { identity_provider_id, name, team }`
          - `identity_provider_id: string` The ID of your GitHub identity provider.
          - `name: string` The name of the organization.
          - `team: optional string` The name of the team.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `gsuite: { email, identity_provider_id }`
          - `email: string` The email of the Google Workspace group.
          - `identity_provider_id: string` The ID of your Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `login_method: { id }`
          - `id: string` The ID of an identity provider.
      - `IPListRule { ip_list }` Matches an IP address from a list.
        - `ip_list: { id }`
          - `id: string` The ID of a previously created IP list.
      - `IPRule { ip }` Matches an IP address block.
        - `ip: { ip }`
          - `ip: string` An IPv4 or IPv6 CIDR block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `okta: { identity_provider_id, name }`
          - `identity_provider_id: string` The ID of your Okta identity provider.
          - `name: string` The name of the Okta group.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `saml: { attribute_name, attribute_value, identity_provider_id }`
          - `attribute_name: string` The name of the SAML attribute.
          - `attribute_value: string` The SAML attribute value to look for.
          - `identity_provider_id: string` The ID of your SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `oidc: { claim_name, claim_value, identity_provider_id }`
          - `claim_name: string` The name of the OIDC claim.
          - `claim_value: string` The OIDC claim value to look for.
          - `identity_provider_id: string` The ID of your OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `service_token: { token_id }`
          - `token_id: string` The ID of a Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `linked_app_token: { app_uid }`
          - `app_uid: string` The ID of an Access OIDC SaaS application.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `user_risk_score: { user_risk_score }`
          - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
            - `"low"`
            - `"medium"`
            - `"high"`
            - `"unscored"`
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`.
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: string` Password used to authenticate with the remote SCIM service.
        - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: string` User name used to authenticate with the remote SCIM service.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: string` URL used to generate the auth code used during token generation.
        - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
        - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
        - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
    - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
      - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
        - `friendly_name: optional string` The SAML FriendlyName of the attribute.
        - `name: optional string` The name of the attribute.
        - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: optional boolean` If the attribute is required when building a SAML assertion.
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP attribute.
          - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
            - `idp_id: optional string` The UID of the IdP.
            - `source_name: optional string` The name of the IdP-provided attribute.
      - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: optional string` The unique identifier for your SaaS application.
      - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
      - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
      - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: optional boolean` If a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url: optional string` The URL where this application's tile redirects users.
      - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: optional string` The application client ID.
      - `client_secret: optional string` The application client secret, only returned on POST request.
      - `custom_claims: optional array of { name, required, scope, source }`
        - `name: optional string` The name of the claim.
        - `required: optional boolean` If the claim is required when building an OIDC token.
        - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP claim.
          - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
- `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }` - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `redirect_uris: optional array of string` The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens - `refresh_token_options: optional { lifetime }` - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with access, "offline_access" scope will be automatically enabled if refresh tokens are enabled - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. 
- `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `BrowserSSHApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. 
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed HTTP in a single header with this name. 
This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. 
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in AI Controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server ID configured in AI Controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
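The `destinations` rules above (wildcards in public URIs, a bare IP in `cidr` computed as /32, omitted `l4_protocol`, `port_range` and `vnet_id` matching everything, and `self_hosted_domains` ignored once `destinations` is set) are easy to get wrong when an application body is written by hand. The following Python is an added example, not Cloudflare's code or its matching engine: it models those documented rules locally so a destination list can be checked against sample requests before it is pushed. The `*` expansion and the exact-path rule for public URIs are assumptions for planning only, and the application body is constructed.

```python
"""Local model of the `destinations` matching rules (added example, not Cloudflare code)."""
import ipaddress
import re
from typing import Optional


def _wildcard(pattern: str):
    # Assumption: '*' matches any run of characters (including '/'); all other
    # characters are literal; host and path comparison ignore case.
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$", re.IGNORECASE)


def public_matches(dest: dict, host: str, path: str = "/") -> bool:
    """PublicDestination: `uri` is host[/path], either part may use '*'.
    Assumption: a uri without a path component covers every path."""
    host_pat, _, path_pat = dest["uri"].partition("/")
    if not _wildcard(host_pat).match(host):
        return False
    return path_pat == "" or _wildcard("/" + path_pat).match(path) is not None


def _port_in_range(port: int, port_range: Optional[str]) -> bool:
    if port_range is None:                      # omitted -> all ports match
        return True
    lo, _, hi = port_range.partition("-")       # "443" or "5900-5999"
    return int(lo) <= port <= int(hi or lo)


def private_matches(dest: dict, ip: str, port: int, proto: str,
                    sni: Optional[str] = None, vnet_id: Optional[str] = None) -> bool:
    """PrivateDestination: every omitted field matches everything; a bare IP in
    `cidr` is computed as /32 (ip_network does exactly that for "10.10.0.5")."""
    if "cidr" in dest:
        net = ipaddress.ip_network(dest["cidr"], strict=False)
        if ipaddress.ip_address(ip) not in net:
            return False
    if "hostname" in dest and (sni is None or sni.lower() != dest["hostname"].lower()):
        return False
    if "l4_protocol" in dest and dest["l4_protocol"] != proto:
        return False
    if not _port_in_range(port, dest.get("port_range")):
        return False
    if "vnet_id" in dest and dest["vnet_id"] != vnet_id:
        return False
    return True


def effective_destinations(app: dict) -> list:
    """`destinations` supersedes `self_hosted_domains`: when present, the legacy
    list is ignored; otherwise each legacy domain becomes a public destination."""
    if app.get("destinations"):
        return list(app["destinations"])
    return [{"type": "public", "uri": d} for d in app.get("self_hosted_domains", [])]


def request_covered(app: dict, **req) -> bool:
    """True if any destination of `app` covers the request. Public requests pass
    host/path; private ones pass ip/port/proto and optionally sni/vnet_id."""
    for dest in effective_destinations(app):
        kind = dest.get("type") or ("public" if "uri" in dest else "private")
        if kind == "public" and "host" in req:
            if public_matches(dest, req["host"], req.get("path", "/")):
                return True
        elif kind == "private" and "ip" in req:
            if private_matches(dest, req["ip"], req["port"], req["proto"],
                               req.get("sni"), req.get("vnet_id")):
                return True
    return False


# Constructed sample application body (not a real account's configuration).
EXAMPLE_APP = {
    "self_hosted_domains": ["legacy.example.com"],   # ignored: destinations is set
    "destinations": [
        {"type": "public", "uri": "app.example.com/api/*"},
        {"type": "public", "uri": "*.internal.example.com"},
        {"type": "private", "cidr": "10.10.0.5", "port_range": "443"},
        {"type": "private", "cidr": "10.20.0.0/16", "l4_protocol": "tcp",
         "port_range": "5900-5999", "hostname": "vnc.corp.internal"},
    ],
}

if __name__ == "__main__":
    print(request_covered(EXAMPLE_APP, host="app.example.com", path="/api/v1/users"))  # True
    print(request_covered(EXAMPLE_APP, host="legacy.example.com"))                    # False
    print(request_covered(EXAMPLE_APP, ip="10.10.0.5", port=443, proto="udp"))        # True
```

The second print is the point most often missed: once `destinations` is populated, a domain that only appears in `self_hosted_domains` is no longer protected by the application, so migrating a legacy app means moving every domain across, not adding a new list beside the old one.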
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
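Redirect URI validation is where OAuth authorization servers most often go wrong, so the `dynamic_client_registration` rules above (`https` only, a `/*` suffix to cover sub-paths, and exact `localhost` / `127.0.0.1` escape hatches) deserve a concrete check. The following Python is an added example and not Access's implementation: it models those documented rules for a single redirect URI and lints an `allowed_uris` list. The refusal of path traversal and of fragments comes from RFC 6749 practice and is a defensive addition, not behaviour the schema states; the configuration it checks is constructed.

```python
"""Model of the dynamic_client_registration redirect-URI rules (added example,
not Access's own code)."""
from urllib.parse import urlsplit


def _normalize(uri: str):
    p = urlsplit(uri)
    return (p.scheme.lower(), (p.hostname or "").lower(), p.port,
            p.path or "/", p.query, p.fragment)


def redirect_uri_allowed(dcr: dict, redirect_uri: str) -> bool:
    """Would this redirect URI be accepted under `dcr`?
    Rules modelled from the schema: localhost / 127.0.0.1 escape hatches match the
    host exactly (so "localhost.evil.example" is not localhost), everything else
    must be https and match an `allowed_uris` entry exactly or by `/*` prefix."""
    if not dcr.get("enabled", False):
        return False
    scheme, host, port, path, _query, fragment = _normalize(redirect_uri)
    if fragment:                              # RFC 6749 s3.1.2: no fragment in redirect URIs
        return False
    if host == "localhost" and dcr.get("allow_any_on_localhost"):
        return True
    if host == "127.0.0.1" and dcr.get("allow_any_on_loopback"):
        return True
    if scheme != "https":
        return False
    if ".." in path.split("/"):               # a prefix test alone would let /cb/../admin through
        return False
    for allowed in dcr.get("allowed_uris", []):
        a_scheme, a_host, a_port, a_path, _, _ = _normalize(allowed)
        if (a_scheme, a_host, a_port) != (scheme, host, port):
            continue
        if a_path.endswith("/*"):
            if path.startswith(a_path[:-1]):  # keep the trailing '/', so "/cb/*" != "/cbx"
                return True
        elif path == a_path:
            return True
    return False


def allowed_uris_problems(dcr: dict) -> list:
    """Lint an `allowed_uris` list against the schema text: https only, and the
    only wildcard form the field describes is a trailing `/*`."""
    problems = []
    for uri in dcr.get("allowed_uris", []):
        if urlsplit(uri).scheme.lower() != "https":
            problems.append(f"{uri}: must use the https protocol")
        if "*" in uri and not uri.endswith("/*"):
            problems.append(f"{uri}: wildcard is only allowed as a trailing /*")
    return problems


# Constructed sample (hypothetical hostnames, not a real configuration).
SAMPLE_DCR = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": ["https://app.example.com/oauth/callback",
                     "https://tools.example.com/cb/*"],
}

if __name__ == "__main__":
    for uri in ("https://tools.example.com/cb/anything?state=x",
                "https://tools.example.com/cb/../admin",
                "http://localhost:8080/cb",
                "http://localhost.evil.example/cb"):
        print(uri, redirect_uri_allowed(SAMPLE_DCR, uri))
```

Note that `allow_any_on_loopback` is deliberately separate from `allow_any_on_localhost`: enabling either one admits every dynamically registered client that can bind a port on the user's machine, so turn them on only for developer-tooling applications and leave them off for anything that hands out tokens for production data.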
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name.
This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`. - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme Access uses when making SCIM requests to this application; one of the variants below. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. 
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
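Several fields on this page take durations in two different grammars: `session_duration` and the OAuth `grant` fields accept the Go-style `300ms` / `2h45m` format with units ns, us (or µs), ms, s, m, h, while `mfa_config.session_duration` accepts only m and h, from `0m` to `720h`. A body that mixes them up is rejected only after it has been sent. The following Python is an added example, not part of the API or of this page: it parses the first format, enforces the stricter MFA rule, and walks an application body for every duration-typed field so mistakes surface locally. The application body it inspects is constructed.

```python
"""Client-side validation of the duration-typed fields on an Access application
body (added example, not Cloudflare code)."""
import re

# Nanoseconds per unit, covering exactly the units the schema lists.
_UNIT_NS = {"ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
            "s": 1_000_000_000, "m": 60_000_000_000, "h": 3_600_000_000_000}
# One number+unit token; the alternation lists two-letter units before "s"/"m"
# so that "ms" is not read as "m" followed by junk.
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration_ns(value: str) -> int:
    """Parse the `300ms` / `2h45m` format into nanoseconds. Raises ValueError on
    an empty string, an unknown unit, a missing unit or stray characters."""
    if not value:
        raise ValueError("empty duration")
    pos, total = 0, 0
    while pos < len(value):
        m = _TOKEN.match(value, pos)
        if not m:
            raise ValueError(f"bad duration {value!r} at offset {pos}")
        total += int(float(m.group(1)) * _UNIT_NS[m.group(2)])
        pos = m.end()
    return total


MFA_MAX_NS = 720 * _UNIT_NS["h"]          # schema: maximum 720h (30 days)


def validate_mfa_session_duration(value: str) -> int:
    """mfa_config.session_duration: only m or h units, 0m..720h inclusive."""
    if not re.fullmatch(r"(\d+[mh])+", value or ""):
        raise ValueError(f"{value!r}: MFA session duration must use only m or h units")
    ns = parse_duration_ns(value)
    if ns > MFA_MAX_NS:
        raise ValueError(f"{value!r} exceeds the 720h maximum")
    return ns


def duration_problems(app: dict) -> list:
    """Return one human-readable problem per invalid duration field in an
    application body, using the JSON path of the offending field."""
    problems = []

    def check(path, value, mfa=False):
        if value is None:
            return
        try:
            validate_mfa_session_duration(value) if mfa else parse_duration_ns(value)
        except ValueError as exc:
            problems.append(f"{path}: {exc}")

    check("session_duration", app.get("session_duration"))
    grant = app.get("oauth_configuration", {}).get("grant", {})
    check("oauth_configuration.grant.access_token_lifetime", grant.get("access_token_lifetime"))
    check("oauth_configuration.grant.session_duration", grant.get("session_duration"))
    check("mfa_config.session_duration", app.get("mfa_config", {}).get("session_duration"), mfa=True)
    for i, pol in enumerate(app.get("policies", [])):
        check(f"policies[{i}].session_duration", pol.get("session_duration"))
        check(f"policies[{i}].mfa_config.session_duration",
              pol.get("mfa_config", {}).get("session_duration"), mfa=True)
    return problems


# Constructed sample body: one valid field of each kind plus one mistake.
SAMPLE_BODY = {
    "session_duration": "24h",
    "oauth_configuration": {"grant": {"access_token_lifetime": "15m", "session_duration": "2h45m"}},
    "mfa_config": {"session_duration": "5m"},
    "policies": [{"name": "contractors", "session_duration": "90d"}],   # "d" is not a valid unit
}

if __name__ == "__main__":
    for problem in duration_problems(SAMPLE_BODY):
        print(problem)
```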
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication { type, id, allowed_idps, 15 more }` - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color: optional string` The background color of the App Launcher page. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links: optional array of { name, url }` The links in the App Launcher footer. 
- `name: string` The hypertext in the footer link. - `url: string` The URL that the footer link points to. - `header_bg_color: optional string` The background color of the App Launcher header. - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in. - `button_color: optional string` The background color of the log in button on the landing page. - `button_text_color: optional string` The color of the text in the log in button on the landing page. - `image_url: optional string` The URL of the image shown on the landing page. - `message: optional string` The message shown on the landing page. - `title: optional string` The title shown on the landing page. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page. - `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
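The three rule lists on every policy carry different logic: `include` is OR (any one rule is enough), `require` is AND (all must hold), `exclude` is NOT (any hit disqualifies), and policies run in `precedence` order with the matching policy's `decision` applied. The following Python is an added example, not Access's evaluator: it models that logic for a subset of the rule kinds listed above (email, email_domain, group, geo, ip, auth_method, any_valid_service_token, everyone) and lints the `precedence` uniqueness constraint. The rule body shapes, the first-match semantics and the default deny when no policy matches are assumptions for illustration; the application and request contexts are constructed.

```python
"""Model of include / require / exclude evaluation across a policy list
(added example, not Access's own evaluator)."""
import ipaddress


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Evaluate one AccessRule against a request context. Rule body shapes are
    assumptions keyed on the outer names from the schema; unknown kinds never
    match, so an unmodelled rule fails closed rather than open."""
    (kind, body), = rule.items()
    email = ctx.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":
        return "@" in email and email.rsplit("@", 1)[1] == body["domain"].lower()
    if kind == "group":
        return body["id"] in ctx.get("groups", ())
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    if kind == "ip":
        return (ctx.get("ip") is not None and ipaddress.ip_address(ctx["ip"])
                in ipaddress.ip_network(body["ip"], strict=False))
    if kind == "auth_method":
        return body["auth_method"] in ctx.get("amr", ())
    if kind == "any_valid_service_token":
        return bool(ctx.get("service_token_valid"))
    return False


def policy_matches(policy: dict, ctx: dict) -> bool:
    """include = OR, require = AND, exclude = NOT. A policy with no include
    rules can never match (any([]) is False); no require rules means no extra
    conditions (all([]) is True)."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False
    if not all(rule_matches(r, ctx) for r in policy.get("require", [])):
        return False
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return True


def evaluate(app: dict, ctx: dict) -> str:
    """Walk policies by `precedence`; the first match decides. Assumption: a
    request that matches no policy is denied."""
    for pol in sorted(app.get("policies", []), key=lambda p: p["precedence"]):
        if policy_matches(pol, ctx):
            return pol["decision"]
    return "deny"


def lint_policies(app: dict) -> list:
    """Schema constraints worth checking before a write: `precedence` must be
    unique within the app, and a policy without include rules is dead."""
    problems, seen = [], {}
    for i, pol in enumerate(app.get("policies", [])):
        prec = pol.get("precedence")
        if prec in seen:
            problems.append(f"policies[{i}]: precedence {prec} already used by policies[{seen[prec]}]")
        else:
            seen[prec] = i
        if not pol.get("include"):
            problems.append(f"policies[{i}]: no include rules, policy can never match")
    return problems


# Constructed sample application (hypothetical domains, group id and CIDR).
SAMPLE_APP = {
    "policies": [
        {"name": "block contractors", "precedence": 1, "decision": "deny",
         "include": [{"email_domain": {"domain": "contractor.example"}}]},
        {"name": "staff with MFA from corp egress", "precedence": 2, "decision": "allow",
         "include": [{"email_domain": {"domain": "example.com"}}],
         "require": [{"auth_method": {"auth_method": "mfa"}},
                     {"ip": {"ip": "203.0.113.0/24"}}],
         "exclude": [{"group": {"id": "grp-offboarding"}}]},
        {"name": "CI service token", "precedence": 3, "decision": "non_identity",
         "include": [{"any_valid_service_token": {}}]},
    ]
}

if __name__ == "__main__":
    staff = {"email": "alice@example.com", "amr": ["pwd", "mfa"], "ip": "203.0.113.7", "groups": []}
    print(evaluate(SAMPLE_APP, staff))                                   # allow
    print(evaluate(SAMPLE_APP, {**staff, "ip": "198.51.100.9"}))         # deny (require fails)
    print(evaluate(SAMPLE_APP, {"service_token_valid": True}))           # non_identity
```

Two things the model makes visible: a `require` rule that fails does not produce a deny from that policy, it simply falls through to the next policy in precedence order, which is why a permissive later policy (or a service-token policy) can silently catch users you meant to fence in; and an explicit deny policy must sit at a lower `precedence` value than the allow it is meant to override.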
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be enabled for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }`
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. Client Web Isolation must be enabled for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }`
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `domain: optional string` The proxy endpoint domain, in the format of 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
    - `name: optional string` The name of the application.
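Several constraints stated in this reference are easy to violate when application and policy objects are generated by tooling rather than typed into the dashboard: `session_duration` must use the `300ms`/`2h45m` format and is unsupported for infrastructure applications, `mfa_config.session_duration` is limited to whole minutes or hours between 0m and 720h, `precedence` must be unique within an app, `auto_redirect_to_identity` needs exactly one entry in `allowed_idps`, infrastructure policies may only use the Allow decision, and `linked_app_token` rules are only compatible with `non_identity` or `bypass` decisions. The Python below is an added pre-flight linter, not Cloudflare's code and not part of this reference, that checks an application object for those conditions before it is sent to the API. The sample application is constructed, and the `"infrastructure"` and `"self_hosted"` type literals and the lowercase decision values are assumptions of the example.

```python
"""Added example (not Cloudflare's code): lint an Access application object
against the constraints documented for session_duration, mfa_config, precedence,
auto_redirect_to_identity, infrastructure decisions and linked_app_token rules.
The "infrastructure" type literal and lowercase decision strings are assumptions."""
import re
from typing import Any, Optional

# Duration format as documented: one or more <number><unit> groups, units ns, us/µs, ms, s, m, h.
_DURATION_RE = re.compile(r"^(\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
# mfa_config.session_duration is narrower: whole minutes or hours only.
_MFA_DURATION_RE = re.compile(r"^(\d+)(m|h)$")
_MFA_MAX_MINUTES = 720 * 60  # documented maximum of 720h (30 days)


def valid_duration(value: str) -> bool:
    """True for strings such as `300ms` or `2h45m`; False for `1d`, `10`, `2h 45m`."""
    return bool(_DURATION_RE.match(value))


def mfa_duration_error(value: str) -> Optional[str]:
    """Return a finding for an mfa_config.session_duration outside 0m..720h or in other units."""
    m = _MFA_DURATION_RE.match(value)
    if not m:
        return f"mfa session_duration {value!r} must be whole minutes (m) or hours (h)"
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > _MFA_MAX_MINUTES:
        return f"mfa session_duration {value!r} exceeds the 720h maximum"
    return None


def lint_application(app: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings; an empty list means the object passed."""
    findings: list[str] = []
    app_type = app.get("type")
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps") or []) != 1:
        findings.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")
    sd = app.get("session_duration")
    if sd is not None:
        if app_type == "infrastructure":  # assumed literal for the infrastructure ApplicationType
            findings.append("session_duration is unsupported for infrastructure applications")
        elif not valid_duration(sd):
            findings.append(f"application session_duration {sd!r} is not a valid duration")
    seen_precedence: dict[int, str] = {}
    for p in app.get("policies") or []:
        name = p.get("name") or p.get("id") or "<unnamed>"
        prec = p.get("precedence")
        if prec in seen_precedence:
            findings.append(f"policy {name!r} reuses precedence {prec} of {seen_precedence[prec]!r}")
        elif prec is not None:
            seen_precedence[prec] = name
        decision = p.get("decision")
        if app_type == "infrastructure" and decision not in (None, "allow"):
            findings.append(f"policy {name!r}: infrastructure policies can only use allow")
        rules = (p.get("include") or []) + (p.get("require") or []) + (p.get("exclude") or [])
        if any("linked_app_token" in r for r in rules) and decision not in ("non_identity", "bypass"):
            findings.append(f"policy {name!r}: linked_app_token rules only work with non_identity or bypass")
        psd = p.get("session_duration")
        if psd is not None and not valid_duration(psd):
            findings.append(f"policy {name!r}: session_duration {psd!r} is not a valid duration")
        msd = (p.get("mfa_config") or {}).get("session_duration")
        if msd is not None:
            err = mfa_duration_error(msd)
            if err:
                findings.append(f"policy {name!r}: {err}")
    return findings


# Constructed sample objects, not data from a real account.
SAMPLE_APP = {
    "type": "self_hosted", "name": "wiki",
    "allowed_idps": ["idp-a", "idp-b"], "auto_redirect_to_identity": True,
    "session_duration": "24h",
    "policies": [
        {"name": "allow-staff", "precedence": 1, "decision": "allow",
         "include": [{"email_domain": {"domain": "example.com"}}],
         "session_duration": "2h45m", "mfa_config": {"session_duration": "30m"}},
        {"name": "allow-bot", "precedence": 1, "decision": "allow",
         "include": [{"linked_app_token": {"app_uid": "saas-app"}}],
         "session_duration": "1d", "mfa_config": {"session_duration": "721h"}},
    ],
}
CLEAN_APP = {
    "type": "self_hosted", "allowed_idps": ["idp-a"], "auto_redirect_to_identity": True,
    "session_duration": "24h",
    "policies": [{"name": "p", "precedence": 1, "decision": "allow", "include": [{"everyone": {}}]}],
}

if __name__ == "__main__":
    for f in lint_application(SAMPLE_APP):
        print("finding:", f)
```

Running the linter on `SAMPLE_APP` reports five findings (the IdP count, the duplicate precedence, the `linked_app_token` rule on an `allow` policy, the `1d` duration and the 721h MFA session); `CLEAN_APP` produces none. The API enforces these rules server-side, but failing early keeps a batch of policy changes from being half-applied.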
- `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication { id, app_launcher_visible, aud, 6 more }`
  - `id: optional string` UUID.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `domain: optional string` The URL or domain of the bookmark.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `InfrastructureApplication { target_criteria, type, id, 3 more }`
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `aud: optional string` Audience tag.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, connection_rules, created_at, 6 more }`
    - `id: optional string` The UUID of the policy.
    - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
      - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `name: optional string` The name of the Access policy.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `updated_at: optional string`
- `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iframe.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers.
    The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme used for SCIM provisioning to this application; one of the variants below.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway.
    The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure.
      Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application.
    Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
      'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme used for SCIM provisioning to this application; one of the variants below.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login.
    You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
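The policy semantics documented above (`include` is OR, `require` is AND, `exclude` is NOT, together with `decision` and `precedence`) worked through in an added Python example; this is illustration code, not Cloudflare's implementation. It assumes that policies are tried in ascending `precedence` with the first match deciding and that no match yields deny, models only a few of the AccessRule variants (`email`, `email_domain`, `everyone`, `ip`, `geo`, `group`, `any_valid_service_token`), and uses a constructed request-context shape and constructed sample policies.

```python
"""Access policy evaluation semantics from the reference above.

Added illustration, not Cloudflare's implementation. A policy matches when
the request satisfies at least one `include` rule (OR), every `require`
rule (AND) and none of the `exclude` rules (NOT). Assumed: policies are
tried in ascending `precedence` and the first match decides; no match
yields "deny"; the request-context shape is constructed.
"""
from __future__ import annotations

import ipaddress
from typing import Any

# Values of the `decision` field documented for a policy.
DECISIONS = {"allow", "deny", "non_identity", "bypass"}


def rule_matches(rule: dict[str, Any], ctx: dict[str, Any]) -> bool:
    """Evaluate one AccessRule object (keyed by its variant name) against ctx.

    ctx is a constructed shape: email, ip, country_code, group_ids, service_token.
    """
    if "everyone" in rule:
        return True
    if "email" in rule:
        return ctx.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        email = ctx.get("email", "")
        if "@" not in email:
            return False
        return email.rsplit("@", 1)[1].lower() == rule["email_domain"]["domain"].lower()
    if "ip" in rule:
        if not ctx.get("ip"):
            return False
        # An IPv4 address tested against an IPv6 block (or vice versa) is simply False.
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
    if "geo" in rule:
        return ctx.get("country_code") == rule["geo"]["country_code"]
    if "group" in rule:
        return rule["group"]["id"] in ctx.get("group_ids", [])
    if "any_valid_service_token" in rule:
        return bool(ctx.get("service_token"))
    raise ValueError(f"unsupported rule variant: {sorted(rule)}")


def policy_matches(policy: dict[str, Any], ctx: dict[str, Any]) -> bool:
    """include is OR, require is AND, exclude is NOT; an empty include never matches."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False
    if not all(rule_matches(r, ctx) for r in policy.get("require", [])):
        return False
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return True


def evaluate(policies: list[dict[str, Any]], ctx: dict[str, Any]) -> tuple[str, str | None]:
    """Return (decision, policy name) of the first matching policy in precedence order.

    Falls back to ("deny", None) when no policy matches (assumed default).
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        decision = policy.get("decision", "allow")
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision: {decision!r}")
        if policy_matches(policy, ctx):
            return decision, policy.get("name")
    return "deny", None


# Constructed sample policies; domains, group IDs and CIDRs are placeholders.
SAMPLE_POLICIES = [
    {
        "name": "Deny contractors off the office network",
        "precedence": 1,
        "decision": "deny",
        "include": [{"email_domain": {"domain": "contractor.example"}}],
        "exclude": [{"ip": {"ip": "203.0.113.0/24"}}],
    },
    {
        "name": "Staff in the US who are in the MFA group",
        "precedence": 2,
        "decision": "allow",
        "include": [{"email_domain": {"domain": "example.com"}}],
        "require": [{"geo": {"country_code": "US"}}, {"group": {"id": "grp-placeholder-1"}}],
        "exclude": [{"email": {"email": "leaver@example.com"}}],
    },
    {
        "name": "CI pipeline via service token",
        "precedence": 3,
        "decision": "non_identity",
        "include": [{"any_valid_service_token": {}}],
    },
]
```

Note that a `require` list that is empty is vacuously satisfied, so a policy with only `include` rules is reachable by anyone matching one of them; the `exclude` list is the place to carve out the exceptions.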
### Application Update Response

- `ApplicationUpdateResponse = { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more`
  - `SelfHostedApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
          - `group: { id }`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `any_valid_service_token: { }` An empty object which matches on all service tokens.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: { id, ac_id, identity_provider_id }`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `auth_method: { auth_method }`
            - `auth_method: string` The type of authentication method, as defined in [RFC 8176, section 2](https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: { id, identity_provider_id }`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
          - `certificate: { }`
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `common_name: { common_name }`
            - `common_name: string` The common name to match.
        - `CountryRule { geo }` Matches a specific country.
          - `geo: { country_code }`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `device_posture: { integration_uid }`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule { email_domain }` Matches an entire email domain.
          - `email_domain: { domain }`
            - `domain: string` The email domain to match.
        - `EmailListRule { email_list }` Matches an email address from a list.
          - `email_list: { id }`
            - `id: string` The ID of a previously created email list.
        - `EmailRule { email }` Matches a specific email.
          - `email: { email }`
            - `email: string` The email of the user.
        - `EveryoneRule { everyone }` Matches everyone.
          - `everyone: { }` An empty object which matches on all users.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: { evaluate_url, keys_url }`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": { identity_provider_id, name, team }`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team: optional string` The name of the team.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: { email, identity_provider_id }`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
          - `login_method: { id }`
            - `id: string` The ID of an identity provider.
        - `IPListRule { ip_list }` Matches an IP address from a list.
          - `ip_list: { id }`
            - `id: string` The ID of a previously created IP list.
        - `IPRule { ip }` Matches an IP address block.
          - `ip: { ip }`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `okta: { identity_provider_id, name }`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `saml: { attribute_name, attribute_value, identity_provider_id }`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: { claim_name, claim_value, identity_provider_id }`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `service_token: { token_id }`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
          - `linked_app_token: { app_uid }`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
          - `user_risk_score: { user_risk_score }`
            - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name.
    This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: string` Password used to authenticate with the remote SCIM service.
        - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: string` User name used to authenticate with the remote SCIM service.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: string` URL used to generate the auth code used during token generation.
        - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
        - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
        - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization.
        Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group.
        Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
    - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
      - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset.
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
        - `friendly_name: optional string` The SAML FriendlyName of the attribute.
        - `name: optional string` The name of the attribute.
        - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: optional boolean` If the attribute is required when building a SAML assertion.
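The `policies` schema above states the combination rule but never shows it in action: `include` rules are OR-ed, `exclude` rules are NOT-ed, `require` rules are AND-ed, and `precedence` orders the policies. The following is an added example, not Cloudflare's implementation, that models that evaluation over a few of the AccessRule shapes documented here; the `ctx` dict, its keys, the placeholder ids and the assumption that a lower `precedence` is evaluated first are all this example's own.

```python
"""Added illustration of how an Access policy combines its rule lists. It is
not Cloudflare's implementation; it encodes the semantics this schema states:
include rules are OR-ed, exclude rules are NOT-ed, require rules are AND-ed,
and policies are tried in `precedence` order. The `ctx` dict describing a login
is a constructed stand-in for what Access knows; its keys are assumptions."""
import ipaddress
from typing import Optional


def _same_idp(body: dict, ctx: dict) -> bool:
    """IdP-scoped rules only match logins that came through that IdP."""
    return ctx.get("identity_provider_id") == body["identity_provider_id"]


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Evaluate one AccessRule object (shapes as documented on this page)."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return ctx.get("email", "").lower() == rule["email"]["email"].lower()
    if "ip" in rule:  # IPRule: an IPv4 or IPv6 CIDR block
        if not ctx.get("ip"):
            return False
        net = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        return ipaddress.ip_address(ctx["ip"]) in net  # False across IP versions
    if "ip_list" in rule:  # ctx carries the ids of IP lists the source IP is in
        return rule["ip_list"]["id"] in ctx.get("ip_list_ids", set())
    if "login_method" in rule:
        return ctx.get("identity_provider_id") == rule["login_method"]["id"]
    if "okta" in rule:
        body = rule["okta"]
        return _same_idp(body, ctx) and body["name"] in ctx.get("okta_groups", set())
    if "saml" in rule:
        body = rule["saml"]
        values = ctx.get("saml_attributes", {}).get(body["attribute_name"], [])
        return _same_idp(body, ctx) and body["attribute_value"] in values
    if "oidc" in rule:
        body = rule["oidc"]
        claims = ctx.get("oidc_claims", {})
        return _same_idp(body, ctx) and claims.get(body["claim_name"]) == body["claim_value"]
    if "service_token" in rule:
        return ctx.get("service_token_id") == rule["service_token"]["token_id"]
    if "any_valid_service_token" in rule:
        return ctx.get("service_token_id") is not None
    if "user_risk_score" in rule:
        levels = rule["user_risk_score"]["user_risk_score"]
        return ctx.get("user_risk_score", "unscored") in levels
    # Fail closed: an unrecognised rule type must never silently match.
    raise ValueError(f"unsupported AccessRule type: {sorted(rule)}")


def policy_matches(policy: dict, ctx: dict) -> bool:
    """include: OR, exclude: NOT, require: AND. No include rules means no match."""
    include = policy.get("include") or []
    exclude = policy.get("exclude") or []
    require = policy.get("require") or []
    if not any(rule_matches(r, ctx) for r in include):
        return False
    if any(rule_matches(r, ctx) for r in exclude):
        return False
    return all(rule_matches(r, ctx) for r in require)


def decide(policies: list, ctx: dict) -> Optional[tuple]:
    """(name, decision) of the first matching policy in precedence order, or
    None when nothing matches (Access then denies by default)."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["name"], policy["decision"]
    return None


# Constructed sample policies; decision values follow the Decision type
# ("allow", "deny", "non_identity", "bypass").
POLICIES = [
    {"name": "Block high-risk users", "decision": "deny", "precedence": 1,
     "include": [{"everyone": {}}],
     "require": [{"user_risk_score": {"user_risk_score": ["high"]}}]},
    {"name": "Security team from the office", "decision": "allow", "precedence": 2,
     "include": [{"okta": {"identity_provider_id": "idp-okta-1", "name": "security"}},
                 {"email": {"email": "cto@example.com"}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "CI pipeline service token", "decision": "non_identity", "precedence": 3,
     "include": [{"service_token": {"token_id": "tok-ci-1"}}]},
]

# Constructed login contexts (documentation IP ranges, placeholder ids).
ALICE_OFFICE = {"email": "alice@example.com", "ip": "203.0.113.45",
                "identity_provider_id": "idp-okta-1",
                "okta_groups": {"security"}, "user_risk_score": "low"}
ALICE_HOME = dict(ALICE_OFFICE, ip="198.51.100.7")
ALICE_RISKY = dict(ALICE_OFFICE, user_risk_score="high")
CONTRACTOR = dict(ALICE_OFFICE, email="contractor@example.com")
CI_RUNNER = {"ip": "192.0.2.10", "service_token_id": "tok-ci-1"}

if __name__ == "__main__":
    for ctx in (ALICE_OFFICE, ALICE_HOME, ALICE_RISKY, CONTRACTOR, CI_RUNNER):
        print(ctx.get("email") or ctx.get("service_token_id"), "->", decide(POLICIES, ctx))
```

Note that a deny policy with a lower `precedence` wins even when a later allow policy would also match, and that a policy whose `include` list is empty matches nobody.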
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP attribute.
          - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
            - `idp_id: optional string` The UID of the IdP.
            - `source_name: optional string` The name of the IdP-provided attribute.
      - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: optional string` The unique identifier for your SaaS application.
      - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
      - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
      - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m, h.
        Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: optional boolean` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url: optional string` The URL where this application's tile redirects users.
      - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: optional string` The application client ID.
      - `client_secret: optional string` The application client secret, only returned on POST requests.
      - `custom_claims: optional array of { name, required, scope, source }`
        - `name: optional string` The name of the claim.
        - `required: optional boolean` If the claim is required when building an OIDC token.
        - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP claim.
          - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
      - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
        - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: optional array of string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: optional { lifetime }`
        - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `BrowserSSHApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard `*` can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard `*` can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
- `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. 
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, id, allowed_idps, 15 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the log in button on the landing page.
    - `button_text_color: optional string` The color of the text in the log in button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. 
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. 
This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: optional string` The name of the application. 
- `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication { id, app_launcher_visible, aud, 6 more }` - `id: optional string` UUID. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `domain: optional string` The URL or domain of the bookmark. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. 
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. 
- `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `InfrastructureApplication { target_criteria, type, id, 3 more }` - `target_criteria: array of { port, protocol, target_attributes }` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: optional string` UUID. - `aud: optional string` Audience tag. 
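The `session_duration` and `access_token_lifetime` fields above all use the same Go-style duration grammar (`300ms`, `2h45m`), while `mfa_config.session_duration` is more restrictive (minutes or hours only, `0m` to `720h`). The following parser and validator are an added example written for this page, not Cloudflare code; they reject signs, bare numbers and whitespace because the schema describes the value only as number+unit pairs, and the MFA validator accepts a single number+unit as in the page's `5m`/`24h` examples (treating compound values as invalid is this example's assumption).

```python
import re
from decimal import Decimal

# Go-style duration grammar used by session_duration and access_token_lifetime:
# one or more <number><unit> pairs with no separators, e.g. "300ms" or "2h45m".
_UNIT_NS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "μs": 1_000,   # U+00B5 micro sign and U+03BC Greek mu
    "ms": 1_000_000, "s": 1_000_000_000,
    "m": 60 * 1_000_000_000, "h": 3_600 * 1_000_000_000,
}
# Two-letter units are listed before their single-letter prefixes so "ms" is not read as "m" + junk.
_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h)")


def parse_duration_ns(text: str) -> int:
    """Parse a Go-style duration into nanoseconds, or raise ValueError.
    Signs, whitespace and bare numbers are rejected: the API describes the value as number+unit pairs."""
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, Decimal(0)
    while pos < len(text):
        m = _PART.match(text, pos)
        if m is None:
            raise ValueError(f"malformed duration {text!r} at offset {pos}")
        value, unit = m.groups()
        total += Decimal(value) * _UNIT_NS[unit]   # Decimal keeps "1.5h" exact
        pos = m.end()
    return int(total)


def validate_mfa_session_duration(text: str) -> int:
    """Validate an mfa_config.session_duration and return it in minutes.
    Only m or h units, 0m..720h. Assumption: a single number+unit, as in the page's
    examples 5m and 24h; compound values such as 2h45m are rejected here."""
    m = re.fullmatch(r"(\d+)(m|h)", text)
    if m is None:
        raise ValueError(f"MFA session duration must look like 5m or 24h, got {text!r}")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > 720 * 60:
        raise ValueError(f"MFA session duration {text!r} exceeds the 720h maximum")
    return minutes


if __name__ == "__main__":
    for value in ("300ms", "2h45m", "1.5h"):
        print(value, "=", parse_duration_ns(value), "ns")
    for value in ("5m", "24h", "720h"):
        print(value, "=", validate_mfa_session_duration(value), "min")
```

Validating both forms before a PUT or POST to the application endpoints avoids a round trip for a malformed value and, more usefully, lets a deployment pipeline enforce its own ceilings (for example, refusing any application session longer than the MFA session) before the configuration reaches the API.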
- `name: optional string` The name of the application. - `policies: optional array of { id, connection_rules, created_at, 6 more }` - `id: optional string` The UUID of the policy - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application. - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias: optional boolean` Enables using Identity Provider email alias as SSH username. - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `name: optional string` The name of the Access policy. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
- `updated_at: optional string` - `BrowserRDPApplication { domain, target_criteria, type, 31 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `target_criteria: array of { port, protocol, target_attributes }` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "RDP"` The communication protocol your application secures. - `"RDP"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
- `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. 
- `mcp_server_id: optional string` The MCP server ID configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
- `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. 
- `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers.
The header value will be interpreted as a JSON object such as `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`. - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The credentials Access presents to the application's SCIM API: one of the schemes below, or an array of them. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
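How the `include`, `require` and `exclude` lists of a policy combine, as an added example that is not part of this API reference: a small evaluator that treats a policy as any(include) AND all(require) AND NOT any(exclude), trying policies in `precedence` order. It models only a few rule kinds; the inner field names of the rule bodies, the first-match behaviour and the default deny are assumptions, not statements from the schema.

```python
"""Model of how an Access policy's rule lists combine.

Added example, not Cloudflare's implementation. A policy matches when
    any(include) AND all(require) AND NOT any(exclude)
Policies are tried in ascending `precedence` order; the first match supplies
the decision and a request that matches nothing is denied (both assumptions
about evaluation order, not statements from the schema).
"""
import ipaddress
from typing import Any

Context = dict[str, Any]  # constructed request facts: email, ip, country, groups


def rule_matches(rule: dict, ctx: Context) -> bool:
    """Evaluate one AccessRule of the form {"<kind>": {...}}.

    Only a handful of rule kinds are modelled. The inner field names
    (email.email, email_domain.domain, ip.ip, geo.country_code, group.id)
    are assumed shapes for the rule bodies.
    """
    if len(rule) != 1:
        raise ValueError("an AccessRule carries exactly one rule kind")
    kind, body = next(iter(rule.items()))
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        domain = ctx.get("email", "").rpartition("@")[2].lower()
        return domain != "" and domain == body["domain"].lower()
    if kind == "ip":
        if not ctx.get("ip"):
            return False
        network = ipaddress.ip_network(body["ip"], strict=False)
        return ipaddress.ip_address(ctx["ip"]) in network
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    if kind == "group":
        return body["id"] in ctx.get("groups", ())
    # Fail closed on anything this model does not understand.
    raise ValueError(f"unsupported rule kind: {kind}")


def policy_matches(policy: dict, ctx: Context) -> bool:
    """include is OR, require is AND, exclude is NOT, as the schema describes."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False  # an empty include list can never match
    if not all(rule_matches(r, ctx) for r in policy.get("require", [])):
        return False
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return True


def evaluate(policies: list[dict], ctx: Context, default: str = "deny") -> str:
    """Return the decision of the first matching policy in precedence order."""
    for policy in sorted(policies, key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, ctx):
            return policy["decision"]
    return default


# Constructed policies for a hypothetical application.
POLICIES = [
    {   # Non-identity bypass for a trusted egress range (documentation prefix).
        "name": "office-bypass", "precedence": 1, "decision": "bypass",
        "include": [{"ip": {"ip": "198.51.100.0/24"}}],
    },
    {   # Staff or contractors, only from the US, minus one revoked account.
        "name": "staff-allow", "precedence": 2, "decision": "allow",
        "include": [{"email_domain": {"domain": "example.com"}},
                    {"group": {"id": "contractors-group-id"}}],
        "require": [{"geo": {"country_code": "US"}}],
        "exclude": [{"email": {"email": "revoked@example.com"}}],
    },
]

if __name__ == "__main__":
    for ctx in (
        {"email": "alice@example.com", "ip": "203.0.113.5", "country": "US"},
        {"email": "revoked@example.com", "ip": "203.0.113.5", "country": "US"},
        {"email": "bob@other.org", "ip": "198.51.100.7", "country": "DE"},
        {"email": "bob@other.org", "ip": "203.0.113.9", "country": "DE",
         "groups": ["contractors-group-id"]},
    ):
        print(ctx["email"], ctx["ip"], ctx["country"], "->", evaluate(POLICIES, ctx))
```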
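The two duration formats on this page differ: application, policy and OAuth durations take the `300ms` / `2h45m` form with units ns through h, while the MFA `session_duration` takes only minutes or hours between `0m` and `720h`. The following is an added example, not Cloudflare code, that validates both before a configuration is pushed through the API; it assumes an MFA value is a single integer component with one unit.

```python
"""Validators for the two duration formats described in this schema.

Added example, not Cloudflare code. `parse_go_duration` implements the
`300ms` / `2h45m` grammar (units ns, us or µs, ms, s, m, h, after Go's
time.Duration format) used by application and OAuth durations.
`check_mfa_session_duration` implements the narrower MFA rule: minutes or
hours only, minimum 0m, maximum 720h (30 days).
"""
import re

_UNIT_NS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "μs": 1_000, "ms": 1_000_000,
    "s": 1_000_000_000, "m": 60_000_000_000, "h": 3_600_000_000_000,
}
# One component: a decimal number followed by a unit ("2h", "45m", "1.5h").
_TOKEN = re.compile(r"(\d+(?:\.\d*)?|\.\d+)(ns|us|µs|μs|ms|s|m|h)")
# MFA form: a single integer with unit m or h (single-component assumption).
_MFA_TOKEN = re.compile(r"^(\d+)(m|h)$")
_MFA_MAX_NS = 720 * _UNIT_NS["h"]


def parse_go_duration(text: str) -> int:
    """Return the duration in nanoseconds, or raise ValueError.

    Components are concatenated ("2h45m"); a bare "0" needs no unit, every
    other value needs a unit on each component. Surrounding whitespace is
    tolerated here, which is slightly more lenient than Go itself.
    """
    s = text.strip()
    if s in ("0", "+0", "-0"):
        return 0
    sign = 1
    if s and s[0] in "+-":
        sign = -1 if s[0] == "-" else 1
        s = s[1:]
    pos, total = 0, 0
    while pos < len(s):
        m = _TOKEN.match(s, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r}")
        total += int(round(float(m.group(1)) * _UNIT_NS[m.group(2)]))
        pos = m.end()
    if pos == 0:
        raise ValueError(f"invalid duration {text!r}")
    return sign * total


def is_valid_go_duration(text: str) -> bool:
    """Boolean wrapper for configuration checks."""
    try:
        parse_go_duration(text)
    except ValueError:
        return False
    return True


def check_mfa_session_duration(text: str) -> bool:
    """True if `text` is an integer number of minutes (m) or hours (h)
    between 0m and 720h inclusive."""
    m = _MFA_TOKEN.match(text)
    if m is None:
        return False
    ns = int(m.group(1)) * _UNIT_NS[m.group(2)]
    return 0 <= ns <= _MFA_MAX_NS
```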
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. 
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
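The include (OR), exclude (NOT) and require (AND) semantics described for policies above, modelled end to end as an added example that is not Cloudflare's code. It assumes that the first matching policy in precedence order decides and that no match means deny; the identity keys `ip`, `groups`, `risk_score` and `service_token_id` are constructed for the example, not fields the API documents.

```python
"""Model of Access policy evaluation: include (OR), exclude (NOT), require (AND).

Added example, not Cloudflare's code. Policies and rules use the shapes the
reference lists ({"email": {"email": ...}}, {"geo": {"country_code": ...}},
{"ip": {"ip": "<cidr>"}} ...). The identity dict is constructed after the
user_policy_checks response; its ip, groups, risk_score and service_token_id
keys are assumptions for this example.
"""
import ipaddress


def rule_matches(rule: dict, identity: dict) -> bool:
    """Evaluate one AccessRule against an identity.

    Unknown or malformed rules return False (fail closed), so a rule this
    model does not understand can never grant access by accident.
    """
    if len(rule) != 1:
        return False
    (kind, body), = rule.items()
    email = identity.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":
        return "@" in email and email.rsplit("@", 1)[1] == body["domain"].lower()
    if kind == "geo":
        return identity.get("geo", {}).get("country") == body["country_code"]
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(identity.get("ip", ""))
            net = ipaddress.ip_network(body["ip"], strict=False)
        except ValueError:
            return False
        return addr.version == net.version and addr in net
    if kind == "group":
        return body["id"] in identity.get("groups", [])
    if kind == "user_risk_score":
        return identity.get("risk_score", "unscored") in body["user_risk_score"]
    if kind == "any_valid_service_token":
        return identity.get("service_token_id") is not None
    if kind == "service_token":
        return identity.get("service_token_id") == body["token_id"]
    return False


def policy_matches(policy: dict, identity: dict) -> bool:
    """Apply the three rule lists exactly as the reference defines them."""
    include = policy.get("include", [])
    exclude = policy.get("exclude", [])
    require = policy.get("require", [])
    # include: OR. At least one rule must match; an empty include matches nobody.
    if not any(rule_matches(r, identity) for r in include):
        return False
    # exclude: NOT. Matching any exclude rule disqualifies the user.
    if any(rule_matches(r, identity) for r in exclude):
        return False
    # require: AND. Every require rule must match (vacuously true when empty).
    return all(rule_matches(r, identity) for r in require)


def decide(policies: list, identity: dict) -> tuple:
    """Return (decision, policy name) of the first matching policy by precedence.

    The reference only says precedence is the order of execution and is unique
    per app; "first match wins, no match means deny" is this model's assumption.
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"], policy["name"]
    return "deny", None


# Constructed policies for one app: a deny that runs first, an allow gated on
# a require rule, then a non_identity policy for service tokens.
POLICIES = [
    {"name": "Deny contractors outside US", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"geo": {"country_code": "US"}}],
     "require": []},
    {"name": "Staff on office range", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"group": {"id": "grp-oncall"}}],
     "exclude": [{"user_risk_score": {"user_risk_score": ["high"]}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "Service tokens", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}],
     "exclude": [], "require": []},
]

# Constructed identities (shaped after user_policy_checks; extra keys are assumptions).
ALICE = {"email": "alice@example.com", "geo": {"country": "US"},
         "ip": "203.0.113.10", "groups": [], "risk_score": "low"}
BOB = {"email": "bob@contractor.example", "geo": {"country": "DE"}, "ip": "198.51.100.7"}
CAROL = {"email": "carol@contractor.example", "geo": {"country": "US"}, "ip": "198.51.100.8"}
DAVE = {"email": "dave@example.com", "geo": {"country": "US"}, "ip": "198.51.100.9"}
ERIN = {"email": "erin@example.com", "geo": {"country": "US"},
        "ip": "203.0.113.77", "risk_score": "high"}
TOKEN = {"service_token_id": "tok-constructed-1"}

if __name__ == "__main__":
    for label, who in [("alice", ALICE), ("bob", BOB), ("carol", CAROL),
                       ("dave", DAVE), ("erin", ERIN), ("token", TOKEN)]:
        print(label, decide(POLICIES, who))
```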
### Application Delete Response

- `ApplicationDeleteResponse { id }`
  - `id: optional string` UUID.

### Application Revoke Tokens Response

- `ApplicationRevokeTokensResponse = unknown`

# CAs

## List short-lived certificate CAs

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/ca`

Lists short-lived certificate CAs and their public keys.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of CA`
  - `id: optional string` The ID of the CA.
  - `aud: optional string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: optional string` The public key to add to your SSH server configuration.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/ca \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a short-lived certificate CA

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Fetches a short-lived certificate CA and its public key.

### Path Parameters

- `app_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional CA`
  - `id: optional string` The ID of the CA.
  - `aud: optional string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: optional string` The public key to add to your SSH server configuration.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/ca \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Create a short-lived certificate CA

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Generates a new short-lived certificate CA and public key.

### Path Parameters

- `app_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional CA`
  - `id: optional string` The ID of the CA.
  - `aud: optional string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: optional string` The public key to add to your SSH server configuration.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/ca \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Delete a short-lived certificate CA

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Deletes a short-lived certificate CA.

### Path Parameters

- `app_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` The ID of the CA.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/ca \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9"
  }
}
```

## Domain Types

### CA

- `CA { id, aud, public_key }`
  - `id: optional string` The ID of the CA.
  - `aud: optional string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: optional string` The public key to add to your SSH server configuration.

### CA Delete Response

- `CADeleteResponse { id }`
  - `id: optional string` The ID of the CA.

# User Policy Checks

## Test Access policies

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks`

Tests if a specific user has permission to access an application.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { app_state, user_identity }`
  - `app_state: optional { app_uid, aud, hostname, 3 more }`
    - `app_uid: optional string` UUID.
    - `aud: optional string`
    - `hostname: optional string`
    - `name: optional string`
    - `policies: optional array of unknown`
    - `status: optional string`
  - `user_identity: optional { id, account_id, device_sessions, 8 more }`
    - `id: optional string`
    - `account_id: optional string`
    - `device_sessions: optional unknown`
    - `email: optional string`
    - `geo: optional UserPolicyCheckGeo`
      - `country: optional string`
    - `iat: optional number`
    - `is_gateway: optional boolean`
    - `is_warp: optional boolean`
    - `name: optional string`
    - `user_uuid: optional string` UUID.
    - `version: optional number`

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/user_policy_checks \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "app_state": {
      "app_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe389",
      "hostname": "test.com",
      "name": "Test App",
      "policies": [
        {
          "decision": "allow",
          "exclude": [],
          "include": [
            {
              "_type": "email",
              "email": "testuser@gmail.com"
            }
          ],
          "precedence": 1,
          "require": [],
          "status": "Success"
        }
      ],
      "status": "Success"
    },
    "user_identity": {
      "id": "1164449231815010287495",
      "account_id": "41ecfbb341f033e52b46742756aabb8b",
      "device_sessions": {},
      "email": "testuser@gmail.com",
      "geo": {
        "country": "US"
      },
      "iat": 0,
      "is_gateway": false,
      "is_warp": false,
      "name": "Test User",
      "user_uuid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "version": 0
    }
  }
}
```

## Domain Types

### User Policy Check Geo

- `UserPolicyCheckGeo { country }`
  - `country: optional string`

### User Policy Check List Response

- `UserPolicyCheckListResponse { app_state, user_identity }`
  - `app_state: optional { app_uid, aud, hostname, 3 more }`
    - `app_uid: optional string` UUID.
    - `aud: optional string`
    - `hostname: optional string`
    - `name: optional string`
    - `policies: optional array of unknown`
    - `status: optional string`
  - `user_identity: optional { id, account_id, device_sessions, 8 more }`
    - `id: optional string`
    - `account_id: optional string`
    - `device_sessions: optional unknown`
    - `email: optional string`
    - `geo: optional UserPolicyCheckGeo`
      - `country: optional string`
    - `iat: optional number`
    - `is_gateway: optional boolean`
    - `is_warp: optional boolean`
    - `name: optional string`
    - `user_uuid: optional string` UUID.
    - `version: optional number`

# Policies

## List Access application policies

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.

### Path Parameters

- `app_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
- `true` - `result: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. 
- `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. 
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
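The policy objects in this response lend themselves to an automated review before anyone relies on them. The following is an added example, not Cloudflare's own code: it audits a list response against the constraints stated above (the four `decision` values, the `linked_app_token` restriction to `non_identity` and `bypass`, the `mfa_config.session_duration` range of 0m to 720h, the `session_duration` duration grammar, unique `precedence`) and also flags a `bypass` policy whose Include is Everyone with no Require or Exclude rules; the sample response, its IDs and the `auth_method` value are constructed.

```python
"""Audit Access policies from a GET .../access/apps/{app_id}/policies response.

Added example, not Cloudflare code: checks each policy against constraints the
reference states and flags settings a reviewer should look at twice."""
import json
import re

DECISIONS = {"allow", "deny", "non_identity", "bypass"}
MFA_AUTHENTICATORS = {"totp", "biometrics", "security_key"}
# Policy session_duration grammar from the reference: e.g. 300ms, 2h45m; units ns, us/µs, ms, s, m, h.
TOKEN_DURATION_RE = re.compile(r"^(\d+(\.\d+)?(ns|us|µs|ms|s|m|h))+$")
# mfa_config.session_duration: minutes or hours only, 0m up to 720h.
MFA_DURATION_RE = re.compile(r"^(\d+)([mh])$")


def rule_kinds(rules):
    """Selector keys used by a list of AccessRule objects, e.g. {"group", "everyone"}."""
    kinds = set()
    for rule in rules or []:
        kinds.update(rule.keys())
    return kinds


def mfa_duration_ok(value):
    """True if value is a valid mfa_config.session_duration (m or h, 0m..720h)."""
    match = MFA_DURATION_RE.match(value)
    if not match:
        return False
    minutes = int(match.group(1)) * (60 if match.group(2) == "h" else 1)
    return minutes <= 720 * 60


def audit_policy(policy):
    """Return (severity, message) findings for one policy object."""
    findings = []
    name = policy.get("name") or policy.get("id") or "<unnamed>"
    decision = policy.get("decision")
    include = policy.get("include") or []
    require = policy.get("require") or []
    exclude = policy.get("exclude") or []
    if decision not in DECISIONS:
        findings.append(("error", f"{name}: unknown decision {decision!r}"))
    if not include:
        findings.append(("error", f"{name}: include is empty, so the policy never matches"))
    # bypass + Everyone with nothing narrowing it skips authentication for the whole app.
    if decision == "bypass" and "everyone" in rule_kinds(include) and not (require or exclude):
        findings.append(("high", f"{name}: bypass for everyone with no require/exclude rules"))
    # The reference allows linked_app_token only with non_identity and bypass decisions.
    if "linked_app_token" in rule_kinds(include + require + exclude) and decision not in {"non_identity", "bypass"}:
        findings.append(("error", f"{name}: linked_app_token used with decision {decision!r}"))
    mfa = policy.get("mfa_config") or {}
    if mfa.get("mfa_disabled"):
        findings.append(("medium", f"{name}: MFA disabled at the policy level"))
    unknown = set(mfa.get("allowed_authenticators") or []) - MFA_AUTHENTICATORS
    if unknown:
        findings.append(("error", f"{name}: unknown authenticators {sorted(unknown)}"))
    if "session_duration" in mfa and not mfa_duration_ok(mfa["session_duration"]):
        findings.append(("error", f"{name}: mfa session_duration {mfa['session_duration']!r} must be m/h within 0m..720h"))
    token_ttl = policy.get("session_duration")
    if token_ttl is not None and not TOKEN_DURATION_RE.match(token_ttl):
        findings.append(("error", f"{name}: session_duration {token_ttl!r} is not a valid duration"))
    return findings


def audit_response(response):
    """Audit every policy in a list response and flag duplicate precedence within the app."""
    if not response.get("success"):
        return [("error", f"API call failed: {response.get('errors')}")]
    findings, seen = [], {}
    for policy in response.get("result", []):
        findings.extend(audit_policy(policy))
        precedence = policy.get("precedence")
        if precedence in seen:
            findings.append(("error", f"{policy.get('name')}: precedence {precedence} duplicates {seen[precedence]!r}"))
        seen.setdefault(precedence, policy.get("name"))
    return findings


# Constructed sample response shaped like the reference's example; all IDs are placeholders.
SAMPLE_RESPONSE = json.loads("""
{"success": true, "errors": [], "messages": [],
 "result": [
  {"id": "00000000-0000-0000-0000-000000000001", "name": "Allow devs", "decision": "allow",
   "precedence": 1, "include": [{"group": {"id": "00000000-0000-0000-0000-0000000000aa"}}],
   "require": [{"auth_method": {"auth_method": "mfa"}}], "exclude": [],
   "mfa_config": {"allowed_authenticators": ["totp", "security_key"], "mfa_disabled": false,
                  "session_duration": "24h"},
   "session_duration": "2h45m"},
  {"id": "00000000-0000-0000-0000-000000000002", "name": "Open door", "decision": "bypass",
   "precedence": 1, "include": [{"everyone": {}}],
   "mfa_config": {"mfa_disabled": true, "session_duration": "900h"},
   "session_duration": "30d"}
 ]}
""")

if __name__ == "__main__":
    for severity, message in audit_response(SAMPLE_RESPONSE):
        print(f"[{severity}] {message}")
```

Point `audit_response` at the parsed JSON of a real `GET .../policies` call to review an application's policies the same way.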
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/policies \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": ["text"],
          "allowed_clipboard_remote_to_local_formats": ["text"]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "include": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "precedence": 0,
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access application policy

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`
Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.

### Path Parameters

- `app_id: string` UUID.
- `policy_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/policies/$POLICY_ID \
  -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  -H "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access application policy

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Creates a policy that applies exclusively to a single application and defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.

### Path Parameters

- `app_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
  - `approvals_needed: number` The number of approvals needed to obtain access.
  - `email_addresses: optional array of string` A list of emails that can approve the access request.
  - `email_list_uuid: optional string` The UUID of a reusable email list.
- `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
  - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
      - `"text"`
- `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
- `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. 
- `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. 
- `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/policies \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"]
      },
      {
        "approvals_needed": 3,
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "session_duration": "24h"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access application policy

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Updates an Access policy specific to an application. To update a reusable policy, use the `/{accounts_or_zones}/{account_or_zone_id}/policies/{uid}` endpoint instead.

### Path Parameters

- `app_id: string` UUID.
- `policy_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
  - `approvals_needed: number` The number of approvals needed to obtain access.
  - `email_addresses: optional array of string` A list of emails that can approve the access request.
  - `email_list_uuid: optional string` The UUID of a reusable email list.
- `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
  - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
      - `"text"`
- `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
- `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, per https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/policies/$POLICY_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"]
      },
      {
        "approvals_needed": 3,
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "session_duration": "24h"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access application policy

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Deletes an Access policy specific to an application. To delete a reusable policy, use the `/{accounts_or_zones}/{account_or_zone_id}/policies/{uid}` endpoint instead.

### Path Parameters

- `app_id: string` UUID.
- `policy_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.
### Example ```http curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/policies/$POLICY_ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Domain Types ### Access Device Posture Rule - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. ### Access Rule - `AccessRule = GroupRule or AnyValidServiceTokenRule or { auth_context } or 22 more` Matches an Access group. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. 
    - `azureAD: { id, identity_provider_id }`
      - `id: string` The ID of an Azure group.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
    - `certificate: { }`
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `common_name: { common_name }`
      - `common_name: string` The common name to match.
  - `CountryRule { geo }` Matches a specific country.
    - `geo: { country_code }`
      - `country_code: string` The country code that should be matched.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `device_posture: { integration_uid }`
      - `integration_uid: string` The ID of a device posture integration.
  - `DomainRule { email_domain }` Matches an entire email domain.
    - `email_domain: { domain }`
      - `domain: string` The email domain to match.
  - `EmailListRule { email_list }` Matches an email address from a list.
    - `email_list: { id }`
      - `id: string` The ID of a previously created email list.
  - `EmailRule { email }` Matches a specific email.
    - `email: { email }`
      - `email: string` The email of the user.
  - `EveryoneRule { everyone }` Matches everyone.
    - `everyone: { }` An empty object which matches on all users.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: { evaluate_url, keys_url }`
      - `evaluate_url: string` The API endpoint containing your business logic.
      - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `"github-organization": { identity_provider_id, name, team }`
      - `identity_provider_id: string` The ID of your GitHub identity provider.
      - `name: string` The name of the organization.
      - `team: optional string` The name of the team.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: { email, identity_provider_id }`
      - `email: string` The email of the Google Workspace group.
      - `identity_provider_id: string` The ID of your Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `login_method: { id }`
      - `id: string` The ID of an identity provider.
  - `IPListRule { ip_list }` Matches an IP address from a list.
    - `ip_list: { id }`
      - `id: string` The ID of a previously created IP list.
  - `IPRule { ip }` Matches an IP address block.
    - `ip: { ip }`
      - `ip: string` An IPv4 or IPv6 CIDR block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `okta: { identity_provider_id, name }`
      - `identity_provider_id: string` The ID of your Okta identity provider.
      - `name: string` The name of the Okta group.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `saml: { attribute_name, attribute_value, identity_provider_id }`
      - `attribute_name: string` The name of the SAML attribute.
      - `attribute_value: string` The SAML attribute value to look for.
      - `identity_provider_id: string` The ID of your SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: { claim_name, claim_value, identity_provider_id }`
      - `claim_name: string` The name of the OIDC claim.
      - `claim_value: string` The OIDC claim value to look for.
      - `identity_provider_id: string` The ID of your OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `service_token: { token_id }`
      - `token_id: string` The ID of a Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
    Only compatible with non_identity and bypass decisions.
    - `linked_app_token: { app_uid }`
      - `app_uid: string` The ID of an Access OIDC SaaS application.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `user_risk_score: { user_risk_score }`
      - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`

### Any Valid Service Token Rule

- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `any_valid_service_token: { }` An empty object which matches on all service tokens.

### Authentication Method Rule

- `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
  - `auth_method: { auth_method }`
    - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).

### Azure Group Rule

- `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `azureAD: { id, identity_provider_id }`
    - `id: string` The ID of an Azure group.
    - `identity_provider_id: string` The ID of your Azure identity provider.

### Certificate Rule

- `CertificateRule { certificate }` Matches any valid client certificate.
  - `certificate: { }`

### Country Rule

- `CountryRule { geo }` Matches a specific country.
  - `geo: { country_code }`
    - `country_code: string` The country code that should be matched.

### Domain Rule

- `DomainRule { email_domain }` Matches an entire email domain.
  - `email_domain: { domain }`
    - `domain: string` The email domain to match.

### Email List Rule

- `EmailListRule { email_list }` Matches an email address from a list.
  - `email_list: { id }`
    - `id: string` The ID of a previously created email list.

### Email Rule

- `EmailRule { email }` Matches a specific email.
  - `email: { email }`
    - `email: string` The email of the user.
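The rule variants above are selectors; a policy combines them through its `include` (OR), `exclude` (NOT) and `require` (AND) lists and attaches a `decision`, as documented for the policy responses further down this page. The evaluator below is an added example, not Cloudflare's implementation, and models that logic for a subset of the variants (`email`, `email_domain`, `group`, `ip`, `geo`, `everyone`, `any_valid_service_token`, `service_token`, `device_posture`, `auth_method`, `login_method`, `user_risk_score`). The request-context shape, the ordering model (policies tried in ascending `precedence`, first match wins) and the default of deny when nothing matches are assumptions of this model; every ID, email and address in the sample data is constructed. A selector the model does not know raises instead of matching, so a misspelled rule fails closed.

```python
"""Evaluate Access policies against a request context (added example)."""
import ipaddress
from typing import Any, Dict, List, Optional, Tuple

Rule = Dict[str, Any]
Context = Dict[str, Any]


def rule_matches(rule: Rule, ctx: Context) -> bool:
    """True if a single AccessRule selector matches the request context."""
    if len(rule) != 1:
        raise ValueError(f"a rule must carry exactly one selector: {rule}")
    kind, body = next(iter(rule.items()))
    email = ctx.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":
        return "@" in email and email.rsplit("@", 1)[1] == body["domain"].lower()
    if kind == "group":
        return body["id"] in ctx.get("groups", ())
    if kind == "ip":
        if ctx.get("ip") is None:
            return False
        # ip_network.__contains__ returns False across IPv4/IPv6 versions.
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    if kind == "any_valid_service_token":
        return ctx.get("service_token_id") is not None
    if kind == "service_token":
        return ctx.get("service_token_id") == body["token_id"]
    if kind == "device_posture":
        return body["integration_uid"] in ctx.get("posture_passed", ())
    if kind == "auth_method":          # RFC 8176 amr values the IdP asserted
        return body["auth_method"] in ctx.get("amr", ())
    if kind == "login_method":
        return ctx.get("idp_id") == body["id"]
    if kind == "user_risk_score":
        return ctx.get("risk_score", "unscored") in body["user_risk_score"]
    # Fail closed: an unrecognised selector must never count as a match.
    raise ValueError(f"unsupported rule selector: {kind}")


def policy_matches(policy: Dict[str, Any], ctx: Context) -> bool:
    """include is OR, exclude is NOT, require is AND."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False                      # no include hit (an empty list never matches)
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False                      # a single exclude hit vetoes the policy
    return all(rule_matches(r, ctx) for r in policy.get("require", []))


def evaluate(policies: List[Dict[str, Any]], ctx: Context) -> Tuple[str, Optional[str]]:
    """Return (decision, policy name) of the first match in precedence order.

    Assumed model: ascending precedence, first match wins, deny if none match.
    """
    precedences = [p["precedence"] for p in policies]
    if len(set(precedences)) != len(precedences):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"], policy.get("name")
    return "deny", None


# Constructed sample data: every ID, address and email below is a placeholder.
SAMPLE_POLICIES = [
    {"name": "block-embargoed", "precedence": 1, "decision": "deny",
     "include": [{"geo": {"country_code": "XX"}}]},
    {"name": "staff-with-posture", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"group": {"id": "GROUP-ID-PLACEHOLDER"}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}],
     "require": [{"device_posture": {"integration_uid": "POSTURE-UID-PLACEHOLDER"}},
                 {"auth_method": {"auth_method": "mfa"}}]},
    {"name": "automation", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
]
CTX_ALICE = {"email": "alice@example.com", "country": "US", "ip": "10.1.2.3",
             "posture_passed": {"POSTURE-UID-PLACEHOLDER"}, "amr": {"mfa"}}
CTX_CONTRACTOR = dict(CTX_ALICE, email="contractor@example.com")
CTX_BOB_NO_POSTURE = {"email": "bob@example.com", "country": "US", "amr": {"mfa"}}
CTX_SERVICE_TOKEN = {"service_token_id": "TOKEN-ID-PLACEHOLDER", "country": "US"}

if __name__ == "__main__":
    for label, ctx in [("alice", CTX_ALICE), ("contractor", CTX_CONTRACTOR),
                       ("bob", CTX_BOB_NO_POSTURE), ("service token", CTX_SERVICE_TOKEN)]:
        print(label, evaluate(SAMPLE_POLICIES, ctx))
```

The contractor case is the one worth studying: the user satisfies an include rule and both require rules, but a single exclude hit vetoes the policy, and because nothing later matches the outcome is the default deny rather than a fall-through to a more permissive policy.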
### Everyone Rule

- `EveryoneRule { everyone }` Matches everyone.
  - `everyone: { }` An empty object which matches on all users.

### External Evaluation Rule

- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `external_evaluation: { evaluate_url, keys_url }`
    - `evaluate_url: string` The API endpoint containing your business logic.
    - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.

### GitHub Organization Rule

- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `"github-organization": { identity_provider_id, name, team }`
    - `identity_provider_id: string` The ID of your GitHub identity provider.
    - `name: string` The name of the organization.
    - `team: optional string` The name of the team.

### Group Rule

- `GroupRule { group }` Matches an Access group.
  - `group: { id }`
    - `id: string` The ID of a previously created Access group.

### GSuite Group Rule

- `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `gsuite: { email, identity_provider_id }`
    - `email: string` The email of the Google Workspace group.
    - `identity_provider_id: string` The ID of your Google Workspace identity provider.

### IP List Rule

- `IPListRule { ip_list }` Matches an IP address from a list.
  - `ip_list: { id }`
    - `id: string` The ID of a previously created IP list.

### IP Rule

- `IPRule { ip }` Matches an IP address block.
  - `ip: { ip }`
    - `ip: string` An IPv4 or IPv6 CIDR block.

### Okta Group Rule

- `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `okta: { identity_provider_id, name }`
    - `identity_provider_id: string` The ID of your Okta identity provider.
    - `name: string` The name of the Okta group.

### SAML Group Rule

- `SAMLGroupRule { saml }` Matches a SAML group.
  Requires a SAML identity provider.
  - `saml: { attribute_name, attribute_value, identity_provider_id }`
    - `attribute_name: string` The name of the SAML attribute.
    - `attribute_value: string` The SAML attribute value to look for.
    - `identity_provider_id: string` The ID of your SAML identity provider.

### Service Token Rule

- `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `service_token: { token_id }`
    - `token_id: string` The ID of a Service Token.

### Policy List Response

- `PolicyListResponse { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a re-usable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group.
      Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
      Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group.
      Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Policy Get Response

- `PolicyGetResponse { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a re-usable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `updated_at: optional string` ### Policy Create Response - `PolicyCreateResponse { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. 
- `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. 
- `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. 
- `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `updated_at: optional string` ### Policy Update Response - `PolicyUpdateResponse { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. 
- `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. 
- `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. 
- `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` ### Policy Delete Response - `PolicyDeleteResponse { id }` - `id: optional string` UUID. 
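The Policy Create Response and Policy Update Response schemas above both document the same rule logic: `include` rules are combined with OR, `require` rules with AND, and `exclude` rules with NOT, and they attach several constraints to other fields (the four `decision` values, `linked_app_token` only with `non_identity` or `bypass`, `mfa_config.session_duration` in minutes or hours up to 720h, the application `session_duration` as a Go-style duration). The following is an added example, not Cloudflare's code: a local model of that combination logic for reasoning about a policy before it is submitted, plus a linter for the constraints listed. Only a subset of rule kinds is modelled, the identity context (`email`, `groups`, `country`, `ip`, `service_token_id`, `amr`), the sample policy and all IDs in it are constructed, and the extra `bypass` warning relies on `bypass` meaning that Access enforcement is skipped for matching requests, which the page itself does not spell out.

```python
import ipaddress
import re

# Constraints stated on the page: mfa_config.session_duration is minutes or hours,
# 0m up to 720h; application session_duration is a Go-style duration with units
# ns, us (or µs), ms, s, m, h.
_MFA_DURATION = re.compile(r"^(\d+)([mh])$")
_GO_DURATION = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
_MAX_MFA_MINUTES = 720 * 60
VALID_DECISIONS = {"allow", "deny", "non_identity", "bypass"}


def rule_matches(rule: dict, identity: dict) -> bool:
    """Evaluate one AccessRule object (a single-key dict in the page's schema) against a
    constructed identity context. Only the rule kinds below are modelled in this example."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return identity.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        return identity.get("email", "").lower().endswith("@" + body["domain"].lower())
    if kind == "group":
        return body["id"] in identity.get("groups", ())
    if kind == "geo":
        return identity.get("country") == body["country_code"]
    if kind == "ip":
        if "ip" not in identity:
            return False
        return ipaddress.ip_address(identity["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "any_valid_service_token":
        return identity.get("service_token_id") is not None
    if kind == "service_token":
        return identity.get("service_token_id") == body["token_id"]
    if kind == "auth_method":
        # RFC 8176 amr values such as "hwk"; assumed to be carried in identity["amr"]
        return body["auth_method"] in identity.get("amr", ())
    raise ValueError(f"rule kind not modelled in this example: {kind}")


def policy_matches(policy: dict, identity: dict) -> bool:
    """include is OR, require is AND, exclude is NOT, as the page documents."""
    if not any(rule_matches(r, identity) for r in policy.get("include", [])):
        return False
    if not all(rule_matches(r, identity) for r in policy.get("require", [])):
        return False
    if any(rule_matches(r, identity) for r in policy.get("exclude", [])):
        return False
    return True


def lint_policy(policy: dict) -> list:
    """Static checks worth running before POSTing a policy; returns a list of problems."""
    problems = []
    decision = policy.get("decision")
    if decision not in VALID_DECISIONS:
        problems.append(f"decision {decision!r} is not one of {sorted(VALID_DECISIONS)}")
    include = policy.get("include", [])
    if not include:
        problems.append("include is empty, so the policy can never match")
    all_rules = include + policy.get("require", []) + policy.get("exclude", [])
    if any("linked_app_token" in r for r in all_rules) and decision not in {"non_identity", "bypass"}:
        problems.append("linked_app_token rules are only compatible with non_identity and bypass decisions")
    if (decision == "bypass" and any("everyone" in r for r in include)
            and not policy.get("require") and not policy.get("exclude")):
        # bypass skips Access enforcement for matching requests (practitioner knowledge, not from the page)
        problems.append("bypass with an unrestricted everyone rule disables Access for all traffic")
    mfa_duration = (policy.get("mfa_config") or {}).get("session_duration")
    if mfa_duration is not None:
        m = _MFA_DURATION.match(mfa_duration)
        minutes = None if m is None else int(m.group(1)) * (60 if m.group(2) == "h" else 1)
        if minutes is None or minutes > _MAX_MFA_MINUTES:
            problems.append(f"mfa_config.session_duration {mfa_duration!r} must be Nm or Nh, at most 720h")
    app_duration = policy.get("session_duration")
    if app_duration is not None and not _GO_DURATION.match(app_duration):
        problems.append(f"session_duration {app_duration!r} is not a Go-style duration such as 2h45m")
    return problems


# Constructed sample policy in the page's schema: staff by email domain OR a contractor
# group, only from the US, never the one offboarded account. IDs are made up.
SAMPLE_POLICY = {
    "name": "Internal wiki",
    "decision": "allow",
    "precedence": 1,
    "include": [{"email_domain": {"domain": "example.com"}}, {"group": {"id": "grp-contractors"}}],
    "require": [{"geo": {"country_code": "US"}}],
    "exclude": [{"email": {"email": "former.employee@example.com"}}],
    "session_duration": "24h",
    "mfa_config": {"allowed_authenticators": ["security_key"], "session_duration": "12h"},
}

if __name__ == "__main__":
    print(lint_policy(SAMPLE_POLICY))
    print(policy_matches(SAMPLE_POLICY, {"email": "alice@example.com", "country": "US"}))
    print(policy_matches(SAMPLE_POLICY, {"email": "bob@example.com", "country": "DE"}))
```

The evaluator is deliberately strict about unknown rule kinds: raising on a rule it does not understand is safer than silently treating it as a non-match, which would make a policy look more restrictive offline than it is once Cloudflare evaluates the real rule.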
# Policy Tests ## Get the current status of a given Access policy test **get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}` Fetches the current status of a given Access policy test. ### Path Parameters - `account_id: string` Identifier. - `policy_test_id: string` The UUID of the policy test. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id, percent_approved, percent_blocked, 7 more }` - `id: optional string` The UUID of the policy test. - `percent_approved: optional number` The percentage of (processed) users approved based on policy evaluation results. - `percent_blocked: optional number` The percentage of (processed) users blocked based on policy evaluation results. - `percent_errored: optional number` The percentage of (processed) users errored based on policy evaluation results. - `percent_users_processed: optional number` The percentage of users processed so far (of the entire user base). - `status: optional "blocked" or "processing" or "exceeded time" or "complete"` The status of the policy test. - `"blocked"` - `"processing"` - `"exceeded time"` - `"complete"` - `total_users: optional number` The total number of users in the user base. - `users_approved: optional number` The number of (processed) users approved based on policy evaluation results. - `users_blocked: optional number` The number of (processed) users blocked based on policy evaluation results. - `users_errored: optional number` The number of (processed) users errored based on policy evaluation results. 
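A policy test runs asynchronously, so the practical use of this endpoint is to poll it until the `status` stops being `processing` and then decide, from the user counts, whether the tested policy behaves as expected before it is deployed. The following is an added example, not Cloudflare's code: a poller with an injectable fetch function so it runs offline, a summary that derives rates from the `users_*` counts rather than the `percent_*` fields (the page's own sample response reports `percent_approved` 25 with 5 users approved, 20 total and 50% processed, so the denominator those percentages use is not obvious), and a release gate with hypothetical thresholds. It assumes that `complete`, `blocked` and `exceeded time` are terminal statuses; the response sequence in `FAKE_RESPONSES` is constructed from the page's sample.

```python
import json
import time
import urllib.request

# Status values listed on the page; the three non-"processing" ones are treated here
# as terminal (an assumption: the page lists them but does not say which are final).
TERMINAL_STATUSES = {"complete", "blocked", "exceeded time"}


def fetch_policy_test(account_id, policy_test_id, api_token, opener=urllib.request.urlopen):
    """One GET against the status endpoint; `opener` is injectable so tests can run offline."""
    url = (f"https://api.cloudflare.com/client/v4/accounts/{account_id}"
           f"/access/policy-tests/{policy_test_id}")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_token}"})
    with opener(req) as resp:
        return json.load(resp)


def wait_for_policy_test(get_status, max_polls=60, interval=2.0, sleep=time.sleep):
    """Call get_status() until the test reaches a terminal status; return the result object."""
    for _ in range(max_polls):
        body = get_status()
        if not body.get("success"):
            raise RuntimeError(f"API call failed: {body.get('errors')}")
        result = body["result"]
        if result.get("status") in TERMINAL_STATUSES:
            return result
        sleep(interval)
    raise TimeoutError("policy test still processing after max_polls")


def summarise(result):
    """Derive rates from the user counts, which are unambiguous; processed is the sum of
    approved, blocked and errored users."""
    approved = result.get("users_approved", 0)
    blocked = result.get("users_blocked", 0)
    errored = result.get("users_errored", 0)
    total = result.get("total_users", 0)
    processed = approved + blocked + errored
    return {
        "status": result.get("status"),
        "processed": processed,
        "total_users": total,
        "approved_share_of_total": approved / total if total else 0.0,
        "approved_share_of_processed": approved / processed if processed else 0.0,
        "covered_everyone": processed == total,
    }


def release_gate(result, max_approved, allow_errors=False):
    """CI-style check before deploying the tested policy. Returns blocking reasons (empty = go).
    max_approved is a hypothetical threshold: the number of users the policy is expected to admit."""
    reasons = []
    if result.get("status") != "complete":
        reasons.append(f"test ended with status {result.get('status')!r}")
    errored = result.get("users_errored", 0)
    if errored and not allow_errors:
        reasons.append(f"{errored} users errored during evaluation")
    approved = result.get("users_approved", 0)
    if approved > max_approved:
        reasons.append(f"{approved} users would be approved, expected at most {max_approved}")
    return reasons


def make_fake_status(bodies):
    """Constructed stand-in for fetch_policy_test: returns each response body in turn."""
    it = iter(bodies)
    return lambda: next(it)


# Constructed response sequence: one in-flight poll, then the page's sample final result.
FAKE_RESPONSES = [
    {"success": True, "errors": [], "messages": [],
     "result": {"id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
                "status": "processing", "percent_users_processed": 10, "total_users": 20,
                "users_approved": 1, "users_blocked": 1, "users_errored": 0}},
    {"success": True, "errors": [], "messages": [],
     "result": {"id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
                "status": "complete", "percent_approved": 25, "percent_blocked": 25,
                "percent_errored": 25, "percent_users_processed": 50, "total_users": 20,
                "users_approved": 5, "users_blocked": 5, "users_errored": 5}},
]

if __name__ == "__main__":
    final = wait_for_policy_test(make_fake_status(FAKE_RESPONSES), sleep=lambda s: None)
    print(summarise(final))
    print(release_gate(final, max_approved=3))
```

Against a live account, replace the fake with `lambda: fetch_policy_test(account_id, policy_test_id, token)`. Treating `users_errored` as a blocker by default is deliberate: an errored evaluation is a user whose outcome is unknown, which is the wrong thing to wave through for an Allow policy.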
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policy-tests/$POLICY_TEST_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    "percent_approved": 25,
    "percent_blocked": 25,
    "percent_errored": 25,
    "percent_users_processed": 50,
    "status": "complete",
    "total_users": 20,
    "users_approved": 5,
    "users_blocked": 5,
    "users_errored": 5
  }
}
```

## Start Access policy test **post** `/accounts/{account_id}/access/policy-tests` Starts an Access policy test. ### Path Parameters - `account_id: string` Identifier. ### Body Parameters - `policies: optional array of { decision, include, name, 10 more } or string` - `{ decision, include, name, 10 more }` - `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. 
          - `ac_id: string` The ACID of an Authentication context.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `auth_method: { auth_method }`
          - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `azureAD: { id, identity_provider_id }`
          - `id: string` The ID of an Azure group.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
        - `certificate: { }`
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `common_name: { common_name }`
          - `common_name: string` The common name to match.
      - `CountryRule { geo }` Matches a specific country.
        - `geo: { country_code }`
          - `country_code: string` The country code that should be matched.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `device_posture: { integration_uid }`
          - `integration_uid: string` The ID of a device posture integration.
      - `DomainRule { email_domain }` Matches an entire email domain.
        - `email_domain: { domain }`
          - `domain: string` The email domain to match.
      - `EmailListRule { email_list }` Matches an email address from a list.
        - `email_list: { id }`
          - `id: string` The ID of a previously created email list.
      - `EmailRule { email }` Matches a specific email.
        - `email: { email }`
          - `email: string` The email of the user.
      - `EveryoneRule { everyone }` Matches everyone.
        - `everyone: { }` An empty object which matches on all users.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `external_evaluation: { evaluate_url, keys_url }`
          - `evaluate_url: string` The API endpoint containing your business logic.
          - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `"github-organization": { identity_provider_id, name, team }`
          - `identity_provider_id: string` The ID of your GitHub identity provider.
          - `name: string` The name of the organization.
          - `team: optional string` The name of the team.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `gsuite: { email, identity_provider_id }`
          - `email: string` The email of the Google Workspace group.
          - `identity_provider_id: string` The ID of your Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `login_method: { id }`
          - `id: string` The ID of an identity provider.
      - `IPListRule { ip_list }` Matches an IP address from a list.
        - `ip_list: { id }`
          - `id: string` The ID of a previously created IP list.
      - `IPRule { ip }` Matches an IP address block.
        - `ip: { ip }`
          - `ip: string` An IPv4 or IPv6 CIDR block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `okta: { identity_provider_id, name }`
          - `identity_provider_id: string` The ID of your Okta identity provider.
          - `name: string` The name of the Okta group.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `saml: { attribute_name, attribute_value, identity_provider_id }`
          - `attribute_name: string` The name of the SAML attribute.
          - `attribute_value: string` The SAML attribute value to look for.
          - `identity_provider_id: string` The ID of your SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `oidc: { claim_name, claim_value, identity_provider_id }`
          - `claim_name: string` The name of the OIDC claim.
          - `claim_value: string` The OIDC claim value to look for.
          - `identity_provider_id: string` The ID of your OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `service_token: { token_id }`
          - `token_id: string` The ID of a Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `linked_app_token: { app_uid }`
          - `app_uid: string` The ID of an Access OIDC SaaS application.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `user_risk_score: { user_risk_score }`
          - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
            - `"low"`
            - `"medium"`
            - `"high"`
            - `"unscored"`
    - `name: string` The name of the Access policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `string` The UUID of the reusable policy you wish to test.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, status }`
  - `id: optional string` The UUID of the policy test.
  - `status: optional "success"` The status of the policy test request.
    - `"success"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policy-tests \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{}'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    "status": "success"
  }
}
```

## Domain Types

### Policy Test Get Response

- `PolicyTestGetResponse { id, percent_approved, percent_blocked, 7 more }`
  - `id: optional string` The UUID of the policy test.
  - `percent_approved: optional number` The percentage of (processed) users approved based on policy evaluation results.
  - `percent_blocked: optional number` The percentage of (processed) users blocked based on policy evaluation results.
  - `percent_errored: optional number` The percentage of (processed) users errored based on policy evaluation results.
  - `percent_users_processed: optional number` The percentage of users processed so far (of the entire user base).
  - `status: optional "blocked" or "processing" or "exceeded time" or "complete"` The status of the policy test.
    - `"blocked"`
    - `"processing"`
    - `"exceeded time"`
    - `"complete"`
  - `total_users: optional number` The total number of users in the user base.
  - `users_approved: optional number` The number of (processed) users approved based on policy evaluation results.
  - `users_blocked: optional number` The number of (processed) users blocked based on policy evaluation results.
  - `users_errored: optional number` The number of (processed) users errored based on policy evaluation results.

### Policy Test Create Response

- `PolicyTestCreateResponse { id, status }`
  - `id: optional string` The UUID of the policy test.
  - `status: optional "success"` The status of the policy test request.
    - `"success"`

# Users

## Get an Access policy test users page

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}/users`

Fetches a single page of user results from an Access policy test.

### Path Parameters

- `account_id: string` Identifier.
- `policy_test_id: string` The UUID of the policy test.

### Query Parameters

- `page: optional number` Page number of results.
- `per_page: optional number`
- `status: optional "success" or "fail" or "error"` Filter users by their policy evaluation status.
  - `"success"`
  - `"fail"`
  - `"error"`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, email, name, status }` Page of processed users.
  - `id: optional string` UUID.
  - `email: optional string` The email of the user.
  - `name: optional string` The name of the user.
  - `status: optional "approved" or "blocked" or "error"` Policy evaluation result for an individual user.
    - `"approved"`
    - `"blocked"`
    - `"error"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policy-tests/$POLICY_TEST_ID/users \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "jdoe@example.com",
      "name": "Jane Doe",
      "status": "approved"
    }
  ]
}
```

## Domain Types

### User List Response

- `UserListResponse { id, email, name, status }`
  - `id: optional string` UUID.
  - `email: optional string` The email of the user.
  - `name: optional string` The name of the user.
  - `status: optional "approved" or "blocked" or "error"` Policy evaluation result for an individual user.
    - `"approved"`
    - `"blocked"`
    - `"error"`

# Settings

## Update Access application settings

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `allow_iframe: optional boolean` Enables loading application content in an iFrame.
- `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { allow_iframe, skip_interstitial }`
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/settings \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "allow_iframe": true,
    "skip_interstitial": true
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Update Access application settings

**patch** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `allow_iframe: optional boolean` Enables loading application content in an iFrame.
- `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { allow_iframe, skip_interstitial }`
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/settings \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "allow_iframe": true,
    "skip_interstitial": true
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Domain Types

### Setting Update Response

- `SettingUpdateResponse { allow_iframe, skip_interstitial }`
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.

### Setting Edit Response

- `SettingEditResponse { allow_iframe, skip_interstitial }`
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.

# Certificates

## List mTLS certificates

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Lists all mTLS root certificates.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of Certificate`
  - `id: optional string` The ID of the application that will use this certificate.
  - `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `expires_on: optional string`
  - `fingerprint: optional string` The MD5 fingerprint of the certificate.
  - `name: optional string` The name of the certificate.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
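
The `result` list above is the inventory of root CAs that Access will trust for client-certificate authentication, so two checks are worth running against it on a schedule: which roots are expired or about to expire, and whether the root you hold locally is really the one Access has (by recomputing the MD5 fingerprint in the same `MD5 Fingerprint=AA:BB:...` form the API returns). The following is an added example, not Cloudflare's code. The response list, the PEM and the IDs are constructed here; the PEM body is not a real certificate, only a base64 string with a known MD5, and the timestamp parser is this example's own helper for the `2014-01-01T05:20:00.12345Z` format shown in the responses.

```python
# Added example (not Cloudflare's code): audit a "List mTLS certificates" result list for
# expiring roots and match a locally held PEM against the API's MD5 fingerprint field.
# The sample response and PEM below are constructed; the PEM body is not a certificate.
import base64
import hashlib
import re
from datetime import datetime, timedelta, timezone


def md5_fingerprint(pem):
    """MD5 over the DER bytes of the first PEM block, formatted like the API's `fingerprint`.
    MD5 is adequate as a lookup key for matching your own upload; it is not collision resistant."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    der = base64.b64decode("".join(m.group(1).split()))
    return "MD5 Fingerprint=" + ":".join(f"{b:02X}" for b in hashlib.md5(der).digest())


def parse_api_time(value):
    """Parse timestamps like 2014-01-01T05:20:00.12345Z (fraction optional) into aware UTC."""
    main = value.rstrip("Z").split(".", 1)[0]
    return datetime.strptime(main, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def expiring_certificates(result, now, within=timedelta(days=30)):
    """Names of certificates whose expires_on is missing, already past, or inside `within`."""
    out = []
    for cert in result:
        exp = cert.get("expires_on")
        if exp is None or parse_api_time(exp) <= now + within:
            out.append(cert.get("name"))
    return out


def find_by_pem(result, pem):
    """The API record whose fingerprint matches the local PEM, or None if Access does not have it."""
    fp = md5_fingerprint(pem)
    return next((c for c in result if c.get("fingerprint") == fp), None)


def audit(result, pem, now_iso=None):
    """Run both checks; `now_iso` (API-style timestamp) pins the clock for reproducible runs."""
    now = parse_api_time(now_iso) if now_iso else datetime.now(timezone.utc)
    match = find_by_pem(result, pem)
    return {"expiring": expiring_certificates(result, now),
            "local_pem_known_to_access": match["name"] if match else None}


# Constructed PEM whose body is base64("abc"); MD5("abc") = 900150983cd24fb0d6963f7d28e17f72
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

SAMPLE_RESULT = [  # constructed; IDs are placeholders, the first fingerprint is the page's sample value
    {"id": "CERT_ID_PLACEHOLDER_1", "name": "Allow devs", "associated_hostnames": ["admin.example.com"],
     "expires_on": "2014-01-01T05:20:00.12345Z",
     "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91"},
    {"id": "CERT_ID_PLACEHOLDER_2", "name": "Build agents", "associated_hostnames": ["ci.example.com"],
     "expires_on": "2031-06-30T00:00:00Z",
     "fingerprint": "MD5 Fingerprint=90:01:50:98:3C:D2:4F:B0:D6:96:3F:7D:28:E1:7F:72"},
    {"id": "CERT_ID_PLACEHOLDER_3", "name": "Legacy", "associated_hostnames": []},
]


if __name__ == "__main__":
    print(audit(SAMPLE_RESULT, SAMPLE_PEM, "2025-01-01T00:00:00Z"))
```

A record without `expires_on` is reported alongside expired ones on purpose: a root whose lifetime the API cannot tell you is something to investigate, not something to assume is fine.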
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "associated_hostnames": [
        "admin.example.com"
      ],
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
      "name": "Allow devs",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an mTLS certificate

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Fetches a single mTLS certificate.

### Path Parameters

- `certificate_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Certificate`
  - `id: optional string` The ID of the application that will use this certificate.
  - `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `expires_on: optional string`
  - `fingerprint: optional string` The MD5 fingerprint of the certificate.
  - `name: optional string` The name of the certificate.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates/$CERTIFICATE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [
      "admin.example.com"
    ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Add an mTLS certificate

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Adds a new mTLS root certificate to Access.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `certificate: string` The certificate content.
- `name: string` The name of the certificate.
- `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Certificate`
  - `id: optional string` The ID of the application that will use this certificate.
  - `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `expires_on: optional string`
  - `fingerprint: optional string` The MD5 fingerprint of the certificate.
  - `name: optional string` The name of the certificate.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "certificate": "-----BEGIN CERTIFICATE-----\\nMIIGAjCCA+qgAwIBAgIJAI7kymlF7CWT...N4RI7KKB7nikiuUf8vhULKy5IX10\\nDrUtmu/B\\n-----END CERTIFICATE-----",
    "name": "Allow devs"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [
      "admin.example.com"
    ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an mTLS certificate

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Updates a configured mTLS certificate.

### Path Parameters

- `certificate_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `associated_hostnames: array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
- `name: optional string` The name of the certificate.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Certificate`
  - `id: optional string` The ID of the application that will use this certificate.
  - `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `expires_on: optional string`
  - `fingerprint: optional string` The MD5 fingerprint of the certificate.
  - `name: optional string` The name of the certificate.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates/$CERTIFICATE_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "associated_hostnames": [
      "admin.example.com"
    ],
    "name": "Allow devs"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [
      "admin.example.com"
    ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an mTLS certificate

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Deletes an mTLS certificate.

### Path Parameters

- `certificate_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates/$CERTIFICATE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Associated Hostnames

- `AssociatedHostnames = string` A fully-qualified domain name (FQDN).

### Certificate

- `Certificate { id, associated_hostnames, expires_on, 2 more }`
  - `id: optional string` The ID of the application that will use this certificate.
  - `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `expires_on: optional string`
  - `fingerprint: optional string` The MD5 fingerprint of the certificate.
  - `name: optional string` The name of the certificate.

### Certificate Delete Response

- `CertificateDeleteResponse { id }`
  - `id: optional string` UUID.

# Settings

## List all mTLS hostname settings

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

List all mTLS hostname settings for this account or zone.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of CertificateSettings`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China Network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding takes the client certificate presented by the eyeball to the edge and forwards it to the origin as an HTTP header, to allow logging on the origin.
  - `hostname: string` The hostname that these settings apply to.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates/settings \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Update an mTLS certificate's hostname settings

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

Updates an mTLS certificate's hostname settings.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `settings: array of CertificateSettings`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China Network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding takes the client certificate presented by the eyeball to the edge and forwards it to the origin as an HTTP header, to allow logging on the origin.
  - `hostname: string` The hostname that these settings apply to.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of CertificateSettings`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China Network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding takes the client certificate presented by the eyeball to the edge and forwards it to the origin as an HTTP header, to allow logging on the origin.
  - `hostname: string` The hostname that these settings apply to.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
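The request and response shapes for the hostname settings endpoint, as an added example in Python (not Cloudflare's own client code). It builds the PUT body with the two constraints the reference states, exactly one of account or zone ID and `china_network` only on a China Network enabled zone (whether the zone is enabled is a caller-supplied assumption here), and unpacks the `success`/`errors`/`result_info` envelope; the helper names and the sample envelopes are constructed for this example, and the actual HTTP call is left to the caller.

```python
import json
from dataclasses import asdict, dataclass
from typing import Optional

API_BASE = "https://api.cloudflare.com/client/v4"
SETTINGS_PATH = "access/certificates/settings"


@dataclass(frozen=True)
class CertificateSettings:
    """One CertificateSettings object as the endpoint accepts and returns it."""
    hostname: str
    client_certificate_forwarding: bool = False
    china_network: bool = False


def scope_path(account_id: Optional[str] = None, zone_id: Optional[str] = None) -> str:
    """Resolve {accounts_or_zones}/{account_or_zone_id}; exactly one ID is allowed."""
    if (account_id is None) == (zone_id is None):
        raise ValueError("pass exactly one of account_id or zone_id (they are mutually exclusive)")
    return f"accounts/{account_id}" if account_id is not None else f"zones/{zone_id}"


def build_settings_request(settings, *, account_id=None, zone_id=None,
                           china_network_enabled=False):
    """Return (url, body) for PUT .../access/certificates/settings.

    china_network_enabled is an assumption supplied by the caller: the reference
    says china_network may only be true on a China Network enabled zone, so that
    combination is rejected here before any request is sent.
    """
    seen = set()
    for s in settings:
        if not s.hostname or s.hostname in seen:
            raise ValueError(f"hostname missing or duplicated: {s.hostname!r}")
        seen.add(s.hostname)
        if s.china_network and not china_network_enabled:
            raise ValueError(f"{s.hostname}: china_network requires a China Network enabled zone")
    url = f"{API_BASE}/{scope_path(account_id, zone_id)}/{SETTINGS_PATH}"
    return url, {"settings": [asdict(s) for s in settings]}


class CloudflareAPIError(Exception):
    """Raised when the envelope reports success=false; carries the errors array."""

    def __init__(self, errors):
        super().__init__("; ".join(f"{e.get('code')}: {e.get('message')}" for e in errors))
        self.errors = errors


def parse_settings_response(raw: str):
    """Unpack the response envelope into (list of CertificateSettings, result_info)."""
    body = json.loads(raw)
    if not body.get("success"):
        raise CloudflareAPIError(body.get("errors", []))
    settings = [CertificateSettings(**item) for item in body.get("result", [])]
    return settings, body.get("result_info", {})


def remaining_pages(result_info) -> int:
    """How many further pages a paginated list response still has (0 when none)."""
    return max(result_info.get("total_pages", 1) - result_info.get("page", 1), 0)


# Constructed sample envelopes (not captured from the API), shaped like the page's response.
SAMPLE_OK = json.dumps({
    "errors": [], "messages": [], "success": True,
    "result": [{"china_network": False, "client_certificate_forwarding": True,
                "hostname": "admin.example.com"}],
    "result_info": {"count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100},
})
SAMPLE_FAIL = json.dumps({
    "errors": [{"code": 1000, "message": "message"}], "messages": [],
    "success": False, "result": None,
})

if __name__ == "__main__":
    url, body = build_settings_request(
        [CertificateSettings("admin.example.com", client_certificate_forwarding=True)],
        account_id="ACCOUNT_ID_PLACEHOLDER")
    print(url, json.dumps(body))
    settings, info = parse_settings_response(SAMPLE_OK)
    print(settings, "pages left:", remaining_pages(info))
```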
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates/settings \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "settings": [
      {
        "china_network": false,
        "client_certificate_forwarding": true,
        "hostname": "admin.example.com"
      }
    ]
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Certificate Settings

- `CertificateSettings { china_network, client_certificate_forwarding, hostname }`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China Network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding takes the client certificate presented by the eyeball to the edge and forwards it to the origin as an HTTP header, to allow logging on the origin.
  - `hostname: string` The hostname that these settings apply to.

# Groups

## List Access groups

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Lists all Access groups.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `name: optional string` The name of the group.
- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.
- `search: optional string` Search for groups by other listed query parameters.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, exclude, include, 3 more }`
  - `id: optional string` UUID.
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `name: optional string` The name of the Access group.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/groups \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "exclude": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "include": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "is_default": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "name": "Allow devs",
      "require": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access group

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Fetches a single Access group.

### Path Parameters

- `group_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, exclude, include, 3 more }`
  - `id: optional string` UUID.
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `name: optional string` The name of the Access group.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
- `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/groups/$GROUP_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access group

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Creates a new Access group.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `GroupRule { group }` Matches an Access group.
    - `group: { id }`
      - `id: string` The ID of a previously created Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `any_valid_service_token: { }` An empty object which matches on all service tokens.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: { id, ac_id, identity_provider_id }`
      - `id: string` The ID of an Authentication context.
      - `ac_id: string` The ACID of an Authentication context.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `auth_method: { auth_method }`
      - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `azureAD: { id, identity_provider_id }`
      - `id: string` The ID of an Azure group.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
    - `certificate: { }`
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `common_name: { common_name }`
      - `common_name: string` The common name to match.
  - `CountryRule { geo }` Matches a specific country.
    - `geo: { country_code }`
      - `country_code: string` The country code that should be matched.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `device_posture: { integration_uid }`
      - `integration_uid: string` The ID of a device posture integration.
  - `DomainRule { email_domain }` Matches an entire email domain.
    - `email_domain: { domain }`
      - `domain: string` The email domain to match.
  - `EmailListRule { email_list }` Matches an email address from a list.
    - `email_list: { id }`
      - `id: string` The ID of a previously created email list.
  - `EmailRule { email }` Matches a specific email.
    - `email: { email }`
      - `email: string` The email of the user.
  - `EveryoneRule { everyone }` Matches everyone.
    - `everyone: { }` An empty object which matches on all users.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: { evaluate_url, keys_url }`
      - `evaluate_url: string` The API endpoint containing your business logic.
      - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `"github-organization": { identity_provider_id, name, team }`
      - `identity_provider_id: string` The ID of your GitHub identity provider.
      - `name: string` The name of the organization.
      - `team: optional string` The name of the team.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: { email, identity_provider_id }`
      - `email: string` The email of the Google Workspace group.
      - `identity_provider_id: string` The ID of your Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `login_method: { id }`
      - `id: string` The ID of an identity provider.
  - `IPListRule { ip_list }` Matches an IP address from a list.
    - `ip_list: { id }`
      - `id: string` The ID of a previously created IP list.
  - `IPRule { ip }` Matches an IP address block.
    - `ip: { ip }`
      - `ip: string` An IPv4 or IPv6 CIDR block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `okta: { identity_provider_id, name }`
      - `identity_provider_id: string` The ID of your Okta identity provider.
      - `name: string` The name of the Okta group.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `saml: { attribute_name, attribute_value, identity_provider_id }`
      - `attribute_name: string` The name of the SAML attribute.
      - `attribute_value: string` The SAML attribute value to look for.
      - `identity_provider_id: string` The ID of your SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: { claim_name, claim_value, identity_provider_id }`
      - `claim_name: string` The name of the OIDC claim.
      - `claim_value: string` The OIDC claim value to look for.
      - `identity_provider_id: string` The ID of your OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `service_token: { token_id }`
      - `token_id: string` The ID of a Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: { app_uid }`
      - `app_uid: string` The ID of an Access OIDC SaaS application.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `user_risk_score: { user_risk_score }`
      - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: string` The name of the Access group.
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `is_default: optional boolean` Whether this is the default group.
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
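The three rule arrays above combine differently: `include` is an OR (one matching rule is enough), `exclude` is a NOT (no rule may match), and `require` is an AND (every rule must match). The evaluator below is an added example, not Cloudflare's code, that makes that combination concrete over a constructed group body shaped like the Create request and a few constructed request contexts. It implements only the rule types that can be checked without an identity provider (`everyone`, `email`, `email_domain`, `ip`, `geo`) and treats any other rule type as a non-match so an unrecognised rule can never widen access; the context field names (`email`, `ip`, `country_code`) are assumptions of the example.

```python
"""Toy evaluator for Access group include / exclude / require semantics.

Added example, not Cloudflare code. Only rule types that need no identity
provider are implemented; everything else fails closed (treated as no match).
"""
import ipaddress
from typing import Any

Rule = dict[str, Any]
Context = dict[str, Any]  # assumed shape: {"email": ..., "ip": ..., "country_code": ...}


def rule_matches(rule: Rule, ctx: Context) -> bool:
    """Evaluate one AccessRule object (one key, as in the API body) against ctx."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return ctx.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        email = ctx.get("email", "")
        if "@" not in email:
            return False
        return email.rsplit("@", 1)[1].lower() == rule["email_domain"]["domain"].lower()
    if "ip" in rule:
        try:
            return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        except (KeyError, ValueError):
            return False  # missing or malformed address: fail closed
    if "geo" in rule:
        return ctx.get("country_code", "").upper() == rule["geo"]["country_code"].upper()
    return False  # unknown rule type (needs an IdP, or a typo): fail closed


def group_matches(group: dict[str, Any], ctx: Context) -> bool:
    """Apply the documented combination: include = OR, exclude = NOT, require = AND."""
    if not any(rule_matches(r, ctx) for r in group.get("include", [])):
        return False  # no Include rule matched
    if any(rule_matches(r, ctx) for r in group.get("exclude", [])):
        return False  # an Exclude rule matched
    return all(rule_matches(r, ctx) for r in group.get("require", []))


# Constructed sample group body (example data, not from the page).
SAMPLE_GROUP = {
    "name": "Allow devs",
    "include": [
        {"email_domain": {"domain": "example.com"}},
        {"email": {"email": "contractor@partner.example"}},
    ],
    "exclude": [
        {"email": {"email": "former.employee@example.com"}},
    ],
    "require": [
        {"ip": {"ip": "203.0.113.0/24"}},
        {"geo": {"country_code": "US"}},
    ],
}


def demo() -> dict[str, bool]:
    """Constructed request contexts, one per branch of the logic."""
    cases = {
        "dev_in_office": {"email": "dev@example.com", "ip": "203.0.113.10", "country_code": "US"},
        "dev_wrong_network": {"email": "dev@example.com", "ip": "198.51.100.5", "country_code": "US"},
        "dev_wrong_country": {"email": "dev@example.com", "ip": "203.0.113.10", "country_code": "DE"},
        "excluded_former_employee": {"email": "former.employee@example.com", "ip": "203.0.113.10", "country_code": "US"},
        "contractor_by_exact_email": {"email": "contractor@partner.example", "ip": "203.0.113.10", "country_code": "US"},
        "outsider": {"email": "someone@other.example", "ip": "203.0.113.10", "country_code": "US"},
    }
    return {name: group_matches(SAMPLE_GROUP, ctx) for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} -> {'match' if ok else 'no match'}")
```

Note the ordering: the former employee satisfies the `email_domain` Include rule, yet `exclude` vetoes the match regardless of how many other rules pass, which is why `exclude` is the right place for deny-list entries rather than narrowing `include`.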
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, exclude, include, 3 more }`
  - `id: optional string` UUID.
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `name: optional string` The name of the Access group.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/groups \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access group

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Updates a configured Access group.

### Path Parameters

- `group_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `GroupRule { group }` Matches an Access group.
    - `group: { id }`
      - `id: string` The ID of a previously created Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `any_valid_service_token: { }` An empty object which matches on all service tokens.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: { id, ac_id, identity_provider_id }`
      - `id: string` The ID of an Authentication context.
      - `ac_id: string` The ACID of an Authentication context.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `auth_method: { auth_method }`
      - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `azureAD: { id, identity_provider_id }`
      - `id: string` The ID of an Azure group.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
    - `certificate: { }`
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `common_name: { common_name }`
      - `common_name: string` The common name to match.
  - `CountryRule { geo }` Matches a specific country.
    - `geo: { country_code }`
      - `country_code: string` The country code that should be matched.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `device_posture: { integration_uid }`
      - `integration_uid: string` The ID of a device posture integration.
  - `DomainRule { email_domain }` Matches an entire email domain.
    - `email_domain: { domain }`
      - `domain: string` The email domain to match.
  - `EmailListRule { email_list }` Matches an email address from a list.
    - `email_list: { id }`
      - `id: string` The ID of a previously created email list.
  - `EmailRule { email }` Matches a specific email.
    - `email: { email }`
      - `email: string` The email of the user.
  - `EveryoneRule { everyone }` Matches everyone.
    - `everyone: { }` An empty object which matches on all users.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: { evaluate_url, keys_url }`
      - `evaluate_url: string` The API endpoint containing your business logic.
      - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `"github-organization": { identity_provider_id, name, team }`
      - `identity_provider_id: string` The ID of your GitHub identity provider.
      - `name: string` The name of the organization.
      - `team: optional string` The name of the team.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: { email, identity_provider_id }`
      - `email: string` The email of the Google Workspace group.
      - `identity_provider_id: string` The ID of your Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `login_method: { id }`
      - `id: string` The ID of an identity provider.
  - `IPListRule { ip_list }` Matches an IP address from a list.
    - `ip_list: { id }`
      - `id: string` The ID of a previously created IP list.
  - `IPRule { ip }` Matches an IP address block.
    - `ip: { ip }`
      - `ip: string` An IPv4 or IPv6 CIDR block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `okta: { identity_provider_id, name }`
      - `identity_provider_id: string` The ID of your Okta identity provider.
      - `name: string` The name of the Okta group.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `saml: { attribute_name, attribute_value, identity_provider_id }`
      - `attribute_name: string` The name of the SAML attribute.
      - `attribute_value: string` The SAML attribute value to look for.
      - `identity_provider_id: string` The ID of your SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: { claim_name, claim_value, identity_provider_id }`
      - `claim_name: string` The name of the OIDC claim.
      - `claim_value: string` The OIDC claim value to look for.
      - `identity_provider_id: string` The ID of your OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `service_token: { token_id }`
      - `token_id: string` The ID of a Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: { app_uid }`
      - `app_uid: string` The ID of an Access OIDC SaaS application.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `user_risk_score: { user_risk_score }`
      - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: string` The name of the Access group.
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `is_default: optional boolean` Whether this is the default group.
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context.
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id, exclude, include, 3 more }` - `id: optional string` UUID. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. 
- `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. 
- `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
- `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. 
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `is_default: optional array of AccessRule` The response schema lists this field with the same shape and description as `require` (rules evaluated with an AND logical operator), and the example response below shows an array of rules. The request body for this endpoint declares `is_default` as a boolean (Whether this is the default group), so verify the live response shape before parsing this field and do not treat it as a rule set. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `name: optional string` The name of the Access group. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. 
- `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
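The request body above describes three rule lists with different logic: `include` is evaluated with OR, `exclude` with NOT, and `require` with AND. The following added example (written for this page, not Cloudflare's code) models that evaluation locally for the selectors that can be decided without an identity provider, so a group definition can be reasoned about before it is PUT to the API. The group definition, the identities, the email domain, the networks, the country code and the `integration_uid` are constructed placeholders; the `audit_group` check that flags an `everyone`-style include with no `require` rules is the editor's own heuristic, not an API feature.

```python
import ipaddress

# Constructed Access group in the request-body shape documented above.
# Name, domain, network, country code and integration_uid are placeholders.
DEV_GROUP = {
    "name": "Allow devs",
    "include": [                      # OR: at least one rule must match
        {"email_domain": {"domain": "example.com"}},
        {"ip": {"ip": "203.0.113.0/24"}},
    ],
    "exclude": [                      # NOT: no rule may match
        {"geo": {"country_code": "KP"}},
        {"email": {"email": "contractor@example.com"}},
    ],
    "require": [                      # AND: every rule must match
        {"device_posture": {"integration_uid": "posture-integration-0001"}},
    ],
}

# Constructed identities (illustrative only); keys are this example's own
# naming for what Access learns from the IdP, the client IP and WARP posture.
ENGINEER = {"email": "alice@example.com", "ip": "198.51.100.7",
            "country_code": "US", "passed_posture": ["posture-integration-0001"]}
NO_POSTURE = {**ENGINEER, "passed_posture": []}
OFFICE_GUEST = {"email": "guest@partner.test", "ip": "203.0.113.45",
                "country_code": "US", "passed_posture": ["posture-integration-0001"]}
CONTRACTOR = {**ENGINEER, "email": "contractor@example.com"}
SANCTIONED = {**ENGINEER, "country_code": "KP"}


def rule_matches(rule, identity):
    """Evaluate one AccessRule object against an identity dict.

    Only selectors that can be decided locally are modelled; IdP group,
    SAML/OIDC claim and external-evaluation rules need the provider.
    """
    (kind, body), = rule.items()      # every AccessRule has exactly one key
    if kind == "everyone":
        return True
    if kind == "email":
        return identity.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        email = identity.get("email", "").lower()
        return "@" in email and email.rsplit("@", 1)[1] == body["domain"].lower()
    if kind == "geo":
        return identity.get("country_code") == body["country_code"]
    if kind == "ip":
        network = ipaddress.ip_network(body["ip"], strict=False)
        try:
            return ipaddress.ip_address(identity.get("ip", "")) in network
        except ValueError:            # missing or malformed client address
            return False
    if kind == "any_valid_service_token":
        return bool(identity.get("service_token_id"))
    if kind == "service_token":
        return identity.get("service_token_id") == body["token_id"]
    if kind == "device_posture":
        return body["integration_uid"] in identity.get("passed_posture", ())
    if kind == "group":
        return body["id"] in identity.get("group_ids", ())
    # Unknown selector: fail closed instead of silently matching.
    raise ValueError(f"unsupported rule type: {kind}")


def group_matches(group, identity):
    """include is OR, exclude is NOT, require is AND; an empty include never matches."""
    if not any(rule_matches(r, identity) for r in group.get("include", [])):
        return False
    if any(rule_matches(r, identity) for r in group.get("exclude", [])):
        return False
    return all(rule_matches(r, identity) for r in group.get("require", []))


def audit_group(group):
    """Editor's heuristic: flag definitions that are unreachable or over-broad."""
    findings = []
    include = group.get("include", [])
    if not include:
        findings.append("include is empty: the group can never match")
    broad = {"everyone", "any_valid_service_token", "certificate"}
    if any(next(iter(r)) in broad for r in include) and not group.get("require"):
        findings.append("broad include selector with no require rules")
    return findings


if __name__ == "__main__":
    for label, ident in [("engineer", ENGINEER), ("no posture", NO_POSTURE),
                         ("office guest", OFFICE_GUEST), ("contractor", CONTRACTOR),
                         ("sanctioned geo", SANCTIONED)]:
        print(f"{label:15} -> {group_matches(DEV_GROUP, ident)}")
    print(audit_group({"name": "open", "include": [{"everyone": {}}]}))
```

The office guest is admitted through the IP include alone, which is the point of OR semantics: any single include rule is enough, so every include entry is a full entry path and should be reviewed as one. Exclude wins over include, and an empty `include` matches nobody, so a group that relies on `require` alone is inert.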
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/groups/$GROUP_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access group

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Deletes an Access group.

### Path Parameters

- `group_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
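Both the update and delete endpoints take either an account or a zone scope, never both, and return the same `errors`/`messages`/`success`/`result` envelope shown in the responses above. The following added example (written for this page, not Cloudflare's client library) builds the scoped URL, sends the DELETE with only a bearer token, and parses the envelope so that a `success: false` response raises with the error codes instead of being mistaken for a deleted group. The account ID, token and the two sample envelopes are constructed placeholders, and `send` is injectable so the block runs offline; the default sender uses the standard library only.

```python
import json
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


class AccessApiError(RuntimeError):
    """Raised when the envelope reports success=false."""


def group_url(group_id, account_id=None, zone_id=None):
    """Build the groups URL; account_id and zone_id are mutually exclusive."""
    if (account_id is None) == (zone_id is None):
        raise ValueError("pass exactly one of account_id or zone_id")
    scope, scope_id = ("accounts", account_id) if account_id else ("zones", zone_id)
    return f"{API_BASE}/{scope}/{scope_id}/access/groups/{group_id}"


def delete_request(url, api_token):
    # A DELETE carries no body, so only the bearer token header is needed.
    return urllib.request.Request(
        url, method="DELETE", headers={"Authorization": f"Bearer {api_token}"}
    )


def parse_envelope(raw):
    """Return `result` on success; raise AccessApiError carrying `errors` otherwise."""
    body = json.loads(raw)
    if body.get("success") is not True:
        detail = "; ".join(
            f"{e.get('code')}: {e.get('message')}" for e in body.get("errors", [])
        )
        raise AccessApiError(detail or "request failed with no error detail")
    return body.get("result") or {}


def _send(request):
    with urllib.request.urlopen(request, timeout=30) as resp:
        return resp.read()


def delete_group(group_id, api_token, account_id=None, zone_id=None, send=_send):
    """Delete a group and return the id echoed back in `result`."""
    req = delete_request(group_url(group_id, account_id, zone_id), api_token)
    return parse_envelope(send(req)).get("id")


# Constructed envelopes in the shape of the Response examples (not real API output).
SAMPLE_OK = json.dumps({"errors": [], "messages": [], "success": True,
                        "result": {"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"}}).encode()
SAMPLE_FAIL = json.dumps({"errors": [{"code": 1000, "message": "constructed error"}],
                          "messages": [], "success": False, "result": None}).encode()

if __name__ == "__main__":
    # Placeholder account id and token; the injected sender keeps this offline.
    deleted = delete_group("f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "placeholder-token",
                           account_id="0123456789abcdef0123456789abcdef",
                           send=lambda req: SAMPLE_OK)
    print("deleted group", deleted)
    try:
        delete_group("f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "placeholder-token",
                     zone_id="placeholder-zone", send=lambda req: SAMPLE_FAIL)
    except AccessApiError as exc:
        print("delete refused:", exc)
```

Keying the failure check on `success` rather than on the HTTP status keeps the client honest when the API answers 200 with `success: false`; the `errors` array is surfaced in the exception so an operator can see the code without re-running the call.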
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/groups/$GROUP_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Zero Trust Group

- `ZeroTrustGroup { id, displayName, externalId, 2 more }`
  - `id: optional string` The unique Cloudflare-generated Id of the SCIM resource.
  - `displayName: optional string` The display name of the SCIM Group resource.
  - `externalId: optional string` The IdP-generated Id of the SCIM resource.
  - `meta: optional { created, lastModified }` The metadata of the SCIM resource.
    - `created: optional string` The timestamp of when the SCIM resource was created.
    - `lastModified: optional string` The timestamp of when the SCIM resource was last modified.
  - `schemas: optional array of string` The list of URIs which indicate the attributes contained within a SCIM resource.

### Group List Response

- `GroupListResponse { id, exclude, include, 3 more }`
  - `id: optional string` UUID.
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. 
- `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. 
- `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `is_default: optional array of AccessRule` The response schema lists this field with the same shape and description as `require` (rules evaluated with an AND logical operator), while the update request body declares `is_default` as a boolean (Whether this is the default group). Verify the live response shape before parsing this field and do not treat it as a rule set. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `name: optional string` The name of the Access group. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. 
- `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.

### Group Get Response

- `GroupGetResponse { id, exclude, include, 3 more }` - `id: optional string` UUID. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID (authentication context ID) of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces a particular authentication method (for example, MFA). - `auth_method: { auth_method }` - `auth_method: string` The authentication method reference (`amr`) value to require, from the set defined in RFC 8176 section 2 (https://datatracker.ietf.org/doc/html/rfc8176#section-2), for example `mfa`, `hwk` or `otp`. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` An empty object which matches on any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The client certificate common name to match. - `CountryRule { geo }` Matches a specific country. - `geo: { country_code }` - `country_code: string` The two-letter (ISO 3166-1 alpha-2) country code to match. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture check has run successfully. - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Matches an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint serving the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your GitHub identity provider. - `name: string` The name of the organization.
- `team: optional string` The name of the team. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches logins through a specific identity provider. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
Only compatible with `non_identity` and `bypass` decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces a particular authentication method (for example, MFA). - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture check has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `name: optional string` The name of the Access group. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture check has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches logins through a specific identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.

### Group Create Response

- `GroupCreateResponse { id, exclude, include, 3 more }` - `id: optional string` UUID. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID (authentication context ID) of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces a particular authentication method (for example, MFA). - `auth_method: { auth_method }` - `auth_method: string` The authentication method reference (`amr`) value to require, from the set defined in RFC 8176 section 2 (https://datatracker.ietf.org/doc/html/rfc8176#section-2), for example `mfa`, `hwk` or `otp`. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` An empty object which matches on any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The client certificate common name to match. - `CountryRule { geo }` Matches a specific country. - `geo: { country_code }` - `country_code: string` The two-letter (ISO 3166-1 alpha-2) country code to match. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture check has run successfully. - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Matches an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email.
- `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint serving the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your GitHub identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches logins through a specific identity provider. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
- `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces a particular authentication method (for example, MFA). - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `name: optional string` The name of the Access group. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. 
Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.

### Group Update Response

- `GroupUpdateResponse { id, exclude, include, 3 more }` - `id: optional string` UUID. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID (authentication context ID) of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces a particular authentication method (for example, MFA). - `auth_method: { auth_method }` - `auth_method: string` The authentication method reference (`amr`) value to require, from the set defined in RFC 8176 section 2 (https://datatracker.ietf.org/doc/html/rfc8176#section-2), for example `mfa`, `hwk` or `otp`. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate.
- `certificate: { }` An empty object which matches on any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The client certificate common name to match. - `CountryRule { geo }` Matches a specific country. - `geo: { country_code }` - `country_code: string` The two-letter (ISO 3166-1 alpha-2) country code to match. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture check has run successfully. - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Matches an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint serving the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your GitHub identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group.
- `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches logins through a specific identity provider. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `user_risk_score: { user_risk_score }`
      - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace.
    Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `name: optional string` The name of the Access group.
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.

### Group Delete Response

- `GroupDeleteResponse { id }`
  - `id: optional string` UUID.

# Service Tokens

## List service tokens

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Lists all service tokens.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `name: optional string` The name of the service token.
- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.
- `search: optional string` Search for service tokens by other listed query parameters.
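To make the group rule semantics documented above concrete (include is OR, require is AND), here is an added Python evaluator that is not Cloudflare's code. It handles a subset of the rule shapes listed above (`email`, `email_domain`, `everyone`, `ip`, `geo`, `service_token`, `any_valid_service_token`); the `identity` dict shape is an assumption, and the `exclude` list (any match denies) is standard Access behaviour that this excerpt does not spell out.

```python
"""Evaluate an Access group's rule lists against a request's identity.

Added example, not Cloudflare's code. Implements the documented semantics:
include = OR (at least one rule must match), require = AND (every rule must
match). The `exclude` list (any match denies) is standard Access behaviour
that this excerpt does not spell out. The `identity` dict shape and the
subset of rule types handled are assumptions made for the example.
"""
import ipaddress


def rule_matches(rule: dict, identity: dict) -> bool:
    """Return True if one AccessRule object matches the identity context.

    Unsupported rule types raise instead of silently matching or failing,
    so a typo in a rule name can never widen access.
    """
    if "everyone" in rule:
        return True
    if "email" in rule:
        return identity.get("email", "").lower() == rule["email"]["email"].lower()
    if "email_domain" in rule:
        email = identity.get("email", "")
        if "@" not in email:
            return False
        return email.rsplit("@", 1)[1].lower() == rule["email_domain"]["domain"].lower()
    if "ip" in rule:
        addr = identity.get("ip")
        if not addr:
            return False
        # `ip` is an IPv4 or IPv6 CIDR block; a v4 address never falls in a v6 block.
        return ipaddress.ip_address(addr) in ipaddress.ip_network(rule["ip"]["ip"], strict=False)
    if "geo" in rule:
        return identity.get("country_code") == rule["geo"]["country_code"]
    if "service_token" in rule:
        return identity.get("service_token_id") == rule["service_token"]["token_id"]
    if "any_valid_service_token" in rule:
        return identity.get("service_token_id") is not None
    raise ValueError(f"unsupported rule type: {sorted(rule)}")


def group_matches(group: dict, identity: dict) -> bool:
    """Apply include (OR), require (AND) and exclude (NOT), in that order."""
    include = group.get("include") or []
    require = group.get("require") or []
    exclude = group.get("exclude") or []
    if not any(rule_matches(r, identity) for r in include):
        return False  # no include rule matched (an empty list matches nobody)
    if not all(rule_matches(r, identity) for r in require):
        return False  # at least one require rule failed
    if any(rule_matches(r, identity) for r in exclude):
        return False  # an exclude rule matched
    return True


# Constructed sample group (not from the page): staff of example.com or the CI
# service token may enter, but only from the office CIDR, and one contractor
# account is carved out. The token ID reuses the page's example UUID.
SAMPLE_GROUP = {
    "name": "engineering-from-office",
    "include": [
        {"email_domain": {"domain": "example.com"}},
        {"service_token": {"token_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"}},
    ],
    "require": [{"ip": {"ip": "203.0.113.0/24"}}],
    "exclude": [{"email": {"email": "contractor@example.com"}}],
}


if __name__ == "__main__":
    for identity in (
        {"email": "alice@example.com", "ip": "203.0.113.7"},       # allowed
        {"email": "alice@example.com", "ip": "198.51.100.7"},      # denied: require
        {"email": "contractor@example.com", "ip": "203.0.113.7"},  # denied: exclude
        {"service_token_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "ip": "203.0.113.8"},  # allowed
    ):
        print(identity, "->", group_matches(SAMPLE_GROUP, identity))
```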
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of ServiceToken`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/service_tokens \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "duration": "60m",
      "expires_at": "2014-01-01T05:20:00.12345Z",
      "last_seen_at": "2014-01-01T05:20:00.12345Z",
      "name": "CI/CD token",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get a service token

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Fetches a single service token.

### Path Parameters

- `service_token_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional ServiceToken`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/service_tokens/$SERVICE_TOKEN_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a service token

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Generates a new service token. **Note:** This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `name: string` The name of the service token.
- `client_secret_version: optional number` A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
- `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
- `previous_client_secret_expires_at: optional string` The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, client_id, client_secret, 2 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: optional string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: optional string` The name of the service token.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/service_tokens \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "CI/CD token",
    "duration": "60m",
    "previous_client_secret_expires_at": "2014-01-01T05:20:00.12345Z"
  }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a service token

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Updates a configured service token.

### Path Parameters

- `service_token_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `client_secret_version: optional number` A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
- `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
- `name: optional string` The name of the service token.
- `previous_client_secret_expires_at: optional string` The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional ServiceToken`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/service_tokens/$SERVICE_TOKEN_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "duration": "60m",
    "name": "CI/CD token",
    "previous_client_secret_expires_at": "2014-01-01T05:20:00.12345Z"
  }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a service token

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Deletes a service token.

### Path Parameters

- `service_token_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional ServiceToken`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/service_tokens/$SERVICE_TOKEN_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Refresh a service token

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/refresh`

Refreshes the expiration of a service token.

### Path Parameters

- `account_id: string` Identifier.
- `service_token_id: string` UUID.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional ServiceToken`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens/$SERVICE_TOKEN_ID/refresh \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate a service token

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate`

Generates a new Client Secret for a service token and revokes the old one.

### Path Parameters

- `account_id: string` Identifier.
- `service_token_id: string` UUID.

### Body Parameters

- `previous_client_secret_expires_at: optional string` The expiration of the previous `client_secret`. If not provided, it defaults to the current timestamp in order to immediately expire the previous secret.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, client_id, client_secret, 2 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: optional string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: optional string` The name of the service token.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens/$SERVICE_TOKEN_ID/rotate \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Service Token

- `ServiceToken { id, client_id, duration, 2 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.
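As an added example (not Cloudflare's code) tying together the `duration` format and the rotation parameters documented for the create, update and rotate endpoints above: validate a duration locally before sending it, decide when a token's `expires_at` calls for a refresh, and build the update body for a rotation with a grace window or an immediate revocation. It assumes the caller tracks `client_secret_version` itself, since the responses above do not return it, and leaves the HTTP call to the caller.

```python
"""Service token lifecycle helpers for the endpoints above.

Added example, not Cloudflare's code. Validates the Go-style `duration`
field (300ms, 2h45m; units ns, us/µs, ms, s, m, h) and builds the
update body that gives a rotation a grace window or revokes the previous
secret at once. The API responses do not return client_secret_version, so
the caller is assumed to track it; sending the request is left to the caller.
"""
import re
from datetime import datetime, timedelta, timezone

# Unit sizes in nanoseconds; "µs" is accepted as an alias of "us".
_UNIT_NS = {"ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
            "s": 1_000_000_000, "m": 60_000_000_000, "h": 3_600_000_000_000}
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
DEFAULT_DURATION = "8760h"  # the documented default: one year in hours


def parse_duration(text: str) -> timedelta:
    """Parse a duration string exactly as documented; reject anything else.

    A bare number ("60"), an unknown unit ("2d") or trailing junk raises,
    so a malformed value fails locally instead of inside the API call.
    """
    if not text:
        raise ValueError("duration must not be empty")
    pos, total_ns = 0, 0.0
    for m in _COMPONENT.finditer(text):
        if m.start() != pos:
            raise ValueError(f"invalid duration: {text!r}")
        total_ns += float(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    if pos != len(text):
        raise ValueError(f"invalid duration: {text!r}")
    return timedelta(microseconds=total_ns / 1_000)


def parse_timestamp(text: str) -> datetime:
    """Parse the API's RFC 3339 UTC timestamps, e.g. 2014-01-01T05:20:00.12345Z."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z", text)
    if not m:
        raise ValueError(f"unexpected timestamp: {text!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    micros = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micros)


def _rfc3339(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def rotation_body(current_version: int, grace: timedelta, now: datetime) -> dict:
    """Body for PUT .../service_tokens/{id}: bump client_secret_version to
    trigger a rotation and keep the old secret valid for `grace` more time.
    grace=timedelta(0) expires the previous secret immediately (compromise case)."""
    if grace < timedelta(0):
        raise ValueError("grace window cannot be negative")
    return {
        "client_secret_version": current_version + 1,
        "previous_client_secret_expires_at": _rfc3339(now + grace),
    }


def needs_refresh(token: dict, window: timedelta, now: datetime) -> bool:
    """True when a token's expires_at falls within `window` of `now`, i.e. it
    should go to the /refresh endpoint (or be re-created) before it lapses."""
    expires = parse_timestamp(token["expires_at"])
    return expires - now <= window


# Constructed sample, mirroring the shape of the page's example responses.
SAMPLE_TOKEN = {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
}

if __name__ == "__main__":
    now = datetime(2014, 1, 1, 5, 0, tzinfo=timezone.utc)
    print(parse_duration(SAMPLE_TOKEN["duration"]), parse_duration(DEFAULT_DURATION))
    print(needs_refresh(SAMPLE_TOKEN, timedelta(hours=1), now))
    print(rotation_body(current_version=1, grace=timedelta(hours=24), now=now))
```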
### Service Token Create Response

- `ServiceTokenCreateResponse { id, client_id, client_secret, 2 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: optional string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: optional string` The name of the service token.

### Service Token Rotate Response

- `ServiceTokenRotateResponse { id, client_id, client_secret, 2 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: optional string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: optional string` The name of the service token.

# Bookmarks

## List Bookmark applications

**get** `/accounts/{account_id}/access/bookmarks`

Lists Bookmark applications.
### Path Parameters

- `account_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of Bookmark`
  - `id: optional string` The unique identifier for the Bookmark application.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `domain: optional string` The domain of the Bookmark application.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the Bookmark application.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/bookmarks \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "app_launcher_visible": true,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "domain": "example.com",
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "name": "My Website",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get a Bookmark application

**get** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Fetches a single Bookmark application.

### Path Parameters

- `account_id: string`
- `bookmark_id: string` UUID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Bookmark`
  - `id: optional string` The unique identifier for the Bookmark application.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `domain: optional string` The domain of the Bookmark application.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the Bookmark application.
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/bookmarks/$BOOKMARK_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a Bookmark application **post** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Create a new Bookmark application. ### Path Parameters - `account_id: string` - `bookmark_id: string` UUID. ### Body Parameters - `body: unknown` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional Bookmark` - `id: optional string` The unique identifier for the Bookmark application. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `domain: optional string` The domain of the Bookmark application. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the Bookmark application. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/bookmarks/$BOOKMARK_ID \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{}' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a Bookmark application **put** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Updates a configured Bookmark application. ### Path Parameters - `account_id: string` - `bookmark_id: string` UUID. ### Body Parameters - `body: unknown` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional Bookmark` - `id: optional string` The unique identifier for the Bookmark application. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `domain: optional string` The domain of the Bookmark application. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the Bookmark application. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/bookmarks/$BOOKMARK_ID \ -X PUT \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{}' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a Bookmark application **delete** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Deletes a Bookmark application. ### Path Parameters - `account_id: string` - `bookmark_id: string` UUID. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id }` - `id: optional string` UUID. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/bookmarks/$BOOKMARK_ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Domain Types ### Bookmark - `Bookmark { id, app_launcher_visible, domain, 2 more }` - `id: optional string` The unique identifier for the Bookmark application. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `domain: optional string` The domain of the Bookmark application. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the Bookmark application. ### Bookmark Delete Response - `BookmarkDeleteResponse { id }` - `id: optional string` UUID. # Keys ## Get the Access key configuration **get** `/accounts/{account_id}/access/keys` Gets the Access key rotation settings for an account. ### Path Parameters - `account_id: string` Identifier. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }` - `days_until_next_rotation: optional number` The number of days until the next key rotation. 
- `key_rotation_interval_days: optional number` The number of days between key rotations. - `last_key_rotation_at: optional string` The timestamp of the previous key rotation. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/keys \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "days_until_next_rotation": 1, "key_rotation_interval_days": 30, "last_key_rotation_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update the Access key configuration **put** `/accounts/{account_id}/access/keys` Updates the Access key rotation settings for an account. ### Path Parameters - `account_id: string` Identifier. ### Body Parameters - `key_rotation_interval_days: number` The number of days between key rotations. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }` - `days_until_next_rotation: optional number` The number of days until the next key rotation. - `key_rotation_interval_days: optional number` The number of days between key rotations. - `last_key_rotation_at: optional string` The timestamp of the previous key rotation. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/keys \ -X PUT \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "key_rotation_interval_days": 30 }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "days_until_next_rotation": 1, "key_rotation_interval_days": 30, "last_key_rotation_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Rotate Access keys **post** `/accounts/{account_id}/access/keys/rotate` Performs a key rotation for an account and returns the updated rotation configuration. ### Path Parameters - `account_id: string` Identifier. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }` - `days_until_next_rotation: optional number` The number of days until the next key rotation. - `key_rotation_interval_days: optional number` The number of days between key rotations. - `last_key_rotation_at: optional string` The timestamp of the previous key rotation. 
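The three key endpoints (get the configuration, update the interval, rotate) are most useful together as a periodic policy check. The following is an added Python example, not Cloudflare's own code or SDK: it reads the current configuration, tightens `key_rotation_interval_days` when it is looser than a policy maximum, and forces a rotation when `last_key_rotation_at` is older than that maximum. `cf_call`, `unwrap`, `parse_ts`, `enforce_rotation_policy` and the 30-day policy value are this example's own names and choices; the only thing taken from the page is the response envelope and the three paths.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

API = "https://api.cloudflare.com/client/v4"


def cf_call(token, method, path, params=None, body=None):
    """One authenticated call to the Cloudflare v4 API; returns the decoded JSON envelope.

    `token` is a scoped API token (sent as a Bearer token), not the global API key.
    """
    url = API + path + ("?" + urlencode(params, doseq=True) if params else "")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def unwrap(envelope):
    """Return `result`, failing loudly when success is false instead of reading a missing result."""
    if not envelope.get("success"):
        raise RuntimeError(f"Cloudflare API error: {envelope.get('errors')}")
    return envelope["result"]


def parse_ts(ts):
    """Parse Cloudflare timestamps such as 2014-01-01T05:20:00.12345Z as UTC.

    The five-digit fraction is rejected by datetime.fromisoformat() on Python < 3.11,
    so the fraction is dropped; sub-second precision does not matter for a day-scale policy.
    """
    return datetime.fromisoformat(ts.rstrip("Z").split(".")[0]).replace(tzinfo=timezone.utc)


def enforce_rotation_policy(call, account_id, max_interval_days, now=None):
    """Bring the account's Access key rotation into line with `max_interval_days`.

    call: callable(method, path, params=None, body=None) -> JSON envelope,
          e.g. functools.partial(cf_call, token).
    Returns (actions, final_config); `actions` is empty when nothing had to change.
    """
    now = now or datetime.now(timezone.utc)
    base = f"/accounts/{account_id}/access/keys"
    actions = []

    cfg = unwrap(call("GET", base))

    # 1. Tighten the automatic interval if it is unset or looser than policy allows.
    interval = cfg.get("key_rotation_interval_days")
    if interval is None or interval > max_interval_days:
        cfg = unwrap(call("PUT", base, body={"key_rotation_interval_days": max_interval_days}))
        actions.append(f"interval {interval} -> {max_interval_days}")

    # 2. Rotate now if the key in use is already older than policy allows. Step 1 changes
    #    the schedule; whether it also rotates immediately is not documented, so the
    #    timestamp in the configuration it returned is what decides.
    last = cfg.get("last_key_rotation_at")
    if last is None or now - parse_ts(last) > timedelta(days=max_interval_days):
        cfg = unwrap(call("POST", base + "/rotate"))
        actions.append("rotated")

    return actions, cfg


if __name__ == "__main__":
    import functools
    import os

    call = functools.partial(cf_call, os.environ["CLOUDFLARE_API_TOKEN"])
    taken, final = enforce_rotation_policy(call, os.environ["ACCOUNT_ID"], max_interval_days=30)
    print(taken or "no change needed", final)
```

The check is idempotent, so it can run from a scheduler without state. Any application that validates the Access JWT itself should fetch the signing keys from the team domain's published certificate endpoint at verification time rather than pinning a copy; a rotation, scheduled or forced, otherwise breaks verification until the copy is refreshed.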
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/keys/rotate \ -X POST \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "days_until_next_rotation": 1, "key_rotation_interval_days": 30, "last_key_rotation_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Domain Types ### Key Get Response - `KeyGetResponse { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }` - `days_until_next_rotation: optional number` The number of days until the next key rotation. - `key_rotation_interval_days: optional number` The number of days between key rotations. - `last_key_rotation_at: optional string` The timestamp of the previous key rotation. ### Key Update Response - `KeyUpdateResponse { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }` - `days_until_next_rotation: optional number` The number of days until the next key rotation. - `key_rotation_interval_days: optional number` The number of days between key rotations. - `last_key_rotation_at: optional string` The timestamp of the previous key rotation. ### Key Rotate Response - `KeyRotateResponse { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }` - `days_until_next_rotation: optional number` The number of days until the next key rotation. - `key_rotation_interval_days: optional number` The number of days between key rotations. - `last_key_rotation_at: optional string` The timestamp of the previous key rotation. # Logs # Access Requests ## Get Access authentication logs **get** `/accounts/{account_id}/access/logs/access_requests` Gets a list of Access authentication audit logs for an account. 
### Path Parameters - `account_id: string` Identifier. ### Query Parameters - `allowedOp: optional "eq" or "neq"` Operator for the `allowed` filter. - `"eq"` - `"neq"` - `app_typeOp: optional "eq" or "neq"` Operator for the `app_type` filter. - `"eq"` - `"neq"` - `app_uidOp: optional "eq" or "neq"` Operator for the `app_uid` filter. - `"eq"` - `"neq"` - `country_codeOp: optional "eq" or "neq"` Operator for the `country_code` filter. - `"eq"` - `"neq"` - `direction: optional "desc" or "asc"` The chronological sorting order for the logs. - `"desc"` - `"asc"` - `email: optional string` Filter by user email. Defaults to substring matching. To force exact matching, set `email_exact=true`. Example (default): `email=@example.com` returns all events with that domain. Example (exact): `email=user@example.com&email_exact=true` returns only that user. - `email_exact: optional boolean` When true, `email` is matched exactly instead of substring matching. - `emailOp: optional "eq" or "neq"` Operator for the `email` filter. - `"eq"` - `"neq"` - `fields: optional string` Comma-separated list of fields to include in the response. When omitted, all fields are returned. - `idpOp: optional "eq" or "neq"` Operator for the `idp` filter. - `"eq"` - `"neq"` - `limit: optional number` The maximum number of log entries to retrieve. - `non_identityOp: optional "eq" or "neq"` Operator for the `non_identity` filter. - `"eq"` - `"neq"` - `page: optional number` Page number of results. - `per_page: optional number` Number of results per page. - `ray_idOp: optional "eq" or "neq"` Operator for the `ray_id` filter. - `"eq"` - `"neq"` - `since: optional string` The earliest event timestamp to query. - `until: optional string` The latest event timestamp to query. - `user_id: optional string` Filter by user UUID. - `user_idOp: optional "eq" or "neq"` Operator for the `user_id` filter. 
- `"eq"` - `"neq"` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of AccessRequest` - `action: optional string` The event that occurred, such as a login attempt. - `allowed: optional boolean` The result of the authentication event. - `app_domain: optional string` The URL of the Access application. - `app_uid: optional string` The unique identifier for the Access application. - `connection: optional string` The IdP used to authenticate. - `created_at: optional string` - `ip_address: optional string` The IP address of the authenticating user. - `ray_id: optional string` The unique identifier for the request to Cloudflare. - `user_email: optional string` The email address of the authenticating user. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/logs/access_requests \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "action": "login", "allowed": true, "app_domain": "test.example.com/admin", "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630", "connection": "saml", "created_at": "2014-01-01T05:20:00.12345Z", "ip_address": "198.41.129.166", "ray_id": "187d944c61940c77", "user_email": "user@example.com" } ] } ``` ## Domain Types ### Access Request List Response - `AccessRequestListResponse = array of AccessRequest` - `action: optional string` The event that occurred, such as a login attempt. - `allowed: optional boolean` The result of the authentication event. - `app_domain: optional string` The URL of the Access application. - `app_uid: optional string` The unique identifier for the Access application. - `connection: optional string` The IdP used to authenticate. - `created_at: optional string` - `ip_address: optional string` The IP address of the authenticating user. - `ray_id: optional string` The unique identifier for the request to Cloudflare. - `user_email: optional string` The email address of the authenticating user. # SCIM ## Domain Types ### Access Request - `AccessRequest { action, allowed, app_domain, 6 more }` - `action: optional string` The event that occurred, such as a login attempt. - `allowed: optional boolean` The result of the authentication event. - `app_domain: optional string` The URL of the Access application. - `app_uid: optional string` The unique identifier for the Access application. - `connection: optional string` The IdP used to authenticate. 
- `created_at: optional string` - `ip_address: optional string` The IP address of the authenticating user. - `ray_id: optional string` The unique identifier for the request to Cloudflare. - `user_email: optional string` The email address of the authenticating user. # Updates ## List Access SCIM update logs **get** `/accounts/{account_id}/access/logs/scim/updates` Lists Access SCIM update logs, the record of updates made to User and Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM). ### Path Parameters - `account_id: string` Identifier. ### Query Parameters - `idp_id: array of string` The unique Id of the IdP that has SCIM enabled. - `cf_resource_id: optional string` The unique Cloudflare-generated Id of the SCIM resource. - `direction: optional "desc" or "asc"` The chronological order used to sort the logs. - `"desc"` - `"asc"` - `idp_resource_id: optional string` The IdP-generated Id of the SCIM resource. - `limit: optional number` The maximum number of update logs to retrieve. - `page: optional number` Page number of results. - `per_page: optional number` Number of results per page. - `request_method: optional array of "DELETE" or "PATCH" or "POST" or "PUT"` The request method of the SCIM request. - `"DELETE"` - `"PATCH"` - `"POST"` - `"PUT"` - `resource_group_name: optional string` The display name of the SCIM Group resource. - `resource_type: optional array of "USER" or "GROUP"` The resource type of the SCIM request. - `"USER"` - `"GROUP"` - `resource_user_email: optional string` The email address of the SCIM User resource. - `since: optional string` The timestamp of the earliest update log. - `status: optional array of "FAILURE" or "SUCCESS"` The status of the SCIM request. - `"FAILURE"` - `"SUCCESS"` - `until: optional string` The timestamp of the most recent update log. 
### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of { cf_resource_id, error_description, idp_id, 8 more }` - `cf_resource_id: optional string` The unique Cloudflare-generated Id of the SCIM resource. - `error_description: optional string` The error message which is generated when the status of the SCIM request is 'FAILURE'. - `idp_id: optional string` The unique Id of the IdP that has SCIM enabled. - `idp_resource_id: optional string` The IdP-generated Id of the SCIM resource. - `logged_at: optional string` - `request_body: optional string` The JSON-encoded string body of the SCIM request. - `request_method: optional string` The request method of the SCIM request. - `resource_group_name: optional string` The display name of the SCIM Group resource if it exists. - `resource_type: optional string` The resource type of the SCIM request. - `resource_user_email: optional string` The email address of the SCIM User resource if it exists. - `status: optional string` The status of the SCIM request. - `result_info: optional { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. 
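Both log endpoints in this section, the Access authentication log (`/access/logs/access_requests`) and the SCIM update log (`/access/logs/scim/updates`), page the same way and use the same response envelope, so one helper serves both. The following is an added Python example, not Cloudflare's code: `paged` walks a list endpoint page by page, `denied_login_bursts` counts denied Access events per identity inside a `since`/`until` window (the `allowed` field is evaluated client-side), and `scim_failures` pulls `status=FAILURE` updates for one IdP and checks whether each recorded `request_body` even parses as JSON, the failure mode the sample response for this endpoint illustrates with the body `{}}` and the error `Invalid JSON body`. The `call` argument is any function that performs the authenticated request and returns the decoded envelope (a thin wrapper around urllib or requests, preferably using a scoped API token rather than the global API key the curl examples use); the threshold, the `<non-identity>` label and the report fields are this example's own choices.

```python
import json
from collections import Counter, defaultdict


def unwrap(envelope):
    """Return `result`, failing loudly when success is false."""
    if not envelope.get("success"):
        raise RuntimeError(f"Cloudflare API error: {envelope.get('errors')}")
    return envelope["result"]


def paged(call, path, params, per_page=100):
    """Yield every entry of a paginated list endpoint, requesting pages in order.

    The loop ends on a short or empty page, or when result_info.total_pages is
    reached. The access_requests response carries no result_info, so for that
    endpoint the short-page rule is the only terminator.
    """
    page = 1
    while True:
        env = call("GET", path, dict(params, page=page, per_page=per_page))
        entries = unwrap(env)
        yield from entries
        total_pages = (env.get("result_info") or {}).get("total_pages")
        if len(entries) < per_page or (total_pages is not None and page >= total_pages):
            return
        page += 1


def denied_login_bursts(call, account_id, since, until, threshold=5, per_page=100):
    """Identities with at least `threshold` denied Access events between since and until.

    Only an explicit `allowed: false` counts as a denial; the decision is made
    client-side on the documented field rather than relying on a server filter.
    """
    path = f"/accounts/{account_id}/access/logs/access_requests"
    params = {"since": since, "until": until, "direction": "asc"}
    denied = Counter()
    ips, apps = defaultdict(set), defaultdict(set)
    for ev in paged(call, path, params, per_page):
        if ev.get("allowed") is not False:
            continue
        who = ev.get("user_email") or "<non-identity>"
        denied[who] += 1
        ips[who].add(ev.get("ip_address") or "?")
        apps[who].add(ev.get("app_domain") or "?")
    return {
        who: {"denied": n, "ips": sorted(ips[who]), "apps": sorted(apps[who])}
        for who, n in denied.items() if n >= threshold
    }


def scim_failures(call, account_id, idp_id, since, until, per_page=100):
    """Failed SCIM pushes from one IdP, with a check that the logged body is valid JSON.

    `idp_id` and `status` are array-valued filters on the API; a single value is
    passed for each here. A transport that encodes lists (urlencode(..., doseq=True))
    is only needed if you pass several.
    """
    path = f"/accounts/{account_id}/access/logs/scim/updates"
    params = {"idp_id": idp_id, "status": "FAILURE", "since": since, "until": until}
    report = []
    for e in paged(call, path, params, per_page):
        try:
            json.loads(e.get("request_body") or "")
            body_is_json = True
        except ValueError:  # json.JSONDecodeError is a ValueError
            body_is_json = False
        if e.get("resource_type") == "GROUP":
            name = e.get("resource_group_name") or "?"
        else:
            name = e.get("resource_user_email") or "?"
        report.append({
            "logged_at": e.get("logged_at"),
            "method": e.get("request_method"),
            "resource": f"{e.get('resource_type')}:{name}",
            "error": e.get("error_description"),
            "body_is_json": body_is_json,
        })
    return report
```

A non-JSON `request_body` on a FAILURE entry points at the IdP's SCIM client rather than at Cloudflare-side configuration, which is worth knowing before opening a ticket on the wrong side. The `denied_login_bursts` output is a starting point for detection, not a verdict: a user who is denied many times from one IP across several applications looks different from one denied once per application, which is why both the IP and the application sets are kept.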
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/logs/scim/updates \ -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \ -H "X-Auth-Key: $CLOUDFLARE_API_KEY" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "cf_resource_id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0", "error_description": "Invalid JSON body", "idp_id": "df7e2w5f-02b7-4d9d-af26-8d1988fca630", "idp_resource_id": "all_employees", "logged_at": "2014-01-01T05:20:00.12345Z", "request_body": "{}}", "request_method": "DELETE", "resource_group_name": "ALL_EMPLOYEES", "resource_type": "GROUP", "resource_user_email": "john.smith@example.com", "status": "FAILURE" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Update List Response - `UpdateListResponse { cf_resource_id, error_description, idp_id, 8 more }` - `cf_resource_id: optional string` The unique Cloudflare-generated Id of the SCIM resource. - `error_description: optional string` The error message which is generated when the status of the SCIM request is 'FAILURE'. - `idp_id: optional string` The unique Id of the IdP that has SCIM enabled. - `idp_resource_id: optional string` The IdP-generated Id of the SCIM resource. - `logged_at: optional string` - `request_body: optional string` The JSON-encoded string body of the SCIM request. - `request_method: optional string` The request method of the SCIM request. - `resource_group_name: optional string` The display name of the SCIM Group resource if it exists. - `resource_type: optional string` The resource type of the SCIM request. - `resource_user_email: optional string` The email address of the SCIM User resource if it exists. 
- `status: optional string` The status of the SCIM request. # Users ## Get users **get** `/accounts/{account_id}/access/users` Gets a list of users for an account. ### Path Parameters - `account_id: string` Identifier. ### Query Parameters - `email: optional string` The email of the user. - `name: optional string` The name of the user. - `page: optional number` Page number of results. - `per_page: optional number` Number of results per page. - `search: optional string` Search for users by other listed query parameters. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of { id, access_seat, active_device_count, 8 more }` - `id: optional string` UUID. - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access. - `active_device_count: optional number` The number of active devices registered to the user. - `created_at: optional string` - `email: optional string` The email of the user. - `gateway_seat: optional boolean` True if the user has logged into the WARP client. - `last_successful_login: optional string` The time at which the user last successfully logged in. - `name: optional string` The name of the user. - `seat_uid: optional string` The unique API identifier for the Zero Trust seat. - `uid: optional string` The unique API identifier for the user. - `updated_at: optional string` - `result_info: optional { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. 
- `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "access_seat": false, "active_device_count": 2, "created_at": "2014-01-01T05:20:00.12345Z", "email": "jdoe@example.com", "gateway_seat": false, "last_successful_login": "2020-07-01T05:20:00Z", "name": "Jane Doe", "seat_uid": "seat_uid", "uid": "uid", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 100, "total_count": 1, "total_pages": 100 } } ``` ## Get a user **get** `/accounts/{account_id}/access/users/{user_id}` Gets a specific user for an account. ### Path Parameters - `account_id: string` Identifier. - `user_id: string` UUID. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional { id, access_seat, active_device_count, 8 more }` - `id: optional string` UUID. - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access. - `active_device_count: optional number` The number of active devices registered to the user. - `created_at: optional string` - `email: optional string` The email of the user. - `gateway_seat: optional boolean` True if the user has logged into the WARP client. - `last_successful_login: optional string` The time at which the user last successfully logged in. - `name: optional string` The name of the user. - `seat_uid: optional string` The unique API identifier for the Zero Trust seat. - `uid: optional string` The unique API identifier for the user. - `updated_at: optional string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "access_seat": false, "active_device_count": 2, "created_at": "2014-01-01T05:20:00.12345Z", "email": "jdoe@example.com", "gateway_seat": false, "last_successful_login": "2020-07-01T05:20:00Z", "name": "Jane Doe", "seat_uid": "seat_uid", "uid": "uid", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a user **post** `/accounts/{account_id}/access/users` Creates a new user. ### Path Parameters - `account_id: string` Identifier. ### Body Parameters - `email: string` The email of the user. - `name: optional string` The name of the user. 
### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id, access_seat, active_device_count, 8 more }` - `id: optional string` UUID. - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access. - `active_device_count: optional number` The number of active devices registered to the user. - `created_at: optional string` - `email: optional string` The email of the user. - `gateway_seat: optional boolean` True if the user has logged into the WARP client. - `last_successful_login: optional string` The time at which the user last successfully logged in. - `name: optional string` The name of the user. - `seat_uid: optional string` The unique API identifier for the Zero Trust seat. - `uid: optional string` The unique API identifier for the user. 
- `updated_at: optional string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "email": "jdoe@example.com", "name": "Jane Doe" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "access_seat": false, "active_device_count": 2, "created_at": "2014-01-01T05:20:00.12345Z", "email": "jdoe@example.com", "gateway_seat": false, "last_successful_login": "2020-07-01T05:20:00Z", "name": "Jane Doe", "seat_uid": "seat_uid", "uid": "uid", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a user **put** `/accounts/{account_id}/access/users/{user_id}` Updates a specific user's name for an account. Requires the user's current email as confirmation (email cannot be changed). ### Path Parameters - `account_id: string` Identifier. - `user_id: string` UUID. ### Body Parameters - `email: string` The email of the user. - `name: string` The name of the user. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id, access_seat, active_device_count, 8 more }` - `id: optional string` UUID. 
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "email": "jdoe@example.com", "name": "Jane Doe" }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a user

**delete** `/accounts/{account_id}/access/users/{user_id}`

Deletes a specific user for an account. This also revokes any active seats and tokens for the user.

### Path Parameters

- `account_id: string` Identifier.
- `user_id: string` UUID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Access User

- `AccessUser { id, active, displayName, 4 more }`
  - `id: optional string` The unique Cloudflare-generated Id of the SCIM resource.
  - `active: optional boolean` Determines the status of the SCIM User resource.
  - `displayName: optional string` The name of the SCIM User resource.
  - `emails: optional array of { primary, type, value }`
    - `primary: optional boolean` Indicates if the email address is the primary email belonging to the SCIM User resource.
    - `type: optional string` Indicates the type of the email address.
    - `value: optional string` The email address of the SCIM User resource.
  - `externalId: optional string` The IdP-generated Id of the SCIM resource.
  - `meta: optional { created, lastModified }` The metadata of the SCIM resource.
    - `created: optional string` The timestamp of when the SCIM resource was created.
    - `lastModified: optional string` The timestamp of when the SCIM resource was last modified.
  - `schemas: optional array of string` The list of URIs which indicate the attributes contained within a SCIM resource.

### User List Response

- `UserListResponse { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### User Get Response

- `UserGetResponse { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### User Create Response

- `UserCreateResponse { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### User Update Response

- `UserUpdateResponse { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### User Delete Response

- `UserDeleteResponse = unknown`

# Active Sessions

## Get active sessions

**get** `/accounts/{account_id}/access/users/{user_id}/active_sessions`

Get active sessions for a single user.

### Path Parameters

- `account_id: string` Identifier.
- `user_id: string` UUID.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { expiration, metadata, name }`
  - `expiration: optional number`
  - `metadata: optional { apps, expires, iat, 2 more }`
    - `apps: optional map[ { hostname, name, type, uid } ]`
      - `hostname: optional string`
      - `name: optional string`
      - `type: optional string`
      - `uid: optional string`
    - `expires: optional number`
    - `iat: optional number`
    - `nonce: optional string`
    - `ttl: optional number`
  - `name: optional string`
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID/active_sessions \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "expiration": 1694813506,
      "metadata": {
        "apps": {
          "foo": {
            "hostname": "test.example.com",
            "name": "app name",
            "type": "self_hosted",
            "uid": "cc2a8145-0128-4429-87f3-872c4d380c4e"
          }
        },
        "expires": 1694813506,
        "iat": 1694791905,
        "nonce": "X1aXj1lFVcqqyoXF",
        "ttl": 21600
      },
      "name": "name"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get single active session

**get** `/accounts/{account_id}/access/users/{user_id}/active_sessions/{nonce}`

Get an active session for a single user.

### Path Parameters

- `account_id: string` Identifier.
- `user_id: string` UUID.
- `nonce: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { account_id, auth_status, common_name, 16 more }`
  - `account_id: optional string`
  - `auth_status: optional string`
  - `common_name: optional string`
  - `device_id: optional string`
  - `device_sessions: optional map[ { last_authenticated } ]`
    - `last_authenticated: optional number`
  - `devicePosture: optional map[ { id, check, data, 6 more } ]`
    - `id: optional string`
    - `check: optional { exists, path }`
      - `exists: optional boolean`
      - `path: optional string`
    - `data: optional unknown`
    - `description: optional string`
    - `error: optional string`
    - `rule_name: optional string`
    - `success: optional boolean`
    - `timestamp: optional string`
    - `type: optional string`
  - `email: optional string`
  - `geo: optional UserPolicyCheckGeo`
    - `country: optional string`
  - `iat: optional number`
  - `idp: optional { id, type }`
    - `id: optional string`
    - `type: optional string`
  - `ip: optional string`
  - `is_gateway: optional boolean`
  - `is_warp: optional boolean`
  - `isActive: optional boolean`
  - `mtls_auth: optional { auth_status, cert_issuer_dn, cert_issuer_ski, 2 more }`
    - `auth_status: optional string`
    - `cert_issuer_dn: optional string`
    - `cert_issuer_ski: optional string`
    - `cert_presented: optional boolean`
    - `cert_serial: optional string`
  - `service_token_id: optional string`
  - `service_token_status: optional boolean`
  - `user_uuid: optional string`
  - `version: optional number`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID/active_sessions/$NONCE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "account_id": "1234567890",
    "auth_status": "NONE",
    "common_name": "",
    "device_id": "",
    "device_sessions": {
      "foo": { "last_authenticated": 1638832687 }
    },
    "devicePosture": {
      "foo": {
        "id": "id",
        "check": { "exists": true, "path": "path" },
        "data": {},
        "description": "description",
        "error": "error",
        "rule_name": "rule_name",
        "success": true,
        "timestamp": "timestamp",
        "type": "type"
      }
    },
    "email": "test@cloudflare.com",
    "geo": { "country": "US" },
    "iat": 1694791905,
    "idp": { "id": "id", "type": "type" },
    "ip": "127.0.0.0",
    "is_gateway": false,
    "is_warp": false,
    "isActive": true,
    "mtls_auth": {
      "auth_status": "auth_status",
      "cert_issuer_dn": "cert_issuer_dn",
      "cert_issuer_ski": "cert_issuer_ski",
      "cert_presented": true,
      "cert_serial": "cert_serial"
    },
    "service_token_id": "",
    "service_token_status": false,
    "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4",
    "version": 2
  }
}
```

## Domain Types

### Active Session List Response

- `ActiveSessionListResponse { expiration, metadata, name }`
  - `expiration: optional number`
  - `metadata: optional { apps, expires, iat, 2 more }`
    - `apps: optional map[ { hostname, name, type, uid } ]`
      - `hostname: optional string`
      - `name: optional string`
      - `type: optional string`
      - `uid: optional string`
    - `expires: optional number`
    - `iat: optional number`
    - `nonce: optional string`
    - `ttl: optional number`
  - `name: optional string`

### Active Session Get Response

- `ActiveSessionGetResponse { account_id, auth_status, common_name, 16 more }`
  - `account_id: optional string`
  - `auth_status: optional string`
  - `common_name: optional string`
  - `device_id: optional string`
  - `device_sessions: optional map[ { last_authenticated } ]`
    - `last_authenticated: optional number`
  - `devicePosture: optional map[ { id, check, data, 6 more } ]`
    - `id: optional string`
    - `check: optional { exists, path }`
      - `exists: optional boolean`
      - `path: optional string`
    - `data: optional unknown`
    - `description: optional string`
    - `error: optional string`
    - `rule_name: optional string`
    - `success: optional boolean`
    - `timestamp: optional string`
    - `type: optional string`
  - `email: optional string`
  - `geo: optional UserPolicyCheckGeo`
    - `country: optional string`
  - `iat: optional number`
  - `idp: optional { id, type }`
    - `id: optional string`
    - `type: optional string`
  - `ip: optional string`
  - `is_gateway: optional boolean`
  - `is_warp: optional boolean`
  - `isActive: optional boolean`
  - `mtls_auth: optional { auth_status, cert_issuer_dn, cert_issuer_ski, 2 more }`
    - `auth_status: optional string`
    - `cert_issuer_dn: optional string`
    - `cert_issuer_ski: optional string`
    - `cert_presented: optional boolean`
    - `cert_serial: optional string`
  - `service_token_id: optional string`
  - `service_token_status: optional boolean`
  - `user_uuid: optional string`
  - `version: optional number`

# Last Seen Identity

## Get last seen identity

**get** `/accounts/{account_id}/access/users/{user_id}/last_seen_identity`

Get the last seen identity for a single user.

### Path Parameters

- `account_id: string` Identifier.
- `user_id: string` UUID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Identity`
  - `account_id: optional string`
  - `auth_status: optional string`
  - `common_name: optional string`
  - `device_id: optional string`
  - `device_sessions: optional map[ { last_authenticated } ]`
    - `last_authenticated: optional number`
  - `devicePosture: optional map[ { id, check, data, 6 more } ]`
    - `id: optional string`
    - `check: optional { exists, path }`
      - `exists: optional boolean`
      - `path: optional string`
    - `data: optional unknown`
    - `description: optional string`
    - `error: optional string`
    - `rule_name: optional string`
    - `success: optional boolean`
    - `timestamp: optional string`
    - `type: optional string`
  - `email: optional string`
  - `geo: optional UserPolicyCheckGeo`
    - `country: optional string`
  - `iat: optional number`
  - `idp: optional { id, type }`
    - `id: optional string`
    - `type: optional string`
  - `ip: optional string`
  - `is_gateway: optional boolean`
  - `is_warp: optional boolean`
  - `mtls_auth: optional { auth_status, cert_issuer_dn, cert_issuer_ski, 2 more }`
    - `auth_status: optional string`
    - `cert_issuer_dn: optional string`
    - `cert_issuer_ski: optional string`
    - `cert_presented: optional boolean`
    - `cert_serial: optional string`
  - `service_token_id: optional string`
  - `service_token_status: optional boolean`
  - `user_uuid: optional string`
  - `version: optional number`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID/last_seen_identity \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "account_id": "1234567890",
    "auth_status": "NONE",
    "common_name": "",
    "device_id": "",
    "device_sessions": {
      "foo": { "last_authenticated": 1638832687 }
    },
    "devicePosture": {
      "foo": {
        "id": "id",
        "check": { "exists": true, "path": "path" },
        "data": {},
        "description": "description",
        "error": "error",
        "rule_name": "rule_name",
        "success": true,
        "timestamp": "timestamp",
        "type": "type"
      }
    },
    "email": "test@cloudflare.com",
    "geo": { "country": "US" },
    "iat": 1694791905,
    "idp": { "id": "id", "type": "type" },
    "ip": "127.0.0.0",
    "is_gateway": false,
    "is_warp": false,
    "mtls_auth": {
      "auth_status": "auth_status",
      "cert_issuer_dn": "cert_issuer_dn",
      "cert_issuer_ski": "cert_issuer_ski",
      "cert_presented": true,
      "cert_serial": "cert_serial"
    },
    "service_token_id": "",
    "service_token_status": false,
    "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4",
    "version": 2
  }
}
```

## Domain Types

### Identity

- `Identity { account_id, auth_status, common_name, 15 more }`
  - `account_id: optional string`
  - `auth_status: optional string`
  - `common_name: optional string`
  - `device_id: optional string`
  - `device_sessions: optional map[ { last_authenticated } ]`
    - `last_authenticated: optional number`
  - `devicePosture: optional map[ { id, check, data, 6 more } ]`
    - `id: optional string`
    - `check: optional { exists, path }`
      - `exists: optional boolean`
      - `path: optional string`
    - `data: optional unknown`
    - `description: optional string`
    - `error: optional string`
    - `rule_name: optional string`
    - `success: optional boolean`
    - `timestamp: optional string`
    - `type: optional string`
  - `email: optional string`
  - `geo: optional UserPolicyCheckGeo`
    - `country: optional string`
  - `iat: optional number`
  - `idp: optional { id, type }`
    - `id: optional string`
    - `type: optional string`
  - `ip: optional string`
  - `is_gateway: optional boolean`
  - `is_warp: optional boolean`
  - `mtls_auth: optional { auth_status, cert_issuer_dn, cert_issuer_ski, 2 more }`
    - `auth_status: optional string`
    - `cert_issuer_dn: optional string`
    - `cert_issuer_ski: optional string`
    - `cert_presented: optional boolean`
    - `cert_serial: optional string`
  - `service_token_id: optional string`
  - `service_token_status: optional boolean`
  - `user_uuid: optional string`
  - `version: optional number`

# Failed Logins

## Get failed logins

**get** `/accounts/{account_id}/access/users/{user_id}/failed_logins`

Get all failed login attempts for a single user.

### Path Parameters

- `account_id: string` Identifier.
- `user_id: string` UUID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { expiration, metadata }`
  - `expiration: optional number`
  - `metadata: optional unknown`
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
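The three per-user endpoints above (active sessions, last seen identity, failed logins) are what an operator reviews when a user account is suspected compromised. The following is an added example, not Cloudflare's own code: it works on the `result` payloads those endpoints return, flagging expired or long-lived Access sessions, failed posture checks and stale device sessions in the `Identity` object, and counting failed logins per application. The payloads, the extra posture rule, the second session, the `now` timestamp and the thresholds are constructed assumptions; a real run would fetch the payloads with an API token and pass them to the same functions.

```python
"""Audit one Zero Trust user from the active_sessions, last_seen_identity
and failed_logins responses. Added example, not Cloudflare's code."""
import json
from collections import Counter

# Constructed sample: `result` of GET .../active_sessions. The first entry copies
# the page's example; the second is made up to give the filters something to catch.
ACTIVE_SESSIONS = json.loads("""[
  {"expiration": 1694813506, "name": "name",
   "metadata": {"apps": {"foo": {"hostname": "test.example.com", "name": "app name",
                                 "type": "self_hosted", "uid": "cc2a8145-0128-4429-87f3-872c4d380c4e"}},
                "expires": 1694813506, "iat": 1694791905, "nonce": "X1aXj1lFVcqqyoXF", "ttl": 21600}},
  {"expiration": 1694900000, "name": "name",
   "metadata": {"apps": {"bar": {"hostname": "admin.example.com", "name": "admin",
                                 "type": "self_hosted", "uid": "00000000-0000-4000-8000-000000000000"}},
                "expires": 1694900000, "iat": 1694813600, "nonce": "constructedNonce2", "ttl": 86400}}
]""")

# Constructed sample: `result` of GET .../last_seen_identity (trimmed to the fields
# used here), with a second, made-up posture rule that failed.
LAST_SEEN_IDENTITY = json.loads("""{
  "account_id": "1234567890", "auth_status": "NONE", "email": "test@cloudflare.com",
  "device_sessions": {"foo": {"last_authenticated": 1638832687}},
  "devicePosture": {
    "foo": {"id": "id", "rule_name": "rule_name", "success": true, "type": "type"},
    "bar": {"id": "constructed", "rule_name": "Disk encryption", "success": false, "type": "disk_encryption"}
  },
  "geo": {"country": "US"}, "iat": 1694791905, "ip": "127.0.0.0",
  "is_gateway": false, "is_warp": false,
  "mtls_auth": {"auth_status": "auth_status", "cert_presented": true, "cert_serial": "cert_serial"},
  "service_token_id": "", "service_token_status": false,
  "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4", "version": 2
}""")

# Constructed sample: `result` of GET .../failed_logins. The schema types `metadata`
# as unknown; these keys follow the page's example response.
FAILED_LOGINS = json.loads("""[
  {"expiration": 0, "metadata": {"app_name": "Test App", "datetime": "2022-02-02T21:54:34.914Z",
                                 "ray_id": "6d76a8a42ead4133", "user_email": "test@cloudflare.com"}},
  {"expiration": 0, "metadata": {"app_name": "Test App", "datetime": "2022-02-02T21:55:10.000Z",
                                 "ray_id": "constructedray0001", "user_email": "test@cloudflare.com"}},
  {"expiration": 0, "metadata": {"app_name": "Payroll", "datetime": "2022-02-03T08:00:00.000Z",
                                 "ray_id": "constructedray0002", "user_email": "test@cloudflare.com"}}
]""")


def expired_sessions(sessions, now):
    """Nonces of sessions whose `expiration` (epoch seconds) is at or before `now`."""
    return [s["metadata"]["nonce"] for s in sessions if s.get("expiration", 0) <= now]


def long_lived_sessions(sessions, max_ttl):
    """Nonces of sessions issued with a `ttl` above the policy ceiling `max_ttl` (seconds)."""
    return [s["metadata"]["nonce"] for s in sessions if s["metadata"].get("ttl", 0) > max_ttl]


def session_apps(sessions):
    """Map each session nonce to the sorted hostnames it grants access to."""
    return {
        s["metadata"]["nonce"]: sorted(app["hostname"] for app in s["metadata"].get("apps", {}).values())
        for s in sessions
    }


def identity_findings(identity, now, max_device_age):
    """Human-readable findings from an Identity object; an empty list means nothing to report."""
    findings = []
    for key, check in identity.get("devicePosture", {}).items():
        if check.get("success") is False:
            findings.append(f"posture check failed: {check.get('rule_name', key)}")
    if not identity.get("is_warp"):
        findings.append("is_warp is false: identity was not seen through the WARP client")
    if not (identity.get("mtls_auth") or {}).get("cert_presented"):
        findings.append("no client certificate presented (mtls_auth.cert_presented)")
    if identity.get("service_token_status"):
        findings.append(f"authenticated with service token {identity.get('service_token_id')!r}")
    for device_id, sess in identity.get("device_sessions", {}).items():
        age = now - sess.get("last_authenticated", 0)
        if age > max_device_age:
            findings.append(f"device {device_id} last authenticated {age} s ago")
    return findings


def failed_logins_by_app(failed_logins):
    """Count failed login attempts per application name."""
    return Counter(f.get("metadata", {}).get("app_name", "<unknown>") for f in failed_logins)


if __name__ == "__main__":
    now = 1694850000  # constructed "current time" in epoch seconds
    print("expired:", expired_sessions(ACTIVE_SESSIONS, now))
    print("long-lived:", long_lived_sessions(ACTIVE_SESSIONS, max_ttl=43200))
    print("apps:", session_apps(ACTIVE_SESSIONS))
    for line in identity_findings(LAST_SEEN_IDENTITY, now, max_device_age=30 * 86400):
        print("finding:", line)
    print("failed logins by app:", dict(failed_logins_by_app(FAILED_LOGINS)))
```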
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID/failed_logins \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "expiration": 0,
      "metadata": {
        "app_name": "Test App",
        "aud": "39691c1480a2352a18ece567debc2b32552686cbd38eec0887aa18d5d3f00c04",
        "datetime": "2022-02-02T21:54:34.914Z",
        "ray_id": "6d76a8a42ead4133",
        "user_email": "test@cloudflare.com",
        "user_uuid": "57171132-e453-4ee8-b2a5-8cbaad333207"
      }
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Failed Login List Response

- `FailedLoginListResponse { expiration, metadata }`
  - `expiration: optional number`
  - `metadata: optional unknown`

# Custom Pages

## List custom pages

**get** `/accounts/{account_id}/access/custom_pages`

List custom pages.

### Path Parameters

- `account_id: string` Identifier.

### Query Parameters

- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of CustomPageWithoutHTML`
  - `name: string` Custom page name.
  - `type: "identity_denied" or "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid: optional string` UUID.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/custom_pages \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "name": "name",
      "type": "identity_denied",
      "app_count": 0,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a custom page

**get** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Fetches a custom page and also returns its HTML.

### Path Parameters

- `account_id: string` Identifier.
- `custom_page_id: string` UUID.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional CustomPage`
  - `custom_html: string` Custom page HTML.
  - `name: string` Custom page name.
  - `type: "identity_denied" or "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid: optional string` UUID.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/custom_pages/$CUSTOM_PAGE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "custom_html": "Access Denied",
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a custom page

**post** `/accounts/{account_id}/access/custom_pages`

Create a custom page.

### Path Parameters

- `account_id: string` Identifier.

### Body Parameters

- `custom_html: string` Custom page HTML.
- `name: string` Custom page name.
- `type: "identity_denied" or "forbidden"` Custom page type.
  - `"identity_denied"`
  - `"forbidden"`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional CustomPageWithoutHTML`
  - `name: string` Custom page name.
  - `type: "identity_denied" or "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid: optional string` UUID.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/custom_pages \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "custom_html": "Access Denied", "name": "name", "type": "identity_denied" }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a custom page

**put** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Update a custom page.

### Path Parameters

- `account_id: string` Identifier.
- `custom_page_id: string` UUID.

### Body Parameters

- `custom_html: string` Custom page HTML.
- `name: string` Custom page name.
- `type: "identity_denied" or "forbidden"` Custom page type.
  - `"identity_denied"`
  - `"forbidden"`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional CustomPageWithoutHTML`
  - `name: string` Custom page name.
  - `type: "identity_denied" or "forbidden"` Custom page type.
    - `"identity_denied"`
    - `"forbidden"`
  - `uid: optional string` UUID.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/custom_pages/$CUSTOM_PAGE_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "custom_html": "Access Denied", "name": "name", "type": "identity_denied" }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "name",
    "type": "identity_denied",
    "app_count": 0,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a custom page

**delete** `/accounts/{account_id}/access/custom_pages/{custom_page_id}`

Delete a custom page.

### Path Parameters

- `account_id: string` Identifier.
- `custom_page_id: string` UUID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/custom_pages/$CUSTOM_PAGE_ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Domain Types ### Custom Page - `CustomPage { custom_html, name, type, uid }` - `custom_html: string` Custom page HTML. - `name: string` Custom page name. - `type: "identity_denied" or "forbidden"` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid: optional string` UUID. ### Custom Page Without HTML - `CustomPageWithoutHTML { name, type, uid }` - `name: string` Custom page name. - `type: "identity_denied" or "forbidden"` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid: optional string` UUID. ### Custom Page Delete Response - `CustomPageDeleteResponse { id }` - `id: optional string` UUID. # Tags ## List tags **get** `/accounts/{account_id}/access/tags` List tags ### Path Parameters - `account_id: string` Identifier. ### Query Parameters - `page: optional number` Page number of results. - `per_page: optional number` Number of results per page. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
  - `true`
- `result: optional array of Tag`
  - `name: string` The name of the tag.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/tags \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "name": "engineers",
      "app_count": 1,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a tag

**get** `/accounts/{account_id}/access/tags/{tag_name}`

Get a tag.

### Path Parameters

- `account_id: string` Identifier.
- `tag_name: string` The name of the tag.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Tag` A tag.
  - `name: string` The name of the tag.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/tags/$TAG_NAME \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "engineers",
    "app_count": 1,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a tag

**post** `/accounts/{account_id}/access/tags`

Create a tag.

### Path Parameters

- `account_id: string` Identifier.

### Body Parameters

- `name: optional string` The name of the tag.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Tag` A tag.
  - `name: string` The name of the tag.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/tags \
  -X POST \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "name": "engineers" }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "engineers",
    "app_count": 1,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a tag

**put** `/accounts/{account_id}/access/tags/{tag_name}`

Update a tag.

### Path Parameters

- `account_id: string` Identifier.
- `tag_name: string` The name of the tag.

### Body Parameters

- `name: string` The name of the tag.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Tag` A tag.
  - `name: string` The name of the tag.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/tags/$TAG_NAME \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "name": "engineers" }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "engineers",
    "app_count": 1,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a tag

**delete** `/accounts/{account_id}/access/tags/{tag_name}`

Delete a tag.

### Path Parameters

- `account_id: string` Identifier.
- `tag_name: string` The name of the tag.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { name }`
  - `name: optional string` The name of the tag.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/tags/$TAG_NAME \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "name": "engineers"
  }
}
```

## Domain Types

### Tag

- `Tag { name }` A tag.
  - `name: string` The name of the tag.

### Tag Delete Response

- `TagDeleteResponse { name }`
  - `name: optional string` The name of the tag.

# Policies

## List Access reusable policies

**get** `/accounts/{account_id}/access/policies`

Lists Access reusable policies.

### Path Parameters

- `account_id: string` Identifier.

### Query Parameters

- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, app_count, approval_groups, 15 more }`
  - `id: optional string` The UUID of the policy.
  - `app_count: optional number` Number of Access applications currently using this policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a re-usable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `reusable: optional true`
    - `true`
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
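The three rule lists above combine as include = OR, exclude = NOT, require = AND. The following is an added example (not Cloudflare's code) that applies that combination logic to a policy in the response shape shown on this page; the identity record (`email`, `groups`, `ip`, `country_code`, `risk_score`) and the per-rule matching for `group`, `email`, `email_domain`, `ip`, `geo`, `everyone` and `user_risk_score` are this example's own assumptions, and rule types that need an identity provider or an external evaluation endpoint are rejected rather than guessed at.

```python
"""Evaluate the include / exclude / require logic of an Access reusable policy
(in the JSON shape returned by /access/policies) against a user.

Illustrative code, not Cloudflare's implementation. The identity record and the
per-rule matching are assumptions made for this example; only the combination
logic (include = OR, exclude = NOT, require = AND), the rule keys and the
decision values come from the API reference.
"""
import ipaddress
from typing import Any, Callable, Optional

Identity = dict[str, Any]  # assumed keys: email, groups, ip, country_code, risk_score
Rule = dict[str, Any]      # one AccessRule object, e.g. {"email_domain": {"domain": "x"}}


def _group(spec: dict, who: Identity) -> bool:
    return spec["id"] in who.get("groups", ())


def _email(spec: dict, who: Identity) -> bool:
    return who.get("email", "").lower() == spec["email"].lower()


def _email_domain(spec: dict, who: Identity) -> bool:
    # Compare the part after the last "@" for equality: a naive endswith()
    # would let "dev@notexample.com" satisfy a rule for "example.com".
    email = who.get("email", "")
    return "@" in email and email.rsplit("@", 1)[1].lower() == spec["domain"].lower()


def _ip(spec: dict, who: Identity) -> bool:
    try:
        return ipaddress.ip_address(who["ip"]) in ipaddress.ip_network(spec["ip"], strict=False)
    except (KeyError, ValueError):
        return False  # a missing or malformed address never matches an IP rule


def _geo(spec: dict, who: Identity) -> bool:
    return who.get("country_code") == spec["country_code"]


def _everyone(spec: dict, who: Identity) -> bool:
    return True  # `everyone: {}` matches all users


def _user_risk_score(spec: dict, who: Identity) -> bool:
    return who.get("risk_score", "unscored") in spec["user_risk_score"]


# Rule key as it appears in the policy JSON -> matcher. Rule types that depend on
# an identity provider or an external evaluation endpoint are not modelled here.
MATCHERS: dict[str, Callable[[dict, Identity], bool]] = {
    "group": _group, "email": _email, "email_domain": _email_domain, "ip": _ip,
    "geo": _geo, "everyone": _everyone, "user_risk_score": _user_risk_score,
}


def rule_matches(rule: Rule, who: Identity) -> bool:
    """Evaluate one AccessRule object, which carries exactly one rule key."""
    if len(rule) != 1:
        raise ValueError(f"an AccessRule must have exactly one key, got {sorted(rule)}")
    ((key, spec),) = rule.items()
    if key not in MATCHERS:
        # Fail closed rather than guess at a rule type this evaluator does not model.
        raise ValueError(f"unsupported rule type: {key!r}")
    return MATCHERS[key](spec, who)


def policy_matches(policy: dict, who: Identity) -> bool:
    """include is OR-ed, exclude is NOT-ed, require is AND-ed."""
    include = policy.get("include") or []
    if not include:
        return False  # assumption: a policy with no include rules matches nobody
    if not any(rule_matches(r, who) for r in include):
        return False
    if any(rule_matches(r, who) for r in policy.get("exclude") or []):
        return False
    return all(rule_matches(r, who) for r in policy.get("require") or [])


def evaluate(policy: dict, who: Identity) -> Optional[str]:
    """The policy's decision ("allow", "deny", "non_identity" or "bypass") when
    the user matches it, or None when this policy does not apply to the user."""
    return policy["decision"] if policy_matches(policy, who) else None


# Constructed policy, in the shape of the "List Access reusable policies" response.
POLICY = {
    "name": "Allow devs",
    "decision": "allow",
    "include": [{"email_domain": {"domain": "example.com"}}],
    "exclude": [{"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}],  # e.g. contractors
    "require": [{"geo": {"country_code": "US"}},
                {"user_risk_score": {"user_risk_score": ["low", "unscored"]}}],
}

# Constructed identities, not real users.
DEV = {"email": "dev@example.com", "groups": [], "ip": "203.0.113.7",
       "country_code": "US", "risk_score": "low"}
CONTRACTOR = {**DEV, "groups": ["aa0a4aab-672b-4bdb-bc33-a59f1130a11f"]}
ABROAD = {**DEV, "country_code": "DE"}
RISKY = {**DEV, "risk_score": "high"}
OUTSIDER = {**DEV, "email": "dev@notexample.com"}

if __name__ == "__main__":
    for label, who in [("dev", DEV), ("contractor", CONTRACTOR), ("abroad", ABROAD),
                       ("risky", RISKY), ("outsider", OUTSIDER)]:
        print(f"{label:10s} -> {evaluate(POLICY, who)}")  # dev -> allow, others -> None
```

A `None` result only means this one policy does not apply; which policy Access evaluates next is outside the scope of this reference.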
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "app_count": 2,
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": [ "text" ],
          "allowed_clipboard_remote_to_local_formats": [ "text" ]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "include": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": [ "totp", "biometrics", "security_key" ],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [
        { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
      ],
      "reusable": true,
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access reusable policy

**get** `/accounts/{account_id}/access/policies/{policy_id}`

Fetches a single Access reusable policy.
### Path Parameters

- `account_id: string` Identifier.
- `policy_id: string` The UUID of the policy.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, app_count, approval_groups, 15 more }`
  - `id: optional string` The UUID of the policy.
  - `app_count: optional number` Number of Access applications currently using this policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a re-usable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator.
    A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `reusable: optional true` - `true` - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies/$POLICY_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "app_count": 2, "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "reusable": true, "session_duration": "24h", "updated_at": 
"2014-01-01T05:20:00.12345Z" } } ``` ## Create an Access reusable policy **post** `/accounts/{account_id}/access/policies` Creates a new Access reusable policy. ### Path Parameters - `account_id: string` Identifier. ### Body Parameters - `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. 
  - `CountryRule { geo }` Matches a specific country.
    - `geo: { country_code }`
      - `country_code: string` The country code that should be matched.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `device_posture: { integration_uid }`
      - `integration_uid: string` The ID of a device posture integration.
  - `DomainRule { email_domain }` Matches an entire email domain.
    - `email_domain: { domain }`
      - `domain: string` The email domain to match.
  - `EmailListRule { email_list }` Matches an email address from a list.
    - `email_list: { id }`
      - `id: string` The ID of a previously created email list.
  - `EmailRule { email }` Matches a specific email.
    - `email: { email }`
      - `email: string` The email of the user.
  - `EveryoneRule { everyone }` Matches everyone.
    - `everyone: { }` An empty object which matches on all users.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: { evaluate_url, keys_url }`
      - `evaluate_url: string` The API endpoint containing your business logic.
      - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `"github-organization": { identity_provider_id, name, team }`
      - `identity_provider_id: string` The ID of your GitHub identity provider.
      - `name: string` The name of the organization.
      - `team: optional string` The name of the team.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: { email, identity_provider_id }`
      - `email: string` The email of the Google Workspace group.
      - `identity_provider_id: string` The ID of your Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `login_method: { id }`
      - `id: string` The ID of an identity provider.
  - `IPListRule { ip_list }` Matches an IP address from a list.
    - `ip_list: { id }`
      - `id: string` The ID of a previously created IP list.
  - `IPRule { ip }` Matches an IP address block.
    - `ip: { ip }`
      - `ip: string` An IPv4 or IPv6 CIDR block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `okta: { identity_provider_id, name }`
      - `identity_provider_id: string` The ID of your Okta identity provider.
      - `name: string` The name of the Okta group.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `saml: { attribute_name, attribute_value, identity_provider_id }`
      - `attribute_name: string` The name of the SAML attribute.
      - `attribute_value: string` The SAML attribute value to look for.
      - `identity_provider_id: string` The ID of your SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: { claim_name, claim_value, identity_provider_id }`
      - `claim_name: string` The name of the OIDC claim.
      - `claim_value: string` The OIDC claim value to look for.
      - `identity_provider_id: string` The ID of your OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `service_token: { token_id }`
      - `token_id: string` The ID of a Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: { app_uid }`
      - `app_uid: string` The ID of an Access OIDC SaaS application.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `user_risk_score: { user_risk_score }`
      - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`
- `name: string` The name of the Access policy.
- `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
  - `approvals_needed: number` The number of approvals needed to obtain access.
  - `email_addresses: optional array of string` A list of emails that can approve the access request.
  - `email_list_uuid: optional string` The UUID of a reusable email list.
- `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
  - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
      - `"text"`
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, app_count, approval_groups, 15 more }`
  - `id: optional string` The UUID of the policy.
  - `app_count: optional number` Number of access applications currently using this policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method (https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `reusable: optional true`
    - `true`
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "decision": "allow",
    "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "name": "Allow devs",
    "approval_groups": [
      { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ] },
      { "approvals_needed": 3, "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" }
    ],
    "approval_required": true,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "session_duration": "24h"
  }'
```

#### Response

```json
{
  "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ],
  "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" },
      { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" }
    ],
    "approval_required": true,
    "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "isolation_required": false,
    "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access reusable policy

**put** `/accounts/{account_id}/access/policies/{policy_id}`

Updates an Access reusable policy.

### Path Parameters

- `account_id: string` Identifier.
- `policy_id: string` The UUID of the policy.

### Body Parameters

- `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `"allow"`
  - `"deny"`
  - `"non_identity"`
  - `"bypass"`
- `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `GroupRule { group }` Matches an Access group.
    - `group: { id }`
      - `id: string` The ID of a previously created Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `any_valid_service_token: { }` An empty object which matches on all service tokens.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: { id, ac_id, identity_provider_id }`
      - `id: string` The ID of an Authentication context.
      - `ac_id: string` The ACID of an Authentication context.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `auth_method: { auth_method }`
      - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. 
- `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `name: string` The name of the Access policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
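Before sending a body like the one above, it is worth checking it locally against the constraints the reference states: the `decision` enum, the Go-style `session_duration` grammar (units ns, us or µs, ms, s, m, h), the `mfa_config.session_duration` bounds (whole minutes or hours, 0m to 720h), the restriction of `linked_app_token` rules to `non_identity` and `bypass` decisions, and the way the three rule blocks combine (`include` is OR, `require` is AND, `exclude` is NOT). The script below is an added example and not Cloudflare's code or SDK. Everything it enforces is taken from the field descriptions on this page except two things, which are assumptions: the subject model in `policy_matches` (a subject is described by the rules it is already known to satisfy, since the real matching against identity-provider data happens on Cloudflare's side), and the approval-group sanity checks (`approvals_needed` at least 1, and `approval_required` without any `approval_groups`), which this script adds on its own.

```python
"""Pre-flight checks for an Access reusable policy body, plus the
include/require/exclude combination the reference describes.  Added
example, not Cloudflare code.  Field names, enums and both duration
grammars come from the reference; the subject model in policy_matches
and the approval-group sanity checks are this script's own assumptions."""
import json
import re
from fractions import Fraction
from typing import Any, Optional

DECISIONS = {"allow", "deny", "non_identity", "bypass"}
AUTHENTICATORS = {"totp", "biometrics", "security_key"}
LINKED_APP_TOKEN_DECISIONS = {"non_identity", "bypass"}

# Policy session_duration is Go-style ("300ms", "2h45m"); units ns, us (or
# the micro sign), ms, s, m, h.  Stored as nanoseconds per unit.
GO_UNIT_NS = {"ns": 1, "us": 10**3, "\u00b5s": 10**3, "ms": 10**6,
              "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_UNITS = "|".join(sorted(GO_UNIT_NS, key=len, reverse=True))  # try "ms" before "m"
_GO_DUR = re.compile(r"^(?:\d+(?:\.\d+)?(?:%s))+$" % _UNITS)
_GO_PART = re.compile(r"(\d+(?:\.\d+)?)(%s)" % _UNITS)
# mfa_config.session_duration is whole minutes or hours, 0m to 720h (30 days).
_MFA_DUR = re.compile(r"^(\d+)([mh])$")
MFA_MAX_SECONDS = 720 * 3600


def parse_go_duration(text: Any) -> Optional[int]:
    """Nanoseconds for a Go-style duration, or None if it is malformed."""
    if not isinstance(text, str) or not _GO_DUR.match(text):
        return None
    return int(sum(Fraction(n) * GO_UNIT_NS[u] for n, u in _GO_PART.findall(text)))


def parse_mfa_duration(text: Any) -> Optional[int]:
    """Seconds for an MFA session duration inside the documented bounds, else None."""
    m = _MFA_DUR.match(text) if isinstance(text, str) else None
    if not m:
        return None
    seconds = int(m.group(1)) * (60 if m.group(2) == "m" else 3600)
    return seconds if seconds <= MFA_MAX_SECONDS else None


def validate_policy(body: dict) -> list:
    """Return the problems found; an empty list means every check passed."""
    problems = []
    decision = body.get("decision")
    if decision not in DECISIONS:
        problems.append("decision must be one of %s" % sorted(DECISIONS))
    if not body.get("name"):
        problems.append("name is required")
    if not body.get("include"):
        problems.append("include must contain at least one rule")
    for block in ("include", "require", "exclude"):
        for rule in body.get(block) or []:
            if "linked_app_token" in rule and decision not in LINKED_APP_TOKEN_DECISIONS:
                problems.append(block + ": linked_app_token needs a non_identity or bypass decision")
    if "session_duration" in body and parse_go_duration(body["session_duration"]) is None:
        problems.append("session_duration must look like 300ms or 2h45m")
    mfa = body.get("mfa_config") or {}
    unknown = set(mfa.get("allowed_authenticators", [])) - AUTHENTICATORS
    if unknown:
        problems.append("mfa_config.allowed_authenticators: unknown %s" % sorted(unknown))
    if "session_duration" in mfa and parse_mfa_duration(mfa["session_duration"]) is None:
        problems.append("mfa_config.session_duration must be Nm or Nh, 0m to 720h")
    # Approval-group checks are this script's own sanity checks (assumption).
    for i, group in enumerate(body.get("approval_groups") or []):
        if not isinstance(group.get("approvals_needed"), int) or group["approvals_needed"] < 1:
            problems.append("approval_groups[%d].approvals_needed must be a positive integer" % i)
        if not group.get("email_addresses") and not group.get("email_list_uuid"):
            problems.append("approval_groups[%d] needs email_addresses or email_list_uuid" % i)
    if body.get("approval_required") and not body.get("approval_groups"):
        problems.append("approval_required is set but no approval_groups are given")
    return problems


def _key(rule: dict) -> str:
    return json.dumps(rule, sort_keys=True, separators=(",", ":"))


def policy_matches(body: dict, satisfied: list) -> bool:
    """include is OR, require is AND, exclude is NOT, as the reference states.
    `satisfied` lists the rules the subject is known to meet (model assumption);
    {"everyone": {}} matches all users, so it is always present."""
    have = {_key(r) for r in satisfied} | {_key({"everyone": {}})}
    return (any(_key(r) in have for r in body.get("include", []))
            and all(_key(r) in have for r in body.get("require", []))
            and not any(_key(r) in have for r in body.get("exclude", [])))


EXAMPLE_BODY = {  # the request body from the example on this page
    "decision": "allow", "name": "Allow devs", "session_duration": "24h",
    "include": [{"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}}],
    "approval_groups": [
        {"approvals_needed": 1, "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"]},
        {"approvals_needed": 3, "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"}],
    "approval_required": True, "purpose_justification_required": True,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
}

if __name__ == "__main__":
    print("problems:", validate_policy(EXAMPLE_BODY) or "none")
    deny_alice = {"include": [{"everyone": {}}], "exclude": [{"email": {"email": "alice@example.com"}}]}
    print("alice matches:", policy_matches(deny_alice, [{"email": {"email": "alice@example.com"}}]))
```

The `exclude` case is the one that most often surprises people: a policy whose `include` is `everyone` and whose `exclude` names one email still admits every other subject, and an `exclude` rule that nobody satisfies changes nothing. Running `policy_matches` against the rules you expect a given user to satisfy is a cheap way to confirm the block you put a rule in produces the decision you intended before the PUT goes out.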
### Returns

- `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id, app_count, approval_groups, 15 more }` - `id: optional string` The UUID of the policy. - `app_count: optional number` Number of Access applications currently using this policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy.
Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. 
- `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
- `reusable: optional true` - `true` - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies/$POLICY_ID \ -X PUT \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "decision": "allow", "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "name": "Allow devs", "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ] }, { "approvals_needed": 3, "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "session_duration": "24h" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "app_count": 2, "approval_groups": [ { "approvals_needed": 1, "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "email_list_uuid" }, { "approvals_needed": 3, "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ], "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34" } ], "approval_required": true, "connection_rules": { "rdp": { "allowed_clipboard_local_to_remote_formats": [ "text" ], "allowed_clipboard_remote_to_local_formats": [ "text" ] } }, "created_at": "2014-01-01T05:20:00.12345Z", "decision": "allow", "exclude": [ { "group": { "id": 
"aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "isolation_required": false, "mfa_config": { "allowed_authenticators": [ "totp", "biometrics", "security_key" ], "mfa_disabled": false, "session_duration": "24h" }, "name": "Allow devs", "purpose_justification_prompt": "Please enter a justification for entering this protected domain.", "purpose_justification_required": true, "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "reusable": true, "session_duration": "24h", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete an Access reusable policy **delete** `/accounts/{account_id}/access/policies/{policy_id}` Deletes an Access reusable policy. ### Path Parameters - `account_id: string` Identifier. - `policy_id: string` The UUID of the policy ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
  - `true`
- `result: optional { id }`
  - `id: optional string` The UUID of the policy.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies/$POLICY_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Approval Group

- `ApprovalGroup { approvals_needed, email_addresses, email_list_uuid }` A group of email addresses that can approve a temporary authentication request.
  - `approvals_needed: number` The number of approvals needed to obtain access.
  - `email_addresses: optional array of string` A list of emails that can approve the access request.
  - `email_list_uuid: optional string` The UUID of a re-usable email list.

### Policy

- `Policy { id, approval_groups, approval_required, 11 more }`
  - `id: optional string` UUID.
  - `approval_groups: optional array of { approvals_needed, email_addresses, email_list_uuid }` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of unknown` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a re-usable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `created_at: optional string`
  - `decision: optional "allow" or "deny" or "non_identity" or "bypass"` The action Access will take if a user matches this policy.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `updated_at: optional string`

### Policy List Response

- `PolicyListResponse { id, app_count, approval_groups, 15 more }`
  - `id: optional string` The UUID of the policy.
  - `app_count: optional number` Number of access applications currently using this policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a re-usable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `reusable: optional true`
    - `true`
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Policy Get Response

- `PolicyGetResponse { id, app_count, approval_groups, 15 more }`
  - `id: optional string` The UUID of the policy.
  - `app_count: optional number` Number of access applications currently using this policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a re-usable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
  - `reusable: optional true`
    - `true`
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Policy Create Response

- `PolicyCreateResponse { id, app_count, approval_groups, 15 more }`
  - `id: optional string` The UUID of the policy.
  - `app_count: optional number` Number of Access applications currently using this policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `reusable: optional true`
    - `true`
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Policy Update Response

- `PolicyUpdateResponse { id, app_count, approval_groups, 15 more }`
  - `id: optional string` The UUID of the policy.
  - `app_count: optional number` Number of Access applications currently using this policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `reusable: optional true`
    - `true`
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Policy Delete Response

- `PolicyDeleteResponse { id }`
  - `id: optional string` The UUID of the policy.

# DEX

## Domain Types

### Digital Experience Monitor

- `DigitalExperienceMonitor { id, default, name }`
  - `id: string` API Resource UUID tag.
- `default: boolean` Whether the policy is the default for the account - `name: string` ### Network Path - `NetworkPath { slots, sampling }` - `slots: array of { id, clientToAppRttMs, clientToCfEgressRttMs, 3 more }` - `id: string` API Resource UUID tag. - `clientToAppRttMs: number` Round trip time in ms of the client to app mile - `clientToCfEgressRttMs: number` Round trip time in ms of the client to Cloudflare egress mile - `clientToCfIngressRttMs: number` Round trip time in ms of the client to Cloudflare ingress mile - `timestamp: string` - `clientToIspRttMs: optional number` Round trip time in ms of the client to ISP mile - `sampling: optional { unit, value }` Specifies the sampling applied, if any, to the slots response. When sampled, results shown represent the first test run to the start of each sampling interval. - `unit: "hours"` - `"hours"` - `value: number` ### Network Path Response - `NetworkPathResponse { id, deviceName, interval, 4 more }` - `id: string` API Resource UUID tag. - `deviceName: optional string` - `interval: optional string` The interval at which the Traceroute synthetic application test is set to run. - `kind: optional "traceroute"` - `"traceroute"` - `name: optional string` - `networkPath: optional NetworkPath` - `slots: array of { id, clientToAppRttMs, clientToCfEgressRttMs, 3 more }` - `id: string` API Resource UUID tag. - `clientToAppRttMs: number` Round trip time in ms of the client to app mile - `clientToCfEgressRttMs: number` Round trip time in ms of the client to Cloudflare egress mile - `clientToCfIngressRttMs: number` Round trip time in ms of the client to Cloudflare ingress mile - `timestamp: string` - `clientToIspRttMs: optional number` Round trip time in ms of the client to ISP mile - `sampling: optional { unit, value }` Specifies the sampling applied, if any, to the slots response. When sampled, results shown represent the first test run to the start of each sampling interval. 
- `unit: "hours"` - `"hours"` - `value: number` - `url: optional string` The host of the Traceroute synthetic application test ### Percentiles - `Percentiles { p50, p90, p95, p99 }` - `p50: optional number` p50 observed in the time period - `p90: optional number` p90 observed in the time period - `p95: optional number` p95 observed in the time period - `p99: optional number` p99 observed in the time period # WARP Change Events ## List WARP change events. **get** `/accounts/{account_id}/dex/warp-change-events` List WARP configuration and enablement toggle change events by device. ### Path Parameters - `account_id: string` ### Query Parameters - `from: string` Start time for the query in ISO (RFC3339 - ISO 8601) format - `page: number` Page number of paginated results - `per_page: number` Number of items per page - `to: string` End time for the query in ISO (RFC3339 - ISO 8601) format - `account_name: optional string` Filter events by account name. - `config_name: optional string` Filter events by WARP configuration name changed from or to. Applicable to type='config' events only. - `sort_order: optional "ASC" or "DESC"` Sort response by event timestamp. - `"ASC"` - `"DESC"` - `toggle: optional "on" or "off"` Filter events by type toggle value. Applicable to type='toggle' events only. - `"on"` - `"off"` - `type: optional "config" or "toggle"` Filter events by type 'config' or 'toggle' - `"config"` - `"toggle"` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
  - `true`
- `result: optional array of { account_name, account_tag, device_id, 6 more } or { device_id, device_registration, from, 5 more }`
  - `DigitalExperienceMonitoringWARPToggleChangeEvent { account_name, account_tag, device_id, 6 more }`
    - `account_name: optional string` The account name.
    - `account_tag: optional string` The public account identifier.
    - `device_id: optional string` API Resource UUID tag.
    - `device_registration: optional string` API Resource UUID tag.
    - `hostname: optional string` The hostname of the machine the event is from.
    - `serial_number: optional string` The serial number of the machine the event is from.
    - `timestamp: optional string` Timestamp in ISO format.
    - `toggle: optional "on" or "off"` The state of the WARP toggle.
      - `"on"`
      - `"off"`
    - `user_email: optional string` Email tied to the device.
  - `DigitalExperienceMonitoringWARPConfigChangeEvent { device_id, device_registration, from, 5 more }`
    - `device_id: optional string` API Resource UUID tag.
    - `device_registration: optional string` API Resource UUID tag.
    - `from: optional { account_name, account_tag, config_name }`
      - `account_name: optional string` The account name.
      - `account_tag: optional string` API Resource UUID tag.
      - `config_name: optional string` The name of the WARP configuration.
    - `hostname: optional string` The hostname of the machine the event is from.
    - `serial_number: optional string` The serial number of the machine the event is from.
    - `timestamp: optional string` Timestamp in ISO format.
    - `to: optional { account_name, account_tag, config_name }`
      - `account_name: optional string` The account name.
      - `account_tag: optional string` API Resource UUID tag.
      - `config_name: optional string` The name of the WARP configuration.
    - `user_email: optional string` Email tied to the device.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/warp-change-events \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "account_name": "account_name",
      "account_tag": "account_tag",
      "device_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "device_registration": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "hostname": "hostname",
      "serial_number": "serial_number",
      "timestamp": "2023-10-11T00:00:00Z",
      "toggle": "on",
      "user_email": "user_email"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### WARP Change Event Get Response

- `WARPChangeEventGetResponse = array of { account_name, account_tag, device_id, 6 more } or { device_id, device_registration, from, 5 more }`
  - `DigitalExperienceMonitoringWARPToggleChangeEvent { account_name, account_tag, device_id, 6 more }`
    - `account_name: optional string` The account name.
    - `account_tag: optional string` The public account identifier.
    - `device_id: optional string` API Resource UUID tag.
    - `device_registration: optional string` API Resource UUID tag.
    - `hostname: optional string` The hostname of the machine the event is from.
    - `serial_number: optional string` The serial number of the machine the event is from.
    - `timestamp: optional string` Timestamp in ISO format.
    - `toggle: optional "on" or "off"` The state of the WARP toggle.
      - `"on"`
      - `"off"`
    - `user_email: optional string` Email tied to the device.
  - `DigitalExperienceMonitoringWARPConfigChangeEvent { device_id, device_registration, from, 5 more }`
    - `device_id: optional string` API Resource UUID tag.
    - `device_registration: optional string` API Resource UUID tag.
    - `from: optional { account_name, account_tag, config_name }`
      - `account_name: optional string` The account name.
      - `account_tag: optional string` API Resource UUID tag.
      - `config_name: optional string` The name of the WARP configuration.
    - `hostname: optional string` The hostname of the machine the event is from.
    - `serial_number: optional string` The serial number of the machine the event is from.
    - `timestamp: optional string` Timestamp in ISO format.
    - `to: optional { account_name, account_tag, config_name }`
      - `account_name: optional string` The account name.
      - `account_tag: optional string` API Resource UUID tag.
      - `config_name: optional string` The name of the WARP configuration.
    - `user_email: optional string` Email tied to the device.

# Commands

## List account commands

**get** `/accounts/{account_id}/dex/commands`

Retrieves a paginated list of commands issued to devices under the specified account, optionally filtered by time range, device, or other parameters.

### Path Parameters

- `account_id: string`

### Query Parameters

- `page: number` Page number for pagination.
- `per_page: number` Number of results per page.
- `command_type: optional string` Optionally filter executed commands by command type.
- `device_id: optional string` Unique identifier for a device.
- `from: optional string` Start time for the query in ISO (RFC3339 - ISO 8601) format.
- `status: optional "PENDING_EXEC" or "PENDING_UPLOAD" or "SUCCESS" or "FAILED"` Optionally filter executed commands by status.
  - `"PENDING_EXEC"`
  - `"PENDING_UPLOAD"`
  - `"SUCCESS"`
  - `"FAILED"`
- `to: optional string` End time for the query in ISO (RFC3339 - ISO 8601) format.
- `user_email: optional string` Email tied to the device.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { commands }`
  - `commands: optional array of { id, completed_date, created_date, 6 more }`
    - `id: optional string`
    - `completed_date: optional string`
    - `created_date: optional string`
    - `device_id: optional string`
    - `filename: optional string`
    - `registration_id: optional string` Unique identifier for the device registration.
    - `status: optional string`
    - `type: optional string`
    - `user_email: optional string`
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/commands \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "commands": [
      {
        "id": "id",
        "completed_date": "2019-12-27T18:11:19.117Z",
        "created_date": "2019-12-27T18:11:19.117Z",
        "device_id": "device_id",
        "filename": "filename",
        "registration_id": "registration_id",
        "status": "status",
        "type": "type",
        "user_email": "user_email"
      }
    ]
  },
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Create account commands

**post** `/accounts/{account_id}/dex/commands`

Initiate commands for up to 10 devices per account.

### Path Parameters

- `account_id: string`

### Body Parameters

- `commands: array of { command_type, device_id, user_email, 2 more }` List of device-level commands to execute.
  - `command_type: "pcap" or "warp-diag"` Type of command to execute on the device.
    - `"pcap"`
    - `"warp-diag"`
  - `device_id: string` Unique identifier for the physical device.
  - `user_email: string` Email tied to the device.
  - `command_args: optional { interfaces, "max-file-size-mb", "packet-size-bytes", 2 more }`
    - `interfaces: optional array of "default" or "tunnel"` List of interfaces to capture packets on.
      - `"default"`
      - `"tunnel"`
    - `"max-file-size-mb": optional number` Maximum file size (in MB) for the capture file. Specifies the maximum file size of the warp-diag zip artifact that can be uploaded. If the zip artifact exceeds the specified max file size, it will NOT be uploaded.
    - `"packet-size-bytes": optional number` Maximum number of bytes to save for each packet.
    - `"test-all-routes": optional boolean` Tests an IP address from all included or excluded ranges. Essentially the same as running 'route get '' and collecting the results. This option may increase the time taken to collect the warp-diag.
    - `"time-limit-min": optional number` Limit on capture duration (in minutes).
  - `registration_id: optional string` Unique identifier for the device registration. Required for multi-user devices to target the correct user session.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { commands }`
  - `commands: optional array of { id, args, device_id, 3 more }` List of created commands.
    - `id: optional string` Unique identifier for the command.
    - `args: optional map[string]` Command arguments.
    - `device_id: optional string` Identifier for the device associated with the command.
    - `registration_id: optional string` Unique identifier for the device registration.
    - `status: optional "PENDING_EXEC" or "PENDING_UPLOAD" or "SUCCESS" or "FAILED"` Current status of the command.
      - `"PENDING_EXEC"`
      - `"PENDING_UPLOAD"`
      - `"SUCCESS"`
      - `"FAILED"`
    - `type: optional string` Type of the command (e.g., "pcap" or "warp-diag").
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
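How the WARP change events endpoint above and the commands endpoints in this section (create, eligible devices, quota) fit together in practice, as an added example that is not Cloudflare's code: flag devices whose WARP was toggled off or moved to another account tag, then build a `warp-diag` batch for the ones the eligibility endpoint reports as eligible, validated against the documented body schema, the 10-device cap and the remaining quota. All sample responses are constructed with the page's field names; the HTTP calls themselves are left to the reader.

```python
"""Added example, not Cloudflare's code: turn WARP change events into a bounded,
quota-aware warp-diag batch for the DEX commands API documented on this page.
Every sample record below is constructed; field names follow the page's schemas."""
import json

MAX_COMMANDS_PER_REQUEST = 10  # "Initiate commands for up to 10 devices per account"
VALID_COMMAND_TYPES = {"pcap", "warp-diag"}
VALID_INTERFACES = {"default", "tunnel"}
POSITIVE_ARGS = ("max-file-size-mb", "packet-size-bytes", "time-limit-min")

# Constructed `result` of GET /dex/warp-change-events: two toggle events, one config event.
SAMPLE_EVENTS = [
    {"account_name": "acme", "account_tag": "acct-1", "device_id": "dev-1",
     "device_registration": "reg-1", "hostname": "laptop-1", "serial_number": "SN1",
     "timestamp": "2023-10-11T00:00:00Z", "toggle": "off", "user_email": "a@example.com"},
    {"device_id": "dev-2", "device_registration": "reg-2", "hostname": "laptop-2",
     "serial_number": "SN2", "timestamp": "2023-10-11T00:05:00Z",
     "from": {"account_name": "acme", "account_tag": "acct-1", "config_name": "corp"},
     "to": {"account_name": "other", "account_tag": "acct-9", "config_name": "personal"},
     "user_email": "b@example.com"},
    {"account_name": "acme", "account_tag": "acct-1", "device_id": "dev-3",
     "device_registration": "reg-3", "hostname": "laptop-3", "serial_number": "SN3",
     "timestamp": "2023-10-11T00:06:00Z", "toggle": "on", "user_email": "c@example.com"},
]
# Constructed `result` of GET /dex/commands/devices (DeviceListResponse).
SAMPLE_DEVICES = {"devices": [
    {"deviceId": "dev-1", "eligible": True, "registrationId": "reg-1",
     "personEmail": "a@example.com", "platform": "windows", "status": "connected"},
    {"deviceId": "dev-2", "eligible": False, "ineligibleReason": "unsupported client",
     "personEmail": "b@example.com", "platform": "mac", "status": "connected"},
]}
# Constructed `result` of GET /dex/commands/quota (QuotaGetResponse).
SAMPLE_QUOTA = {"quota": 3, "quota_usage": 7, "reset_time": "2023-10-12T00:00:00Z"}


def suspicious_events(events):
    """Surface what a defender cares about: WARP switched off, or a config change that
    moved the device to another account tag. Returns (device_id, registration, reason)."""
    findings = []
    for event in events:
        ident = (event.get("device_id"), event.get("device_registration"))
        if event.get("toggle") == "off":  # WARPToggleChangeEvent shape
            findings.append(ident + ("warp_off",))
        elif "from" in event or "to" in event:  # WARPConfigChangeEvent shape
            before = event.get("from", {}).get("account_tag")
            after = event.get("to", {}).get("account_tag")
            if before != after:
                findings.append(ident + ("account_changed",))
    return findings


def build_command(device_id, user_email, command_type="warp-diag",
                  registration_id=None, command_args=None):
    """One element of the `commands` body array, checked against the documented schema."""
    if command_type not in VALID_COMMAND_TYPES:
        raise ValueError(f"unsupported command_type {command_type!r}")
    command = {"command_type": command_type, "device_id": device_id, "user_email": user_email}
    if registration_id:  # needed on multi-user devices to target the right user session
        command["registration_id"] = registration_id
    if command_args:
        if not set(command_args.get("interfaces", [])) <= VALID_INTERFACES:
            raise ValueError("interfaces must be a subset of {'default', 'tunnel'}")
        for key in POSITIVE_ARGS:
            if key in command_args and command_args[key] <= 0:
                raise ValueError(f"{key} must be positive")
        command["command_args"] = command_args
    return command


def build_request(commands, quota):
    """Body for POST /accounts/{account_id}/dex/commands. `quota["quota"]` is the
    remaining command count, so a batch must fit both it and the 10-device cap."""
    if len(commands) > MAX_COMMANDS_PER_REQUEST:
        raise ValueError(f"at most {MAX_COMMANDS_PER_REQUEST} commands per request")
    if len(commands) > quota["quota"]:
        raise ValueError(f"only {quota['quota']} commands left until {quota['reset_time']}")
    return {"commands": commands}


def plan_diagnostics(events, device_list, quota):
    """Join the three responses: a warp-diag for each suspicious device that the
    eligibility endpoint says can take one, trimmed to the cap and the remaining quota."""
    eligible = {d["deviceId"]: d for d in device_list.get("devices", []) if d.get("eligible")}
    commands = []
    for device_id, registration_id, _reason in suspicious_events(events):
        device = eligible.get(device_id)
        if device is None:  # ineligible or not seen in the last hour: nothing to send
            continue
        commands.append(build_command(device_id, device["personEmail"],
                                      registration_id=registration_id or device.get("registrationId")))
    limit = min(MAX_COMMANDS_PER_REQUEST, quota["quota"])  # leftovers wait for the next batch
    return build_request(commands[:limit], quota)


if __name__ == "__main__":
    print(json.dumps(plan_diagnostics(SAMPLE_EVENTS, SAMPLE_DEVICES, SAMPLE_QUOTA), indent=2))
```

The returned body is what the `curl -d` in the example below sends; `build_request` raises rather than silently truncating so a caller that assembles its own batch cannot exceed the cap or the quota by accident.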
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/commands \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "commands": [
      {
        "command_type": "pcap",
        "device_id": "device_id",
        "user_email": "user_email"
      }
    ]
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "commands": [
      {
        "id": "id",
        "args": { "foo": "string" },
        "device_id": "device_id",
        "registration_id": "registration_id",
        "status": "PENDING_EXEC",
        "type": "type"
      }
    ]
  },
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Command List Response

- `CommandListResponse { commands }`
  - `commands: optional array of { id, completed_date, created_date, 6 more }`
    - `id: optional string`
    - `completed_date: optional string`
    - `created_date: optional string`
    - `device_id: optional string`
    - `filename: optional string`
    - `registration_id: optional string` Unique identifier for the device registration.
    - `status: optional string`
    - `type: optional string`
    - `user_email: optional string`

### Command Create Response

- `CommandCreateResponse { commands }`
  - `commands: optional array of { id, args, device_id, 3 more }` List of created commands.
    - `id: optional string` Unique identifier for the command.
    - `args: optional map[string]` Command arguments.
    - `device_id: optional string` Identifier for the device associated with the command.
    - `registration_id: optional string` Unique identifier for the device registration.
    - `status: optional "PENDING_EXEC" or "PENDING_UPLOAD" or "SUCCESS" or "FAILED"` Current status of the command.
      - `"PENDING_EXEC"`
      - `"PENDING_UPLOAD"`
      - `"SUCCESS"`
      - `"FAILED"`
    - `type: optional string` Type of the command (e.g., "pcap" or "warp-diag").

# Devices

## List devices eligible for remote captures

**get** `/accounts/{account_id}/dex/commands/devices`

List devices with WARP client support for remote captures which have been connected in the last 1 hour.

### Path Parameters

- `account_id: string`

### Query Parameters

- `page: number` Page number of paginated results.
- `per_page: number` Number of items per page.
- `search: optional string` Filter devices by name or email.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { devices }`
  - `devices: optional array of { deviceId, deviceName, eligible, 7 more }` List of eligible devices.
    - `deviceId: optional string` Device identifier (UUID v4).
    - `deviceName: optional string` Device identifier (human readable).
    - `eligible: optional boolean` Whether the device is eligible for remote captures.
    - `ineligibleReason: optional string` If the device is not eligible, the reason why.
    - `personEmail: optional string` User contact email address.
    - `platform: optional string` Operating system.
    - `registrationId: optional string` Device registration identifier (UUID v4). On multi-user devices, this uniquely identifies a user's registration on the device.
    - `status: optional string` Network status.
    - `timestamp: optional string` Timestamp in ISO format.
    - `version: optional string` WARP client version.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/commands/devices \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "devices": [
      {
        "deviceId": "deviceId",
        "deviceName": "deviceName",
        "eligible": true,
        "ineligibleReason": "ineligibleReason",
        "personEmail": "personEmail",
        "platform": "windows",
        "registrationId": "registrationId",
        "status": "connected",
        "timestamp": "2023-10-11T00:00:00Z",
        "version": "1.0.0"
      }
    ]
  },
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Device List Response

- `DeviceListResponse { devices }`
  - `devices: optional array of { deviceId, deviceName, eligible, 7 more }` List of eligible devices.
    - `deviceId: optional string` Device identifier (UUID v4).
    - `deviceName: optional string` Device identifier (human readable).
    - `eligible: optional boolean` Whether the device is eligible for remote captures.
    - `ineligibleReason: optional string` If the device is not eligible, the reason why.
    - `personEmail: optional string` User contact email address.
    - `platform: optional string` Operating system.
    - `registrationId: optional string` Device registration identifier (UUID v4). On multi-user devices, this uniquely identifies a user's registration on the device.
    - `status: optional string` Network status.
    - `timestamp: optional string` Timestamp in ISO format.
    - `version: optional string` WARP client version.

# Downloads

## Download command output file

**get** `/accounts/{account_id}/dex/commands/{command_id}/downloads/(unknown)`

Downloads artifacts for an executed command. Bulk downloads are not supported.

### Path Parameters

- `account_id: string`
- `command_id: string` Unique identifier for a command.
- `filename: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/commands/$COMMAND_ID/downloads/$FILENAME \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

# Quota

## Returns account commands usage, quota, and reset time

**get** `/accounts/{account_id}/dex/commands/quota`

Retrieves the current quota usage and limits for device commands within a specific account, including the time when the quota will reset.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { quota, quota_usage, reset_time }`
  - `quota: number` The remaining number of commands that can be initiated for an account.
  - `quota_usage: number` The number of commands that have been initiated for an account.
  - `reset_time: string` The time when the quota resets.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/commands/quota \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "quota": 0,
    "quota_usage": 0,
    "reset_time": "2019-12-27T18:11:19.117Z"
  },
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Quota Get Response

- `QuotaGetResponse { quota, quota_usage, reset_time }`
  - `quota: number` The remaining number of commands that can be initiated for an account.
  - `quota_usage: number` The number of commands that have been initiated for an account.
  - `reset_time: string` The time when the quota resets.

# Colos

## List Cloudflare colos

**get** `/accounts/{account_id}/dex/colos`

List Cloudflare colos that account's devices were connected to during a time period, sorted by usage starting from the most used colo. Colos without traffic are also returned and sorted alphabetically.

### Path Parameters

- `account_id: string`

### Query Parameters

- `from: string` Start time for connection period in ISO (RFC3339 - ISO 8601) format.
- `to: string` End time for connection period in ISO (RFC3339 - ISO 8601) format.
- `sortBy: optional "fleet-status-usage" or "application-tests-usage"` Type of usage that colos should be sorted by. If unspecified, returns all Cloudflare colos sorted alphabetically.
  - `"fleet-status-usage"`
  - `"application-tests-usage"`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { airportCode, city, countryCode }` Array of colos.
  - `airportCode: string` Airport code.
  - `city: string` City.
  - `countryCode: string` Country code.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/colos \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "airportCode": "SFO",
      "city": "San Francisco",
      "countryCode": "US"
    }
  ]
}
```

## Domain Types

### Colo List Response

- `ColoListResponse { airportCode, city, countryCode }`
  - `airportCode: string` Airport code.
  - `city: string` City.
  - `countryCode: string` Country code.

# Fleet Status

## List fleet status details by dimension

**get** `/accounts/{account_id}/dex/fleet-status/live`

List details for live (up to 60 minutes) devices using WARP.

### Path Parameters

- `account_id: string`

### Query Parameters

- `since_minutes: number` Number of minutes before current time.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { deviceStats }`
  - `deviceStats: optional { byColo, byMode, byPlatform, 3 more }`
    - `byColo: optional array of LiveStat`
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `byMode: optional array of LiveStat`
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `byPlatform: optional array of LiveStat`
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `byStatus: optional array of LiveStat`
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `byVersion: optional array of LiveStat`
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `uniqueDevicesTotal: optional number` Number of unique devices.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/fleet-status/live \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "deviceStats": {
      "byColo": [ { "uniqueDevicesTotal": 0, "value": "value" } ],
      "byMode": [ { "uniqueDevicesTotal": 0, "value": "value" } ],
      "byPlatform": [ { "uniqueDevicesTotal": 0, "value": "value" } ],
      "byStatus": [ { "uniqueDevicesTotal": 0, "value": "value" } ],
      "byVersion": [ { "uniqueDevicesTotal": 0, "value": "value" } ],
      "uniqueDevicesTotal": 0
    }
  }
}
```

## List fleet status aggregate details by dimension

**get** `/accounts/{account_id}/dex/fleet-status/over-time`

List details for devices using WARP, up to 7 days.

### Path Parameters

- `account_id: string`

### Query Parameters

- `from: string` Time range beginning in ISO format.
- `to: string` Time range end in ISO format.
- `colo: optional string` Cloudflare colo.
- `device_id: optional string` Device-specific ID, given as UUID v4.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { deviceStats }`
  - `deviceStats: optional { byMode, byStatus, uniqueDevicesTotal }`
    - `byMode: optional array of { timestamp, uniqueDevicesTotal, value }`
      - `timestamp: optional string` Timestamp in ISO format.
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `byStatus: optional array of { timestamp, uniqueDevicesTotal, value }`
      - `timestamp: optional string` Timestamp in ISO format.
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `uniqueDevicesTotal: optional number` Number of unique devices.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/fleet-status/over-time \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "deviceStats": {
      "byMode": [
        { "timestamp": "2023-10-11T00:00:00Z", "uniqueDevicesTotal": 0, "value": "value" }
      ],
      "byStatus": [
        { "timestamp": "2023-10-11T00:00:00Z", "uniqueDevicesTotal": 0, "value": "value" }
      ],
      "uniqueDevicesTotal": 0
    }
  },
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Domain Types

### Live Stat

- `LiveStat { uniqueDevicesTotal, value }`
  - `uniqueDevicesTotal: optional number` Number of unique devices.
  - `value: optional string`

### Fleet Status Live Response

- `FleetStatusLiveResponse { deviceStats }`
  - `deviceStats: optional { byColo, byMode, byPlatform, 3 more }`
    - `byColo: optional array of LiveStat`
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `byMode: optional array of LiveStat`
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `byPlatform: optional array of LiveStat`
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `byStatus: optional array of LiveStat`
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `byVersion: optional array of LiveStat`
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `uniqueDevicesTotal: optional number` Number of unique devices.

### Fleet Status Over Time Response

- `FleetStatusOverTimeResponse { deviceStats }`
  - `deviceStats: optional { byMode, byStatus, uniqueDevicesTotal }`
    - `byMode: optional array of { timestamp, uniqueDevicesTotal, value }`
      - `timestamp: optional string` Timestamp in ISO format.
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `byStatus: optional array of { timestamp, uniqueDevicesTotal, value }`
      - `timestamp: optional string` Timestamp in ISO format.
      - `uniqueDevicesTotal: optional number` Number of unique devices.
      - `value: optional string`
    - `uniqueDevicesTotal: optional number` Number of unique devices.

# Devices

## List fleet status devices

**get** `/accounts/{account_id}/dex/fleet-status/devices`

List details for devices using WARP.

### Path Parameters

- `account_id: string`

### Query Parameters

- `from: string` Time range beginning in ISO format.
- `page: number` Page number.
- `per_page: number` Number of results per page.
- `to: string` Time range end in ISO format.
- `colo: optional string` Cloudflare colo.
- `device_id: optional string` Device-specific ID, given as UUID v4.
- `mode: optional string` The mode under which the WARP client is run.
- `platform: optional string` Operating system.
- `sort_by: optional "colo" or "device_id" or "mode" or 4 more` Dimension to sort results by.
  - `"colo"`
  - `"device_id"`
  - `"mode"`
  - `"platform"`
  - `"status"`
  - `"timestamp"`
  - `"version"`
- `source: optional "last_seen" or "hourly" or "raw"` Source:
  - `hourly` - device details aggregated hourly, up to 7 days prior
  - `last_seen` - device details, up to 60 minutes prior
  - `raw` - device details, up to 7 days prior
  - `"last_seen"`
  - `"hourly"`
  - `"raw"`
- `status: optional string` Network status.
- `version: optional string` WARP client version.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { colo, deviceId, mode, 35 more }`
  - `colo: string` Cloudflare colo.
  - `deviceId: string` Device identifier (UUID v4).
  - `mode: string` The mode under which the WARP client is run.
  - `platform: string` Operating system.
  - `status: string` Network status.
  - `timestamp: string` Timestamp in ISO format.
  - `version: string` WARP client version.
  - `alwaysOn: optional boolean`
  - `batteryCharging: optional boolean`
  - `batteryCycles: optional number`
  - `batteryPct: optional number`
  - `connectionType: optional string`
  - `cpuPct: optional number`
  - `cpuPctByApp: optional array of array of { cpu_pct, name }`
    - `cpu_pct: optional number`
    - `name: optional string`
  - `deviceIpv4: optional { address, asn, aso, 3 more }`
    - `address: optional string`
    - `asn: optional number`
    - `aso: optional string`
    - `location: optional { city, country_iso, state_iso, zip }`
      - `city: optional string`
      - `country_iso: optional string`
      - `state_iso: optional string`
      - `zip: optional string`
    - `netmask: optional string`
    - `version: optional string`
  - `deviceIpv6: optional { address, asn, aso, 3 more }`
    - `address: optional string`
    - `asn: optional number`
    - `aso: optional string`
    - `location: optional { city, country_iso, state_iso, zip }`
      - `city: optional string`
      - `country_iso: optional string`
      - `state_iso: optional string`
      - `zip: optional string`
    - `netmask: optional string`
    - `version: optional string`
  - `deviceName: optional string` Device identifier (human readable).
  - `diskReadBps: optional number`
  - `diskUsagePct: optional number`
  - `diskWriteBps: optional number`
  - `dohSubdomain: optional string`
  - `estimatedLossPct: optional number`
  - `firewallEnabled: optional boolean`
  - `gatewayIpv4: optional { address, asn, aso, 3 more }`
    - `address: optional string`
    - `asn: optional number`
    - `aso: optional string`
`location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `gatewayIpv6: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `handshakeLatencyMs: optional number` - `ispIpv4: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `ispIpv6: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `metal: optional string` - `networkRcvdBps: optional number` - `networkSentBps: optional number` - `networkSsid: optional string` - `personEmail: optional string` User contact email address - `ramAvailableKb: optional number` - `ramUsedPct: optional number` - `ramUsedPctByApp: optional array of array of { name, ram_used_pct }` - `name: optional string` - `ram_used_pct: optional number` - `switchLocked: optional boolean` - `wifiStrengthDbm: optional number` - `result_info: optional { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. 
- `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/fleet-status/devices \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "colo": "SJC", "deviceId": "deviceId", "mode": "proxy", "platform": "windows", "status": "connected", "timestamp": "2023-10-11T00:00:00Z", "version": "1.0.0", "alwaysOn": true, "batteryCharging": true, "batteryCycles": 0, "batteryPct": 0, "connectionType": "connectionType", "cpuPct": 0, "cpuPctByApp": [ [ { "cpu_pct": 0, "name": "name" } ] ], "deviceIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "deviceIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "deviceName": "deviceName", "diskReadBps": 0, "diskUsagePct": 0, "diskWriteBps": 0, "dohSubdomain": "dohSubdomain", "estimatedLossPct": 0, "firewallEnabled": true, "gatewayIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "gatewayIpv6": { "address": "address", "asn": 0, "aso": 
"aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "handshakeLatencyMs": 0, "ispIpv4": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "ispIpv6": { "address": "address", "asn": 0, "aso": "aso", "location": { "city": "city", "country_iso": "country_iso", "state_iso": "state_iso", "zip": "zip" }, "netmask": "netmask", "version": "version" }, "metal": "metal", "networkRcvdBps": 0, "networkSentBps": 0, "networkSsid": "networkSsid", "personEmail": "personEmail", "ramAvailableKb": 0, "ramUsedPct": 0, "ramUsedPctByApp": [ [ { "name": "name", "ram_used_pct": 0 } ] ], "switchLocked": true, "wifiStrengthDbm": 0 } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Device List Response - `DeviceListResponse { colo, deviceId, mode, 35 more }` - `colo: string` Cloudflare colo - `deviceId: string` Device identifier (UUID v4) - `mode: string` The mode under which the WARP client is run - `platform: string` Operating system - `status: string` Network status - `timestamp: string` Timestamp in ISO format - `version: string` WARP client version - `alwaysOn: optional boolean` - `batteryCharging: optional boolean` - `batteryCycles: optional number` - `batteryPct: optional number` - `connectionType: optional string` - `cpuPct: optional number` - `cpuPctByApp: optional array of array of { cpu_pct, name }` - `cpu_pct: optional number` - `name: optional string` - `deviceIpv4: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - 
`netmask: optional string` - `version: optional string` - `deviceIpv6: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `deviceName: optional string` Device identifier (human readable) - `diskReadBps: optional number` - `diskUsagePct: optional number` - `diskWriteBps: optional number` - `dohSubdomain: optional string` - `estimatedLossPct: optional number` - `firewallEnabled: optional boolean` - `gatewayIpv4: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `gatewayIpv6: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `handshakeLatencyMs: optional number` - `ispIpv4: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `ispIpv6: optional { address, asn, aso, 3 more }` - `address: optional string` - `asn: optional number` - `aso: optional string` - `location: optional { 
city, country_iso, state_iso, zip }` - `city: optional string` - `country_iso: optional string` - `state_iso: optional string` - `zip: optional string` - `netmask: optional string` - `version: optional string` - `metal: optional string` - `networkRcvdBps: optional number` - `networkSentBps: optional number` - `networkSsid: optional string` - `personEmail: optional string` User contact email address - `ramAvailableKb: optional number` - `ramUsedPct: optional number` - `ramUsedPctByApp: optional array of array of { name, ram_used_pct }` - `name: optional string` - `ram_used_pct: optional number` - `switchLocked: optional boolean` - `wifiStrengthDbm: optional number` # HTTP Tests ## Get details and aggregate metrics for an http test **get** `/accounts/{account_id}/dex/http-tests/{test_id}` Get test details and aggregate performance metrics for an http test for a given time period between 1 hour and 7 days. ### Path Parameters - `account_id: string` - `test_id: string` API Resource UUID tag. ### Query Parameters - `from: string` Start time for aggregate metrics in ISO ms - `interval: "minute" or "hour"` Time interval for aggregate time slots. - `"minute"` - `"hour"` - `to: string` End time for aggregate metrics in ISO ms - `colo: optional string` Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param. - `deviceId: optional array of string` Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional HTTPDetails` - `host: optional string` The url of the HTTP synthetic application test - `httpStats: optional { availabilityPct, dnsResponseTimeMs, httpStatusCode, 3 more }` - `availabilityPct: { slots, avg, max, min }` - `slots: array of { timestamp, value }` - `timestamp: string` - `value: number` - `avg: optional number` average observed in the time period - `max: optional number` highest observed in the time period - `min: optional number` lowest observed in the time period - `dnsResponseTimeMs: TestStatOverTime` - `slots: array of { timestamp, value }` - `timestamp: string` - `value: number` - `avg: optional number` average observed in the time period - `max: optional number` highest observed in the time period - `min: optional number` lowest observed in the time period - `httpStatusCode: array of { status200, status300, status400, 2 more }` - `status200: number` - `status300: number` - `status400: number` - `status500: number` - `timestamp: string` - `resourceFetchTimeMs: TestStatOverTime` - `serverResponseTimeMs: TestStatOverTime` - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period - `httpStatsByColo: optional array of { availabilityPct, colo, dnsResponseTimeMs, 4 more }` - `availabilityPct: { slots, avg, max, min }` - `slots: array of { timestamp, value }` - `timestamp: string` - `value: number` - `avg: optional number` average observed in the time period - `max: optional number` highest observed in the time period - `min: optional number` lowest observed in the time period - `colo: string` - `dnsResponseTimeMs: TestStatOverTime` - `httpStatusCode: array of { status200, status300, status400, 2 more }` - `status200: number` - `status300: number` - `status400: number` - `status500: number` - `timestamp: string` - `resourceFetchTimeMs: TestStatOverTime` - `serverResponseTimeMs: TestStatOverTime` - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the 
given time period - `interval: optional string` The interval at which the HTTP synthetic application test is set to run. - `kind: optional "http"` - `"http"` - `method: optional string` The HTTP method to use when running the test - `name: optional string` The name of the HTTP synthetic application test - `target_policies: optional array of DigitalExperienceMonitor` - `id: string` API Resource UUID tag. - `default: boolean` Whether the policy is the default for the account - `name: string` - `targeted: optional boolean` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/http-tests/$TEST_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "host": "http://example.com", "httpStats": { "availabilityPct": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "dnsResponseTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "httpStatusCode": [ { "status200": 0, "status300": 0, "status400": 0, "status500": 0, "timestamp": "2023-07-16 15:00:00+00" } ], "resourceFetchTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "serverResponseTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "uniqueDevicesTotal": 57 }, "httpStatsByColo": [ { "availabilityPct": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "colo": "DFW", "dnsResponseTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, 
"httpStatusCode": [ { "status200": 0, "status300": 0, "status400": 0, "status500": 0, "timestamp": "2023-07-16 15:00:00+00" } ], "resourceFetchTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "serverResponseTimeMs": { "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ], "avg": 0, "max": 0, "min": 0 }, "uniqueDevicesTotal": 57 } ], "interval": "0h5m0s", "kind": "http", "method": "GET", "name": "Atlassian Sign In Page", "target_policies": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" } ], "targeted": true } } ``` ## Domain Types ### HTTP Details - `HTTPDetails { host, httpStats, httpStatsByColo, 6 more }` - `host: optional string` The url of the HTTP synthetic application test - `httpStats: optional { availabilityPct, dnsResponseTimeMs, httpStatusCode, 3 more }` - `availabilityPct: { slots, avg, max, min }` - `slots: array of { timestamp, value }` - `timestamp: string` - `value: number` - `avg: optional number` average observed in the time period - `max: optional number` highest observed in the time period - `min: optional number` lowest observed in the time period - `dnsResponseTimeMs: TestStatOverTime` - `slots: array of { timestamp, value }` - `timestamp: string` - `value: number` - `avg: optional number` average observed in the time period - `max: optional number` highest observed in the time period - `min: optional number` lowest observed in the time period - `httpStatusCode: array of { status200, status300, status400, 2 more }` - `status200: number` - `status300: number` - `status400: number` - `status500: number` - `timestamp: string` - `resourceFetchTimeMs: TestStatOverTime` - `serverResponseTimeMs: TestStatOverTime` - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period - `httpStatsByColo: optional array of { availabilityPct, colo, dnsResponseTimeMs, 4 more }` - `availabilityPct: { slots, avg, max, 
min }` - `slots: array of { timestamp, value }` - `timestamp: string` - `value: number` - `avg: optional number` average observed in the time period - `max: optional number` highest observed in the time period - `min: optional number` lowest observed in the time period - `colo: string` - `dnsResponseTimeMs: TestStatOverTime` - `httpStatusCode: array of { status200, status300, status400, 2 more }` - `status200: number` - `status300: number` - `status400: number` - `status500: number` - `timestamp: string` - `resourceFetchTimeMs: TestStatOverTime` - `serverResponseTimeMs: TestStatOverTime` - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period - `interval: optional string` The interval at which the HTTP synthetic application test is set to run. - `kind: optional "http"` - `"http"` - `method: optional string` The HTTP method to use when running the test - `name: optional string` The name of the HTTP synthetic application test - `target_policies: optional array of DigitalExperienceMonitor` - `id: string` API Resource UUID tag. - `default: boolean` Whether the policy is the default for the account - `name: string` - `targeted: optional boolean` # Percentiles ## Get percentiles for an http test **get** `/accounts/{account_id}/dex/http-tests/{test_id}/percentiles` Get percentiles for an http test for a given time period between 1 hour and 7 days. ### Path Parameters - `account_id: string` - `test_id: string` API Resource UUID tag. ### Query Parameters - `from: string` Start time for the query in ISO (RFC3339 - ISO 8601) format - `to: string` End time for the query in ISO (RFC3339 - ISO 8601) format - `colo: optional string` Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param. - `deviceId: optional array of string` Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param. 
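The HTTP test details and percentiles endpoints above share three rules that are easy to violate from a script: the window must be between 1 hour and 7 days, `interval` is `minute` or `hour`, and `colo` and `deviceId` are mutually exclusive. The Python below is an added example, not Cloudflare's own code: it enforces those rules client-side before a request is sent, then reduces an `HTTPDetails` result to the signals a responder cares about (status-code totals, the time slots where 4xx/5xx responses dominate, the worst colo by availability) and picks out percentile metrics over a latency budget. Assumptions: timestamps are sent as RFC 3339 UTC strings (the details endpoint's description says "ISO ms", the percentiles endpoint says RFC 3339), the `deviceId` array is encoded as repeated query keys, and the sample response and percentiles are constructed in the documented shape.

```python
"""Added example (not Cloudflare's code): validate the documented query rules for
/dex/http-tests/{test_id} and /dex/http-tests/{test_id}/percentiles, then
summarise the returned HTTPDetails and HTTPDetailsPercentiles.
Assumptions: RFC 3339 UTC timestamps; deviceId sent as repeated query keys;
sample responses below are constructed, not captured."""
from datetime import datetime, timedelta, timezone

MIN_WINDOW, MAX_WINDOW = timedelta(hours=1), timedelta(days=7)
STATUS_KEYS = ("status200", "status300", "status400", "status500")
ISO_FMT = "%Y-%m-%dT%H:%M:%SZ"

def http_test_params(from_time, to_time, interval="hour", colo=None, device_ids=()):
    """Query parameters for the details endpoint (drop 'interval' for /percentiles)."""
    if interval not in ("minute", "hour"):
        raise ValueError("interval must be 'minute' or 'hour'")
    if not MIN_WINDOW <= to_time - from_time <= MAX_WINDOW:
        raise ValueError("time range must be between 1 hour and 7 days")
    if colo and device_ids:
        raise ValueError("colo and deviceId filters cannot be combined")
    params = {"from": from_time.strftime(ISO_FMT), "to": to_time.strftime(ISO_FMT),
              "interval": interval}
    if colo:
        params["colo"] = colo
    if device_ids:
        params["deviceId"] = list(device_ids)  # assumption: one query key per device
    return params

def summarize(details, max_error_share=0.05):
    """Status-code totals plus the slots where 4xx+5xx exceed max_error_share."""
    stats = details["httpStats"]
    totals = dict.fromkeys(STATUS_KEYS, 0)
    error_slots = []
    for slot in stats.get("httpStatusCode", []):
        counts = {k: slot.get(k, 0) for k in STATUS_KEYS}
        for k, n in counts.items():
            totals[k] += n
        seen = sum(counts.values())
        errors = counts["status400"] + counts["status500"]
        if seen and errors / seen > max_error_share:
            error_slots.append(slot["timestamp"])
    return {"host": details.get("host"),
            "devices": stats.get("uniqueDevicesTotal"),
            "availability_avg_pct": stats.get("availabilityPct", {}).get("avg"),
            "status_totals": totals,
            "error_slots": error_slots}

def worst_colo(details):
    """(colo, avg availability) for the lowest-availability colo, or None."""
    by_colo = [(c["colo"], c["availabilityPct"].get("avg"))
               for c in details.get("httpStatsByColo", [])
               if c["availabilityPct"].get("avg") is not None]
    return min(by_colo, key=lambda item: item[1]) if by_colo else None

def over_budget(percentiles, budget_ms, pct="p95"):
    """Names of the latency metrics whose chosen percentile exceeds budget_ms."""
    return sorted(name for name, p in percentiles.items()
                  if p and p.get(pct) is not None and p[pct] > budget_ms)

# Constructed samples in the documented shapes (not captured responses).
SAMPLE_FROM = datetime(2023, 7, 16, 15, tzinfo=timezone.utc)
SAMPLE_TO = SAMPLE_FROM + timedelta(hours=2)
SAMPLE_DETAILS = {
    "host": "http://example.com",
    "httpStats": {
        "availabilityPct": {"slots": [], "avg": 97.5, "max": 100, "min": 95},
        "httpStatusCode": [
            {"status200": 95, "status300": 0, "status400": 3, "status500": 2,
             "timestamp": "2023-07-16 15:00:00+00"},
            {"status200": 60, "status300": 0, "status400": 0, "status500": 40,
             "timestamp": "2023-07-16 16:00:00+00"},
        ],
        "uniqueDevicesTotal": 57,
    },
    "httpStatsByColo": [
        {"colo": "DFW", "availabilityPct": {"slots": [], "avg": 99.0}},
        {"colo": "SJC", "availabilityPct": {"slots": [], "avg": 91.0}},
    ],
}
SAMPLE_PERCENTILES = {
    "dnsResponseTimeMs": {"p50": 12, "p90": 30, "p95": 45, "p99": 120},
    "resourceFetchTimeMs": {"p50": 300, "p90": 800, "p95": 1400, "p99": 2500},
    "serverResponseTimeMs": {"p50": 100, "p90": 250, "p95": 400, "p99": 900},
}
```

A sudden run of `error_slots` on a test that targets an internal application behind Access is worth correlating with policy changes, not only with the application's health: a 4xx spike from many devices at once often means the synthetic test is now being challenged or denied rather than that the origin failed.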
### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional HTTPDetailsPercentiles` - `dnsResponseTimeMs: optional Percentiles` - `p50: optional number` p50 observed in the time period - `p90: optional number` p90 observed in the time period - `p95: optional number` p95 observed in the time period - `p99: optional number` p99 observed in the time period - `resourceFetchTimeMs: optional Percentiles` - `serverResponseTimeMs: optional Percentiles` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/http-tests/$TEST_ID/percentiles \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "dnsResponseTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "resourceFetchTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "serverResponseTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 } } } ``` ## Domain Types ### HTTP Details Percentiles - `HTTPDetailsPercentiles { dnsResponseTimeMs, resourceFetchTimeMs, serverResponseTimeMs }` - `dnsResponseTimeMs: optional Percentiles` - `p50: optional number` p50 observed in the time period - `p90: optional number` p90 observed in the time period - `p95: optional number` p95 observed in the time period - `p99: optional number` p99 observed in the time 
period - `resourceFetchTimeMs: optional Percentiles` - `serverResponseTimeMs: optional Percentiles` ### Test Stat Over Time - `TestStatOverTime { slots, avg, max, min }` - `slots: array of { timestamp, value }` - `timestamp: string` - `value: number` - `avg: optional number` average observed in the time period - `max: optional number` highest observed in the time period - `min: optional number` lowest observed in the time period # Tests ## List DEX test analytics **get** `/accounts/{account_id}/dex/tests/overview` List DEX tests with overview metrics ### Path Parameters - `account_id: string` ### Query Parameters - `colo: optional string` Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with deviceId param. - `deviceId: optional array of string` Optionally filter result stats to a specific device(s). Cannot be used in combination with colo param. - `kind: optional "http" or "traceroute"` Filter by test type - `"http"` - `"traceroute"` - `page: optional number` Page number of paginated results - `per_page: optional number` Number of items per page - `testName: optional string` Optionally filter results by test name ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional Tests` - `overviewMetrics: { testsTotal, avgHttpAvailabilityPct, avgTracerouteAvailabilityPct }` - `testsTotal: number` number of tests. 
- `avgHttpAvailabilityPct: optional number` percentage availability for all HTTP test results in response - `avgTracerouteAvailabilityPct: optional number` percentage availability for all traceroutes results in response - `tests: array of { id, created, description, 13 more }` array of test results objects. - `id: string` API Resource UUID tag. - `created: string` date the test was created. - `description: string` the test description defined during configuration - `enabled: boolean` if true, then the test will run on targeted devices. Else, the test will not run. - `host: string` - `interval: string` The interval at which the synthetic application test is set to run. - `kind: "http" or "traceroute"` test type, http or traceroute - `"http"` - `"traceroute"` - `name: string` name given to this test - `updated: string` - `httpResults: optional { resourceFetchTime }` - `resourceFetchTime: { history, avgMs, overTime }` - `history: array of { timePeriod, avgMs, deltaPct }` - `timePeriod: AggregateTimePeriod` - `units: "hours" or "days" or "testRuns"` - `"hours"` - `"days"` - `"testRuns"` - `value: number` - `avgMs: optional number` - `deltaPct: optional number` - `avgMs: optional number` - `overTime: optional { timePeriod, values }` - `timePeriod: AggregateTimePeriod` - `values: array of { avgMs, timestamp }` - `avgMs: number` - `timestamp: string` - `httpResultsByColo: optional array of { colo, resourceFetchTime }` - `colo: string` Cloudflare colo - `resourceFetchTime: { history, avgMs, overTime }` - `history: array of { timePeriod, avgMs, deltaPct }` - `timePeriod: AggregateTimePeriod` - `avgMs: optional number` - `deltaPct: optional number` - `avgMs: optional number` - `overTime: optional { timePeriod, values }` - `timePeriod: AggregateTimePeriod` - `values: array of { avgMs, timestamp }` - `avgMs: number` - `timestamp: string` - `method: optional string` for HTTP, the method to use when running the test - `target_policies: optional array of DigitalExperienceMonitor` 
- `id: string` API Resource UUID tag. - `default: boolean` Whether the policy is the default for the account - `name: string` - `targeted: optional boolean` - `tracerouteResults: optional { roundTripTime }` - `roundTripTime: { history, avgMs, overTime }` - `history: array of { timePeriod, avgMs, deltaPct }` - `timePeriod: AggregateTimePeriod` - `avgMs: optional number` - `deltaPct: optional number` - `avgMs: optional number` - `overTime: optional { timePeriod, values }` - `timePeriod: AggregateTimePeriod` - `values: array of { avgMs, timestamp }` - `avgMs: number` - `timestamp: string` - `tracerouteResultsByColo: optional array of { colo, roundTripTime }` - `colo: string` Cloudflare colo - `roundTripTime: { history, avgMs, overTime }` - `history: array of { timePeriod, avgMs, deltaPct }` - `timePeriod: AggregateTimePeriod` - `avgMs: optional number` - `deltaPct: optional number` - `avgMs: optional number` - `overTime: optional { timePeriod, values }` - `timePeriod: AggregateTimePeriod` - `values: array of { avgMs, timestamp }` - `avgMs: number` - `timestamp: string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/tests/overview \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "overviewMetrics": { "testsTotal": 0, "avgHttpAvailabilityPct": 0, "avgTracerouteAvailabilityPct": 0 }, "tests": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created": "created", "description": "description", "enabled": true, "host": "host", "interval": "interval", "kind": "http", "name": "name", "updated": "updated", "httpResults": { "resourceFetchTime": { "history": [ { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, 
                "deltaPct": 0
              }
            ],
            "avgMs": 0,
            "overTime": {
              "timePeriod": { "units": "hours", "value": 0 },
              "values": [ { "avgMs": 0, "timestamp": "timestamp" } ]
            }
          }
        },
        "httpResultsByColo": [
          {
            "colo": "SJC",
            "resourceFetchTime": {
              "history": [
                { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 }
              ],
              "avgMs": 0,
              "overTime": {
                "timePeriod": { "units": "hours", "value": 0 },
                "values": [ { "avgMs": 0, "timestamp": "timestamp" } ]
              }
            }
          }
        ],
        "method": "method",
        "target_policies": [
          { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }
        ],
        "targeted": true,
        "tracerouteResults": {
          "roundTripTime": {
            "history": [
              { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 }
            ],
            "avgMs": 0,
            "overTime": {
              "timePeriod": { "units": "hours", "value": 0 },
              "values": [ { "avgMs": 0, "timestamp": "timestamp" } ]
            }
          }
        },
        "tracerouteResultsByColo": [
          {
            "colo": "SJC",
            "roundTripTime": {
              "history": [
                { "timePeriod": { "units": "hours", "value": 0 }, "avgMs": 0, "deltaPct": 0 }
              ],
              "avgMs": 0,
              "overTime": {
                "timePeriod": { "units": "hours", "value": 0 },
                "values": [ { "avgMs": 0, "timestamp": "timestamp" } ]
              }
            }
          }
        ]
      }
    ]
  }
}
```

## Domain Types

### Aggregate Time Period

- `AggregateTimePeriod { units, value }`
  - `units: "hours" or "days" or "testRuns"`
    - `"hours"`
    - `"days"`
    - `"testRuns"`
  - `value: number`

### Tests

- `Tests { overviewMetrics, tests }`
  - `overviewMetrics: { testsTotal, avgHttpAvailabilityPct, avgTracerouteAvailabilityPct }`
    - `testsTotal: number` Number of tests.
    - `avgHttpAvailabilityPct: optional number` Percentage availability for all HTTP test results in the response.
    - `avgTracerouteAvailabilityPct: optional number` Percentage availability for all traceroute results in the response.
  - `tests: array of { id, created, description, 13 more }` Array of test result objects.
    - `id: string` API Resource UUID tag.
    - `created: string` Date the test was created.
    - `description: string` The test description defined during configuration.
    - `enabled: boolean` If true, the test will run on targeted devices; otherwise the test will not run.
    - `host: string`
    - `interval: string` The interval at which the synthetic application test is set to run.
    - `kind: "http" or "traceroute"` Test type, http or traceroute.
      - `"http"`
      - `"traceroute"`
    - `name: string` Name given to this test.
    - `updated: string`
    - `httpResults: optional { resourceFetchTime }`
      - `resourceFetchTime: { history, avgMs, overTime }`
        - `history: array of { timePeriod, avgMs, deltaPct }`
          - `timePeriod: AggregateTimePeriod`
            - `units: "hours" or "days" or "testRuns"`
              - `"hours"`
              - `"days"`
              - `"testRuns"`
            - `value: number`
          - `avgMs: optional number`
          - `deltaPct: optional number`
        - `avgMs: optional number`
        - `overTime: optional { timePeriod, values }`
          - `timePeriod: AggregateTimePeriod`
          - `values: array of { avgMs, timestamp }`
            - `avgMs: number`
            - `timestamp: string`
    - `httpResultsByColo: optional array of { colo, resourceFetchTime }`
      - `colo: string` Cloudflare colo.
      - `resourceFetchTime: { history, avgMs, overTime }`
        - `history: array of { timePeriod, avgMs, deltaPct }`
          - `timePeriod: AggregateTimePeriod`
          - `avgMs: optional number`
          - `deltaPct: optional number`
        - `avgMs: optional number`
        - `overTime: optional { timePeriod, values }`
          - `timePeriod: AggregateTimePeriod`
          - `values: array of { avgMs, timestamp }`
            - `avgMs: number`
            - `timestamp: string`
    - `method: optional string` For HTTP tests, the method to use when running the test.
    - `target_policies: optional array of DigitalExperienceMonitor`
      - `id: string` API Resource UUID tag.
      - `default: boolean` Whether the policy is the default for the account.
      - `name: string`
    - `targeted: optional boolean`
    - `tracerouteResults: optional { roundTripTime }`
      - `roundTripTime: { history, avgMs, overTime }`
        - `history: array of { timePeriod, avgMs, deltaPct }`
          - `timePeriod: AggregateTimePeriod`
          - `avgMs: optional number`
          - `deltaPct: optional number`
        - `avgMs: optional number`
        - `overTime: optional { timePeriod, values }`
          - `timePeriod: AggregateTimePeriod`
          - `values: array of { avgMs, timestamp }`
            - `avgMs: number`
            - `timestamp: string`
    - `tracerouteResultsByColo: optional array of { colo, roundTripTime }`
      - `colo: string` Cloudflare colo.
      - `roundTripTime: { history, avgMs, overTime }`
        - `history: array of { timePeriod, avgMs, deltaPct }`
          - `timePeriod: AggregateTimePeriod`
          - `avgMs: optional number`
          - `deltaPct: optional number`
        - `avgMs: optional number`
        - `overTime: optional { timePeriod, values }`
          - `timePeriod: AggregateTimePeriod`
          - `values: array of { avgMs, timestamp }`
            - `avgMs: number`
            - `timestamp: string`

# Unique Devices

## Get count of devices targeted

**get** `/accounts/{account_id}/dex/tests/unique-devices`

Returns the unique count of devices that have run synthetic application monitoring tests in the past 7 days.

### Path Parameters

- `account_id: string`

### Query Parameters

- `deviceId: optional array of string` Optionally filter result stats to one or more specific devices. Cannot be used in combination with the colo param.
- `testName: optional string` Optionally filter results by test name.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional UniqueDevices`
  - `uniqueDevicesTotal: number` Total number of unique devices.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/tests/unique-devices \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "uniqueDevicesTotal": 0
  }
}
```

## Domain Types

### Unique Devices

- `UniqueDevices { uniqueDevicesTotal }`
  - `uniqueDevicesTotal: number` Total number of unique devices.

# Traceroute Test Results

# Network Path

## Get details for a specific traceroute test run

**get** `/accounts/{account_id}/dex/traceroute-test-results/{test_result_id}/network-path`

Get a breakdown of hops and performance metrics for a specific traceroute test run.

### Path Parameters

- `account_id: string`
- `test_result_id: string` API Resource UUID tag.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { hops, resultId, deviceName, 2 more }`
  - `hops: array of { ttl, asn, aso, 6 more }` An array of the hops taken by the device to reach the end destination.
    - `ttl: number`
    - `asn: optional number`
    - `aso: optional string`
    - `ipAddress: optional string`
    - `location: optional { city, state, zip }`
      - `city: optional string`
      - `state: optional string`
      - `zip: optional string`
    - `mile: optional "client-to-app" or "client-to-cf-egress" or "client-to-cf-ingress" or "client-to-isp"`
      - `"client-to-app"`
      - `"client-to-cf-egress"`
      - `"client-to-cf-ingress"`
      - `"client-to-isp"`
    - `name: optional string`
    - `packetLossPct: optional number`
    - `rttMs: optional number`
  - `resultId: string` API Resource UUID tag.
  - `deviceName: optional string` Name of the device associated with this network path response.
  - `testId: optional string` API Resource UUID tag.
  - `testName: optional string` Name of the traceroute test.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/traceroute-test-results/$TEST_RESULT_ID/network-path \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "hops": [
      {
        "ttl": 0,
        "asn": 0,
        "aso": "aso",
        "ipAddress": "ipAddress",
        "location": { "city": "city", "state": "state", "zip": "zip" },
        "mile": "client-to-app",
        "name": "name",
        "packetLossPct": 0,
        "rttMs": 0
      }
    ],
    "resultId": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "deviceName": "deviceName",
    "testId": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "testName": "testName"
  }
}
```

## Domain Types

### Network Path Get Response

- `NetworkPathGetResponse { hops, resultId, deviceName, 2 more }`
  - `hops: array of { ttl, asn, aso, 6 more }` An array of the hops taken by the device to reach the end destination.
    - `ttl: number`
    - `asn: optional number`
    - `aso: optional string`
    - `ipAddress: optional string`
    - `location: optional { city, state, zip }`
      - `city: optional string`
      - `state: optional string`
      - `zip: optional string`
    - `mile: optional "client-to-app" or "client-to-cf-egress" or "client-to-cf-ingress" or "client-to-isp"`
      - `"client-to-app"`
      - `"client-to-cf-egress"`
      - `"client-to-cf-ingress"`
      - `"client-to-isp"`
    - `name: optional string`
    - `packetLossPct: optional number`
    - `rttMs: optional number`
  - `resultId: string` API Resource UUID tag.
  - `deviceName: optional string` Name of the device associated with this network path response.
  - `testId: optional string` API Resource UUID tag.
  - `testName: optional string` Name of the traceroute test.

# Traceroute Tests

## Get details and aggregate metrics for a traceroute test

**get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}`

Get test details and aggregate performance metrics for a traceroute test over a given time period of between 1 hour and 7 days.

### Path Parameters

- `account_id: string`
- `test_id: string` API Resource UUID tag.

### Query Parameters

- `from: string` Start time for aggregate metrics in ISO ms.
- `interval: "minute" or "hour"` Time interval for aggregate time slots.
  - `"minute"`
  - `"hour"`
- `to: string` End time for aggregate metrics in ISO ms.
- `colo: optional string` Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with the deviceId param.
- `deviceId: optional array of string` Optionally filter result stats to one or more specific devices. Cannot be used in combination with the colo param.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Traceroute`
  - `host: string` The host of the Traceroute synthetic application test.
  - `interval: string` The interval at which the Traceroute synthetic application test is set to run.
  - `kind: "traceroute"`
    - `"traceroute"`
  - `name: string` The name of the Traceroute synthetic application test.
  - `target_policies: optional array of DigitalExperienceMonitor`
    - `id: string` API Resource UUID tag.
    - `default: boolean` Whether the policy is the default for the account.
    - `name: string`
  - `targeted: optional boolean`
  - `tracerouteStats: optional { availabilityPct, hopsCount, packetLossPct, 2 more }`
    - `availabilityPct: { slots, avg, max, min }`
      - `slots: array of { timestamp, value }`
        - `timestamp: string`
        - `value: number`
      - `avg: optional number` Average observed in the time period.
      - `max: optional number` Highest observed in the time period.
      - `min: optional number` Lowest observed in the time period.
    - `hopsCount: TestStatOverTime`
      - `slots: array of { timestamp, value }`
        - `timestamp: string`
        - `value: number`
      - `avg: optional number` Average observed in the time period.
      - `max: optional number` Highest observed in the time period.
      - `min: optional number` Lowest observed in the time period.
    - `packetLossPct: { slots, avg, max, min }`
      - `slots: array of { timestamp, value }`
        - `timestamp: string`
        - `value: number`
      - `avg: optional number` Average observed in the time period.
      - `max: optional number` Highest observed in the time period.
      - `min: optional number` Lowest observed in the time period.
    - `roundTripTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period.
  - `tracerouteStatsByColo: optional array of { availabilityPct, colo, hopsCount, 3 more }`
    - `availabilityPct: { slots, avg, max, min }`
      - `slots: array of { timestamp, value }`
        - `timestamp: string`
        - `value: number`
      - `avg: optional number` Average observed in the time period.
      - `max: optional number` Highest observed in the time period.
      - `min: optional number` Lowest observed in the time period.
    - `colo: string`
    - `hopsCount: TestStatOverTime`
    - `packetLossPct: { slots, avg, max, min }`
      - `slots: array of { timestamp, value }`
        - `timestamp: string`
        - `value: number`
      - `avg: optional number` Average observed in the time period.
      - `max: optional number` Highest observed in the time period.
      - `min: optional number` Lowest observed in the time period.
    - `roundTripTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/traceroute-tests/$TEST_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "host": "1.1.1.1",
    "interval": "0h5m0s",
    "kind": "traceroute",
    "name": "Atlassian Sign In Page",
    "target_policies": [
      { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "default": true, "name": "name" }
    ],
    "targeted": true,
    "tracerouteStats": {
      "availabilityPct": {
        "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ],
        "avg": 0,
        "max": 0,
        "min": 0
      },
      "hopsCount": {
        "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ],
        "avg": 0,
        "max": 0,
        "min": 0
      },
      "packetLossPct": {
        "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ],
        "avg": 0,
        "max": 0,
        "min": 0
      },
      "roundTripTimeMs": {
        "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ],
        "avg": 0,
        "max": 0,
        "min": 0
      },
      "uniqueDevicesTotal": 57
    },
    "tracerouteStatsByColo": [
      {
        "availabilityPct": {
          "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ],
          "avg": 0,
          "max": 0,
          "min": 0
        },
        "colo": "DFW",
        "hopsCount": {
          "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ],
          "avg": 0,
          "max": 0,
          "min": 0
        },
        "packetLossPct": {
          "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ],
          "avg": 0,
          "max": 0,
          "min": 0
        },
        "roundTripTimeMs": {
          "slots": [ { "timestamp": "2023-07-16 15:00:00+00", "value": 0 } ],
          "avg": 0,
          "max": 0,
          "min": 0
        },
        "uniqueDevicesTotal": 57
      }
    ]
  }
}
```

## Get percentiles for a traceroute test

**get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}/percentiles`

Get percentiles for a traceroute test over a given time period of between 1 hour and 7 days.

### Path Parameters

- `account_id: string`
- `test_id: string` API Resource UUID tag.

### Query Parameters

- `from: string` Start time for the query in ISO (RFC3339 - ISO 8601) format.
- `to: string` End time for the query in ISO (RFC3339 - ISO 8601) format.
- `colo: optional string` Optionally filter result stats to a Cloudflare colo. Cannot be used in combination with the deviceId param.
- `deviceId: optional array of string` Optionally filter result stats to one or more specific devices. Cannot be used in combination with the colo param.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { hopsCount, packetLossPct, roundTripTimeMs }`
  - `hopsCount: optional Percentiles`
    - `p50: optional number` p50 observed in the time period.
    - `p90: optional number` p90 observed in the time period.
    - `p95: optional number` p95 observed in the time period.
    - `p99: optional number` p99 observed in the time period.
  - `packetLossPct: optional Percentiles`
  - `roundTripTimeMs: optional Percentiles`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/traceroute-tests/$TEST_ID/percentiles \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "hopsCount": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 },
    "packetLossPct": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 },
    "roundTripTimeMs": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }
  }
}
```

## Get network path breakdown for a traceroute test

**get** `/accounts/{account_id}/dex/traceroute-tests/{test_id}/network-path`

Get a breakdown of metrics by hop for individual traceroute test runs.

### Path Parameters

- `account_id: string`
- `test_id: string` API Resource UUID tag.

### Query Parameters

- `deviceId: string` Device to filter traceroute result runs to.
- `from: string` Start time for aggregate metrics in ISO ms.
- `interval: "minute" or "hour"` Time interval for aggregate time slots.
  - `"minute"`
  - `"hour"`
- `to: string` End time for aggregate metrics in ISO ms.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional NetworkPathResponse`
  - `id: string` API Resource UUID tag.
  - `deviceName: optional string`
  - `interval: optional string` The interval at which the Traceroute synthetic application test is set to run.
  - `kind: optional "traceroute"`
    - `"traceroute"`
  - `name: optional string`
  - `networkPath: optional NetworkPath`
    - `slots: array of { id, clientToAppRttMs, clientToCfEgressRttMs, 3 more }`
      - `id: string` API Resource UUID tag.
      - `clientToAppRttMs: number` Round trip time in ms of the client-to-app mile.
      - `clientToCfEgressRttMs: number` Round trip time in ms of the client-to-Cloudflare-egress mile.
      - `clientToCfIngressRttMs: number` Round trip time in ms of the client-to-Cloudflare-ingress mile.
      - `timestamp: string`
      - `clientToIspRttMs: optional number` Round trip time in ms of the client-to-ISP mile.
    - `sampling: optional { unit, value }` Specifies the sampling applied, if any, to the slots response. When sampled, the results shown represent the first test run at the start of each sampling interval.
      - `unit: "hours"`
        - `"hours"`
      - `value: number`
  - `url: optional string` The host of the Traceroute synthetic application test.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/traceroute-tests/$TEST_ID/network-path \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "deviceName": "deviceName",
    "interval": "0h5m0s",
    "kind": "traceroute",
    "name": "name",
    "networkPath": {
      "slots": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "clientToAppRttMs": 0,
          "clientToCfEgressRttMs": 0,
          "clientToCfIngressRttMs": 0,
          "timestamp": "2023-07-16 15:00:00+00",
          "clientToIspRttMs": 0
        }
      ],
      "sampling": { "unit": "hours", "value": 0 }
    },
    "url": "1.1.1.1"
  }
}
```

## Domain Types

### Traceroute

- `Traceroute { host, interval, kind, 5 more }`
  - `host: string` The host of the Traceroute synthetic application test.
  - `interval: string` The interval at which the Traceroute synthetic application test is set to run.
  - `kind: "traceroute"`
    - `"traceroute"`
  - `name: string` The name of the Traceroute synthetic application test.
  - `target_policies: optional array of DigitalExperienceMonitor`
    - `id: string` API Resource UUID tag.
    - `default: boolean` Whether the policy is the default for the account.
    - `name: string`
  - `targeted: optional boolean`
  - `tracerouteStats: optional { availabilityPct, hopsCount, packetLossPct, 2 more }`
    - `availabilityPct: { slots, avg, max, min }`
      - `slots: array of { timestamp, value }`
        - `timestamp: string`
        - `value: number`
      - `avg: optional number` Average observed in the time period.
      - `max: optional number` Highest observed in the time period.
      - `min: optional number` Lowest observed in the time period.
    - `hopsCount: TestStatOverTime`
      - `slots: array of { timestamp, value }`
        - `timestamp: string`
        - `value: number`
      - `avg: optional number` Average observed in the time period.
      - `max: optional number` Highest observed in the time period.
      - `min: optional number` Lowest observed in the time period.
    - `packetLossPct: { slots, avg, max, min }`
      - `slots: array of { timestamp, value }`
        - `timestamp: string`
        - `value: number`
      - `avg: optional number` Average observed in the time period.
      - `max: optional number` Highest observed in the time period.
      - `min: optional number` Lowest observed in the time period.
    - `roundTripTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period.
  - `tracerouteStatsByColo: optional array of { availabilityPct, colo, hopsCount, 3 more }`
    - `availabilityPct: { slots, avg, max, min }`
      - `slots: array of { timestamp, value }`
        - `timestamp: string`
        - `value: number`
      - `avg: optional number` Average observed in the time period.
      - `max: optional number` Highest observed in the time period.
      - `min: optional number` Lowest observed in the time period.
    - `colo: string`
    - `hopsCount: TestStatOverTime`
    - `packetLossPct: { slots, avg, max, min }`
      - `slots: array of { timestamp, value }`
        - `timestamp: string`
        - `value: number`
      - `avg: optional number` Average observed in the time period.
      - `max: optional number` Highest observed in the time period.
      - `min: optional number` Lowest observed in the time period.
    - `roundTripTimeMs: TestStatOverTime`
    - `uniqueDevicesTotal: number` Count of unique devices that have run this test in the given time period.

### Traceroute Test Percentiles Response

- `TracerouteTestPercentilesResponse { hopsCount, packetLossPct, roundTripTimeMs }`
  - `hopsCount: optional Percentiles`
    - `p50: optional number` p50 observed in the time period.
    - `p90: optional number` p90 observed in the time period.
    - `p95: optional number` p95 observed in the time period.
    - `p99: optional number` p99 observed in the time period.
  - `packetLossPct: optional Percentiles`
  - `roundTripTimeMs: optional Percentiles`

# Rules

## Get DEX Rule

**get** `/accounts/{account_id}/dex/rules/{rule_id}`

Get details for a DEX Rule.

### Path Parameters

- `account_id: string`
- `rule_id: string` API Resource UUID tag.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, created_at, match, 4 more }`
  - `id: string` API Resource UUID tag.
  - `created_at: string`
  - `match: string`
  - `name: string`
  - `description: optional string`
  - `targeted_tests: optional array of { data, enabled, name, test_id }`
    - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test.
      - `host: string` The desired endpoint to test.
      - `kind: "http" or "traceroute"` The type of test.
        - `"http"`
        - `"traceroute"`
      - `method: optional "GET"` The HTTP request method type.
- `"GET"` - `enabled: boolean` - `name: string` - `test_id: string` - `updated_at: optional string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/rules/$RULE_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2023-07-16 15:00:00+00", "match": "match", "name": "name", "description": "description", "targeted_tests": [ { "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" }, "enabled": true, "name": "name", "test_id": "test_id" } ], "updated_at": "2023-07-16 15:00:00+00" } } ``` ## Delete a DEX Rule **delete** `/accounts/{account_id}/dex/rules/{rule_id}` Delete a DEX Rule ### Path Parameters - `account_id: string` - `rule_id: string` API Resource UUID tag. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional boolean` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/rules/$RULE_ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": true } ``` ## Update a DEX Rule **patch** `/accounts/{account_id}/dex/rules/{rule_id}` Update a DEX Rule ### Path Parameters - `account_id: string` - `rule_id: string` API Resource UUID tag. ### Body Parameters - `description: optional string` - `match: optional string` The wirefilter expression to match. - `name: optional string` The name of the Rule. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id, created_at, match, 4 more }` - `id: string` API Resource UUID tag. - `created_at: string` - `match: string` - `name: string` - `description: optional string` - `targeted_tests: optional array of { data, enabled, name, test_id }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. 
- `"GET"` - `enabled: boolean` - `name: string` - `test_id: string` - `updated_at: optional string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/rules/$RULE_ID \ -X PATCH \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{}' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2023-07-16 15:00:00+00", "match": "match", "name": "name", "description": "description", "targeted_tests": [ { "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" }, "enabled": true, "name": "name", "test_id": "test_id" } ], "updated_at": "2023-07-16 15:00:00+00" } } ``` ## Create a DEX Rule **post** `/accounts/{account_id}/dex/rules` Create a DEX Rule ### Path Parameters - `account_id: string` ### Body Parameters - `match: string` The wirefilter expression to match. - `name: string` The name of the Rule. - `description: optional string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id, created_at, match, 4 more }` - `id: string` API Resource UUID tag. 
- `created_at: string` - `match: string` - `name: string` - `description: optional string` - `targeted_tests: optional array of { data, enabled, name, test_id }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. - `"GET"` - `enabled: boolean` - `name: string` - `test_id: string` - `updated_at: optional string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/rules \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "match": "match", "name": "name" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2023-07-16 15:00:00+00", "match": "match", "name": "name", "description": "description", "targeted_tests": [ { "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" }, "enabled": true, "name": "name", "test_id": "test_id" } ], "updated_at": "2023-07-16 15:00:00+00" } } ``` ## List DEX Rules **get** `/accounts/{account_id}/dex/rules` List DEX Rules ### Path Parameters - `account_id: string` ### Query Parameters - `page: number` Page number of paginated results - `per_page: number` Number of items per page - `name: optional string` Filter results by rule name - `sort_by: optional "name" or "created_at" or "updated_at"` Which property to sort results by - `"name"` - `"created_at"` - `"updated_at"` - `sort_order: optional "ASC" or "DESC"` Sort direction for sort_by property - `"ASC"` 
- `"DESC"` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { rules }` - `rules: optional array of { id, created_at, match, 4 more }` - `id: string` API Resource UUID tag. - `created_at: string` - `match: string` - `name: string` - `description: optional string` - `targeted_tests: optional array of { data, enabled, name, test_id }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. - `"GET"` - `enabled: boolean` - `name: string` - `test_id: string` - `updated_at: optional string` - `result_info: optional { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dex/rules \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "rules": [ { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2023-07-16 15:00:00+00", "match": "match", "name": "name", "description": "description", "targeted_tests": [ { "data": { "host": "https://dash.cloudflare.com", "kind": "http", "method": "GET" }, "enabled": true, "name": "name", "test_id": "test_id" } ], "updated_at": "2023-07-16 15:00:00+00" } ] }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Rule Get Response - `RuleGetResponse { id, created_at, match, 4 more }` - `id: string` API Resource UUID tag. - `created_at: string` - `match: string` - `name: string` - `description: optional string` - `targeted_tests: optional array of { data, enabled, name, test_id }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. - `"GET"` - `enabled: boolean` - `name: string` - `test_id: string` - `updated_at: optional string` ### Rule Delete Response - `RuleDeleteResponse = boolean` ### Rule Update Response - `RuleUpdateResponse { id, created_at, match, 4 more }` - `id: string` API Resource UUID tag. 
- `created_at: string` - `match: string` - `name: string` - `description: optional string` - `targeted_tests: optional array of { data, enabled, name, test_id }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. - `"GET"` - `enabled: boolean` - `name: string` - `test_id: string` - `updated_at: optional string` ### Rule Create Response - `RuleCreateResponse { id, created_at, match, 4 more }` - `id: string` API Resource UUID tag. - `created_at: string` - `match: string` - `name: string` - `description: optional string` - `targeted_tests: optional array of { data, enabled, name, test_id }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. - `"GET"` - `enabled: boolean` - `name: string` - `test_id: string` - `updated_at: optional string` ### Rule List Response - `RuleListResponse { rules }` - `rules: optional array of { id, created_at, match, 4 more }` - `id: string` API Resource UUID tag. - `created_at: string` - `match: string` - `name: string` - `description: optional string` - `targeted_tests: optional array of { data, enabled, name, test_id }` - `data: { host, kind, method }` The configuration object which contains the details for the WARP client to conduct the test. - `host: string` The desired endpoint to test. - `kind: "http" or "traceroute"` The type of test. - `"http"` - `"traceroute"` - `method: optional "GET"` The HTTP request method type. 
      - `"GET"`
    - `enabled: boolean`
    - `name: string`
    - `test_id: string`
  - `updated_at: optional string`

# Tunnels

## List All Tunnels

**get** `/accounts/{account_id}/tunnels`

Lists and filters all types of Tunnels in an account.

### Path Parameters

- `account_id: string` Cloudflare account ID

### Query Parameters

- `exclude_prefix: optional string`
- `existed_at: optional string` If provided, include only resources that were created (and not deleted) before this time. URL encoded.
- `include_prefix: optional string`
- `is_deleted: optional boolean` If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included.
- `name: optional string` A user-friendly name for the tunnel.
- `page: optional number` Page number of paginated results.
- `per_page: optional number` Number of results to display.
- `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare edge).
  - `"inactive"`
  - `"degraded"`
  - `"healthy"`
  - `"down"`
- `tun_types: optional array of "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The types of tunnels to filter by, separated by commas.
  - `"cfd_tunnel"`
  - `"warp_connector"`
  - `"warp"`
  - `"magic"`
  - `"ip_sec"`
  - `"gre"`
  - `"cni"`
- `uuid: optional string` UUID of the tunnel.
- `was_active_at: optional string` - `was_inactive_at: optional string` ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: array of CloudflareTunnel or { id, account_tag, connections, 8 more }` - `CloudflareTunnel { id, account_tag, config_src, 10 more }` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `id: optional string` UUID of the tunnel. - `account_tag: optional string` Cloudflare account ID - `config_src: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. 
- `uuid: optional string` UUID of the Cloudflare Tunnel connection. - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: optional unknown` Metadata associated with the tunnel. - `name: optional string` A user-friendly name for a tunnel. - `remote_config: optional boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` - `TunnelWARPConnectorTunnel { id, account_tag, connections, 8 more }` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: optional string` UUID of the tunnel. - `account_tag: optional string` Cloudflare account ID - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. 
- `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: optional unknown` Metadata associated with the tunnel. - `name: optional string` A user-friendly name for a tunnel. - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel. 
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/tunnels \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "account_tag": "699d98642c564d2e855e9661899b7252",
      "config_src": "cloudflare",
      "connections": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "conns_active_at": "2009-11-10T23:00:00Z",
      "conns_inactive_at": "2009-11-10T23:00:00Z",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "metadata": {},
      "name": "blog",
      "remote_config": true,
      "status": "healthy",
      "tun_type": "cfd_tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### Connection

- `Connection { colo_name, is_pending_reconnect, uuid }`
  - `colo_name: optional string` The Cloudflare data center used for this connection.
- `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. ### Tunnel List Response - `TunnelListResponse = CloudflareTunnel or { id, account_tag, connections, 8 more }` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `CloudflareTunnel { id, account_tag, config_src, 10 more }` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `id: optional string` UUID of the tunnel. - `account_tag: optional string` Cloudflare account ID - `config_src: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. 
- `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: optional unknown` Metadata associated with the tunnel. - `name: optional string` A user-friendly name for a tunnel. - `remote_config: optional boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` - `TunnelWARPConnectorTunnel { id, account_tag, connections, 8 more }` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: optional string` UUID of the tunnel. 
- `account_tag: optional string` Cloudflare account ID - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: optional unknown` Metadata associated with the tunnel. - `name: optional string` A user-friendly name for a tunnel. - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. 
    Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

# Cloudflared

## List Cloudflare Tunnels

**get** `/accounts/{account_id}/cfd_tunnel`

Lists and filters Cloudflare Tunnels in an account.

### Path Parameters

- `account_id: string` Cloudflare account ID

### Query Parameters

- `exclude_prefix: optional string`
- `existed_at: optional string` If provided, include only resources that were created (and not deleted) before this time. URL encoded.
- `include_prefix: optional string`
- `is_deleted: optional boolean` If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included.
- `name: optional string` A user-friendly name for a tunnel.
- `page: optional number` Page number of paginated results.
- `per_page: optional number` Number of results to display.
- `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel cannot serve traffic as it has no connections to the Cloudflare edge).
  - `"inactive"`
  - `"degraded"`
  - `"healthy"`
  - `"down"`
- `uuid: optional string` UUID of the tunnel.
- `was_active_at: optional string` - `was_inactive_at: optional string` ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: array of CloudflareTunnel` - `id: optional string` UUID of the tunnel. - `account_tag: optional string` Cloudflare account ID - `config_src: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. 
If `null`, the tunnel is inactive. - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: optional unknown` Metadata associated with the tunnel. - `name: optional string` A user-friendly name for a tunnel. - `remote_config: optional boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel. 
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
- `success: true` Whether the API call was successful.
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "account_tag": "699d98642c564d2e855e9661899b7252",
      "config_src": "cloudflare",
      "connections": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "conns_active_at": "2009-11-10T23:00:00Z",
      "conns_inactive_at": "2009-11-10T23:00:00Z",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "metadata": {},
      "name": "blog",
      "remote_config": true,
      "status": "healthy",
      "tun_type": "cfd_tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a Cloudflare Tunnel

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}`

Fetches a single Cloudflare Tunnel.
### Path Parameters - `account_id: string` Cloudflare account ID - `tunnel_id: string` UUID of the tunnel. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: CloudflareTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `id: optional string` UUID of the tunnel. - `account_tag: optional string` Cloudflare account ID - `config_src: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. 
- `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: optional unknown` Metadata associated with the tunnel. - `name: optional string` A user-friendly name for a tunnel. - `remote_config: optional boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel. 
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
- `success: true` Whether the API call was successful.
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "config_src": "cloudflare",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "remote_config": true,
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Create a Cloudflare Tunnel

**post** `/accounts/{account_id}/cfd_tunnel`

Creates a new Cloudflare Tunnel in an account.

### Path Parameters

- `account_id: string` Cloudflare account ID

### Body Parameters

- `name: string` A user-friendly name for a tunnel.
- `config_src: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard.
  - `"local"`
  - `"cloudflare"`
- `tunnel_secret: optional string` Sets the password required to run a locally-managed tunnel.
Must be at least 32 bytes and encoded as a base64 string. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: CloudflareTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `id: optional string` UUID of the tunnel. - `account_tag: optional string` Cloudflare account ID - `config_src: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. 
- `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: optional unknown` Metadata associated with the tunnel. - `name: optional string` A user-friendly name for a tunnel. - `remote_config: optional boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel. 
- `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` - `success: true` Whether the API call was successful - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "name": "blog", "config_src": "cloudflare", "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "account_tag": "699d98642c564d2e855e9661899b7252", "config_src": "cloudflare", "connections": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "conns_active_at": "2009-11-10T23:00:00Z", "conns_inactive_at": "2009-11-10T23:00:00Z", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "metadata": {}, "name": "blog", "remote_config": true, "status": "healthy", "tun_type": "cfd_tunnel" }, "success": true } ``` ## Update a Cloudflare Tunnel **patch** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}` Updates an existing Cloudflare Tunnel. ### Path Parameters - `account_id: string` Cloudflare account ID - `tunnel_id: string` UUID of the tunnel. ### Body Parameters - `name: optional string` A user-friendly name for a tunnel. - `tunnel_secret: optional string` Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string. 
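A worked example for the `tunnel_secret` parameter used by the create call above and the update call here, added for this page and not taken from Cloudflare's documentation or code: it draws a secret from the OS CSPRNG, enforces the 32-byte/base64 constraint on any candidate secret before it goes in a request, builds the create body, and pairs the returned tunnel `id` and `account_tag` with the secret in a credentials file written with mode 0600. The API never returns the secret, so it has to be captured at creation time. The credentials-file key names (`AccountTag`, `TunnelID`, `TunnelSecret`) are the layout a locally-managed cloudflared reads and are an assumption, not something this page documents. Note that the placeholder secret in the examples above decodes to the bytes 01 through 08 repeated; it is a schema placeholder, never a value to reuse.

```python
"""Generate and validate a Cloudflare Tunnel `tunnel_secret`, and turn the
create-tunnel response into a locally-managed cloudflared credentials file.
Added example, not Cloudflare's code."""
import base64
import binascii
import json
import os
import secrets
import tempfile

MIN_SECRET_BYTES = 32  # the API's minimum for tunnel_secret


def make_tunnel_secret(n_bytes: int = MIN_SECRET_BYTES) -> str:
    """Return a fresh secret from the OS CSPRNG, base64-encoded as the API expects."""
    if n_bytes < MIN_SECRET_BYTES:
        raise ValueError(f"tunnel_secret must be at least {MIN_SECRET_BYTES} bytes")
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def validate_tunnel_secret(secret_b64: str) -> bytes:
    """Decode a candidate tunnel_secret and enforce the API's constraints.

    Returns the raw bytes on success and raises ValueError otherwise.
    validate=True rejects non-base64 characters instead of silently dropping them.
    """
    try:
        raw = base64.b64decode(secret_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"tunnel_secret is not valid base64: {exc}") from exc
    if len(raw) < MIN_SECRET_BYTES:
        raise ValueError(
            f"tunnel_secret decodes to {len(raw)} bytes; need at least {MIN_SECRET_BYTES}"
        )
    return raw


def create_tunnel_body(name: str, secret_b64: str, remote: bool = True) -> dict:
    """Build the JSON body for POST /accounts/{account_id}/cfd_tunnel."""
    validate_tunnel_secret(secret_b64)
    return {
        "name": name,
        "config_src": "cloudflare" if remote else "local",
        "tunnel_secret": secret_b64,
    }


def credentials_from_response(create_resp: dict, secret_b64: str) -> dict:
    """Pair the create response with the secret, which the API never echoes back.

    The key names AccountTag / TunnelID / TunnelSecret are cloudflared's
    credentials-file layout: an assumption, not described on this page.
    """
    if not create_resp.get("success"):
        raise RuntimeError(f"create failed: {create_resp.get('errors')}")
    result = create_resp["result"]
    return {
        "AccountTag": result["account_tag"],
        "TunnelID": result["id"],
        "TunnelSecret": secret_b64,
    }


def write_credentials(path: str, creds: dict) -> int:
    """Write the credentials file readable by its owner only; return the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(creds, fh)
    os.chmod(path, 0o600)  # in case the file pre-existed with looser permissions
    return os.stat(path).st_mode & 0o777


# Constructed sample response in the shape of the create example above.
SAMPLE_CREATE_RESPONSE = {
    "success": True,
    "errors": [],
    "result": {
        "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
        "account_tag": "699d98642c564d2e855e9661899b7252",
        "config_src": "local",
        "status": "inactive",
    },
}

if __name__ == "__main__":
    secret = make_tunnel_secret()
    print(json.dumps(create_tunnel_body("blog", secret, remote=False)))
    creds = credentials_from_response(SAMPLE_CREATE_RESPONSE, secret)
    with tempfile.TemporaryDirectory() as d:
        mode = write_credentials(os.path.join(d, creds["TunnelID"] + ".json"), creds)
        print(f"wrote credentials with mode {mode:o}")
```

Rotating the secret through the PATCH call above invalidates the credentials file on every host running that tunnel, so treat a rotation as a coordinated redeploy rather than a one-line change.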
### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: CloudflareTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `id: optional string` UUID of the tunnel. - `account_tag: optional string` Cloudflare account ID - `config_src: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. 
- `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: optional unknown` Metadata associated with the tunnel. - `name: optional string` A user-friendly name for a tunnel. - `remote_config: optional boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel. 
- `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` - `success: true` Whether the API call was successful - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \ -X PATCH \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "name": "blog", "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg=" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "account_tag": "699d98642c564d2e855e9661899b7252", "config_src": "cloudflare", "connections": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "conns_active_at": "2009-11-10T23:00:00Z", "conns_inactive_at": "2009-11-10T23:00:00Z", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "metadata": {}, "name": "blog", "remote_config": true, "status": "healthy", "tun_type": "cfd_tunnel" }, "success": true } ``` ## Delete a Cloudflare Tunnel **delete** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}` Deletes a Cloudflare Tunnel from an account. ### Path Parameters - `account_id: string` Cloudflare account ID - `tunnel_id: string` UUID of the tunnel. 
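An added monitoring example, not Cloudflare's code, for the `connections` array of the tunnel object these create, update and delete calls return. Anyone holding the tunnel credentials or token can run a connector, so a connector whose `origin_ip` is outside the hosts you operate, more distinct `client_id` values than connectors you deployed, or an outdated `client_version` are the things worth alerting on. Connections with `is_pending_reconnect: true` are skipped because they are no longer serving traffic. The sample tunnel, allow-list, minimum version and the second connector's UUIDs are constructed for the example.

```python
"""Audit the connectors reported in a Cloudflare Tunnel object's `connections`
array.  Added example, not Cloudflare's code."""
import ipaddress
from datetime import datetime


def parse_ts(ts: str) -> datetime:
    """Parse the API's RFC 3339 timestamps (trailing Z, optional fractional seconds)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def version_key(v: str) -> tuple:
    """cloudflared versions are date based, e.g. 2022.7.1 -> (2022, 7, 1)."""
    return tuple(int(p) for p in v.split("."))


def live_connections(tunnel: dict) -> list:
    """Connections actually serving traffic; pending-reconnect ones are only being tracked."""
    return [c for c in tunnel.get("connections") or [] if not c.get("is_pending_reconnect")]


def audit_tunnel(tunnel: dict, allowed_origins: list, min_version: str, max_connectors: int) -> list:
    """Return findings as dicts {"check", "severity", "message"}."""
    findings = []

    def add(check, severity, message):
        findings.append({"check": check, "severity": severity, "message": message})

    allowed = [ipaddress.ip_network(n) for n in allowed_origins]
    live = live_connections(tunnel)
    status = tunnel.get("status")

    if status in ("down", "inactive"):
        add("not-serving", "warn", f"tunnel {tunnel.get('id')} status is {status}")
    elif status == "healthy" and not live:
        add("stale-status", "info", "status is healthy but no connection is serving traffic")

    for c in live:
        ip = ipaddress.ip_address(c["origin_ip"])
        opened = parse_ts(c["opened_at"])
        if not any(ip in net for net in allowed):
            add("unexpected-origin", "high",
                f"connector {c['client_id']} connected from {ip} via {c['colo_name']} "
                f"at {opened.isoformat()}; not one of our hosts (leaked credentials or token?)")
        if version_key(c["client_version"]) < version_key(min_version):
            add("outdated-client", "medium",
                f"connector {c['client_id']} runs cloudflared {c['client_version']} < {min_version}")

    # One connector (client_id) normally holds several connections to different colos,
    # so count connectors, not connections.
    connectors = {c["client_id"] for c in live}
    if len(connectors) > max_connectors:
        add("too-many-connectors", "medium",
            f"{len(connectors)} distinct connectors serving, expected at most {max_connectors}")
    return findings


# Constructed sample in the shape of the responses above: the first connector matches the
# page's example; the second connection is its pending-reconnect sibling; the third (the
# all-zero-prefixed UUID) is an invented rogue connector on a TEST-NET address.
SAMPLE_TUNNEL = {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "status": "healthy",
    "connections": [
        {"id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
         "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": False,
         "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137"},
        {"id": "00000000-0000-4000-8000-000000000001", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
         "client_version": "2022.7.1", "colo_name": "ORD", "is_pending_reconnect": True,
         "opened_at": "2021-01-25T18:22:35.000000Z", "origin_ip": "10.1.0.137"},
        {"id": "00000000-0000-4000-8000-000000000002", "client_id": "00000000-0000-4000-8000-000000000002",
         "client_version": "2021.1.0", "colo_name": "AMS", "is_pending_reconnect": False,
         "opened_at": "2021-01-25T19:02:11.000000Z", "origin_ip": "203.0.113.7"},
    ],
}

if __name__ == "__main__":
    for f in audit_tunnel(SAMPLE_TUNNEL, ["10.1.0.0/24"], "2022.7.0", max_connectors=1):
        print(f"[{f['severity']}] {f['check']}: {f['message']}")
```

Run this against the GET tunnel response on a schedule; an `unexpected-origin` finding is the cue to rotate `tunnel_secret` via the PATCH call above and redeploy the legitimate connectors.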
### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: CloudflareTunnel` A Cloudflare Tunnel that connects your origin to Cloudflare's edge. - `id: optional string` UUID of the tunnel. - `account_tag: optional string` Cloudflare account ID - `config_src: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. 
- `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: optional unknown` Metadata associated with the tunnel. - `name: optional string` A user-friendly name for a tunnel. - `remote_config: optional boolean` If `true`, the tunnel can be configured remotely from the Zero Trust dashboard. If `false`, the tunnel must be configured locally on the origin machine. - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel. 
- `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` - `success: true` Whether the API call was successful - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "account_tag": "699d98642c564d2e855e9661899b7252", "config_src": "cloudflare", "connections": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "conns_active_at": "2009-11-10T23:00:00Z", "conns_inactive_at": "2009-11-10T23:00:00Z", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "metadata": {}, "name": "blog", "remote_config": true, "status": "healthy", "tun_type": "cfd_tunnel" }, "success": true } ``` # Configurations ## Get configuration **get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations` Gets the configuration for a remotely-managed tunnel ### Path Parameters - `account_id: string` Identifier. - `tunnel_id: string` UUID of the tunnel. 
### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { account_id, config, created_at, 3 more }` Cloudflare Tunnel configuration - `account_id: optional string` Identifier. - `config: optional { ingress, originRequest }` The tunnel configuration and ingress rules. - `ingress: optional array of { hostname, service, originRequest, path }` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. - `hostname: string` Public hostname for this service. - `service: string` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'. - `originRequest: optional { access, caPool, connectTimeout, 12 more }` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access: optional { audTag, teamName, required }` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `audTag: array of string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `teamName: string` - `required: optional boolean` Deny traffic that has not fulfilled Access authorization. - `caPool: optional string` Path to the certificate authority (CA) for the certificate of your origin. 
This option should be used only if your certificate is not signed by Cloudflare. - `connectTimeout: optional number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disableChunkedEncoding: optional boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2Origin: optional boolean` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `httpHostHeader: optional string` Sets the HTTP Host header on requests sent to the local service. - `keepAliveConnections: optional number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keepAliveTimeout: optional number` Timeout after which an idle keepalive connection can be discarded. - `matchSNItoHost: optional boolean` Auto configure the Hostname on the origin server certificate. - `noHappyEyeballs: optional boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `noTLSVerify: optional boolean` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `originServerName: optional string` Hostname that cloudflared should expect from your origin server certificate. - `proxyType: optional string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcpKeepAlive: optional number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tlsTimeout: optional number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. 
- `path: optional string` Requests with this path route to this public hostname. - `originRequest: optional { access, caPool, connectTimeout, 12 more }` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access: optional { audTag, teamName, required }` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `audTag: array of string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `teamName: string` - `required: optional boolean` Deny traffic that has not fulfilled Access authorization. - `caPool: optional string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connectTimeout: optional number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disableChunkedEncoding: optional boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2Origin: optional boolean` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `httpHostHeader: optional string` Sets the HTTP Host header on requests sent to the local service. - `keepAliveConnections: optional number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keepAliveTimeout: optional number` Timeout after which an idle keepalive connection can be discarded. - `matchSNItoHost: optional boolean` Auto configure the Hostname on the origin server certificate. - `noHappyEyeballs: optional boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. 
- `noTLSVerify: optional boolean` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `originServerName: optional string` Hostname that cloudflared should expect from your origin server certificate. - `proxyType: optional string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcpKeepAlive: optional number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tlsTimeout: optional number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `created_at: optional string` - `source: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard. - `"local"` - `"cloudflare"` - `tunnel_id: optional string` UUID of the tunnel. - `version: optional number` The version of the Tunnel Configuration. 
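An added audit, not Cloudflare's or cloudflared's code, over the `config` object described above for Get configuration and used unchanged by Put configuration below. It merges the top-level `originRequest` defaults with each rule's overrides and flags: `noTLSVerify` (any origin certificate is accepted, so the connector-to-origin hop can be intercepted), a `caPool` that `noTLSVerify` silently overrides, public hostnames without `access.required` (the connector then does not validate `Cf-Access-Jwt-Assertion`, which matters most for ssh://, rdp://, tcp:// and smb:// services), `access.required` without an `audTag` to check the token audience against, and a final ingress rule that is not a catch-all. The rule-beats-defaults precedence and the catch-all requirement are cloudflared behaviour assumed here rather than stated on this page. `harden()` returns the corrected configuration; the sample config mirrors the page's example and the audience tag it uses is a placeholder.

```python
"""Audit a remotely-managed Cloudflare Tunnel configuration for weak origin
settings.  Added example, not Cloudflare's or cloudflared's code."""
import copy

# Services for which a missing Access check exposes more than a web page.
NON_HTTP_SCHEMES = ("ssh://", "rdp://", "tcp://", "smb://", "unix://", "unix+tls://")


def effective_origin_request(config: dict, rule: dict) -> dict:
    """Merge the top-level originRequest defaults with the rule's own overrides.
    That precedence (rule beats top level) is cloudflared's behaviour, assumed here."""
    merged = dict(config.get("originRequest") or {})
    merged.update(rule.get("originRequest") or {})
    return merged


def audit_config(config: dict) -> list:
    """Return findings as dicts {"check", "severity", "rule", "message"}."""
    findings = []

    def add(check, severity, rule, message):
        findings.append({"check": check, "severity": severity, "rule": rule, "message": message})

    ingress = config.get("ingress") or []
    if not ingress:
        add("no-ingress", "high", None, "config has no ingress rules")
        return findings

    last = ingress[-1]
    if last.get("hostname") or last.get("path"):
        # Assumption: cloudflared requires the final rule to match every request and
        # rejects a config without one; this API page does not state it.
        add("no-catch-all", "high", len(ingress) - 1,
            "last ingress rule must be a catch-all, e.g. {\"service\": \"http_status:404\"}")

    for i, rule in enumerate(ingress):
        host = rule.get("hostname") or "<catch-all>"
        service = rule.get("service") or ""
        if service.startswith("http_status:"):
            continue  # nothing behind this rule to protect
        orq = effective_origin_request(config, rule)

        if orq.get("noTLSVerify"):
            add("no-tls-verify", "high", i,
                f"{host}: noTLSVerify accepts any origin certificate (origin MITM possible)")
            if orq.get("caPool"):
                add("capool-ignored", "low", i, f"{host}: caPool is set but noTLSVerify overrides it")

        access = orq.get("access") or {}
        if not access.get("required"):
            sev = "high" if service.startswith(NON_HTTP_SCHEMES) else "medium"
            add("access-not-required", sev, i,
                f"{host} -> {service}: connector does not enforce the Cf-Access-Jwt-Assertion header")
        elif not access.get("audTag"):
            add("access-no-audtag", "medium", i,
                f"{host}: access.required is set but no audTag pins the JWT audience")

    if (config.get("warp-routing") or {}).get("enabled"):
        add("warp-routing", "info", None,
            "private network routing is enabled; confirm Gateway network policies cover its routes")
    return findings


def harden(config: dict, aud_tag: str, team_name: str) -> dict:
    """Copy of config with Access enforced on every public hostname, TLS verification on,
    and a catch-all 404 rule appended when the last rule is not one."""
    cfg = copy.deepcopy(config)
    for rule in cfg.get("ingress", []):
        if not rule.get("hostname"):
            continue
        orq = rule.setdefault("originRequest", {})
        orq["noTLSVerify"] = False
        orq["access"] = {"audTag": [aud_tag], "teamName": team_name, "required": True}
    if cfg.get("originRequest"):
        cfg["originRequest"]["noTLSVerify"] = False
    last = cfg["ingress"][-1] if cfg.get("ingress") else None
    if last is None or last.get("hostname") or last.get("path"):
        cfg.setdefault("ingress", []).append({"service": "http_status:404"})
    return cfg


# Constructed sample with the settings of this page's GET example.
PAGE_EXAMPLE_CONFIG = {
    "ingress": [
        {
            "hostname": "tunnel.example.com",
            "service": "https://localhost:8001",
            "originRequest": {
                "access": {"audTag": [], "teamName": "zero-trust-organization-name", "required": False},
                "noTLSVerify": False,
            },
            "path": "subpath",
        }
    ],
    "originRequest": {"noTLSVerify": False},
    "warp-routing": {"enabled": True},
}

if __name__ == "__main__":
    for f in audit_config(PAGE_EXAMPLE_CONFIG):
        print(f"[{f['severity']}] rule={f['rule']} {f['message']}")
    fixed = harden(PAGE_EXAMPLE_CONFIG, "<access-app-aud-placeholder>", "zero-trust-organization-name")
    print("after hardening:", [f["check"] for f in audit_config(fixed)])
```

The `access` block is defence in depth: Cloudflare Access in front of the hostname does the primary enforcement, while `required: true` makes the connector reject requests that somehow reach it without a valid JWT, for example through a misconfigured application or a second tunnel to the same origin.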
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/configurations \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "023e105f4ecef8ad9ca31a8372d0c353", "config": { "ingress": [ { "hostname": "tunnel.example.com", "service": "https://localhost:8001", "originRequest": { "access": { "audTag": [ "string" ], "teamName": "zero-trust-organization-name", "required": false }, "caPool": "caPool", "connectTimeout": 10, "disableChunkedEncoding": true, "http2Origin": true, "httpHostHeader": "httpHostHeader", "keepAliveConnections": 100, "keepAliveTimeout": 90, "matchSNItoHost": false, "noHappyEyeballs": false, "noTLSVerify": false, "originServerName": "originServerName", "proxyType": "proxyType", "tcpKeepAlive": 30, "tlsTimeout": 10 }, "path": "subpath" } ], "originRequest": { "access": { "audTag": [ "string" ], "teamName": "zero-trust-organization-name", "required": false }, "caPool": "caPool", "connectTimeout": 10, "disableChunkedEncoding": true, "http2Origin": true, "httpHostHeader": "httpHostHeader", "keepAliveConnections": 100, "keepAliveTimeout": 90, "matchSNItoHost": false, "noHappyEyeballs": false, "noTLSVerify": false, "originServerName": "originServerName", "proxyType": "proxyType", "tcpKeepAlive": 30, "tlsTimeout": 10 }, "warp-routing": { "enabled": true } }, "created_at": "2014-01-01T05:20:00.12345Z", "source": "cloudflare", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "version": 0 } } ``` ## Put configuration **put** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations` Adds or updates the configuration for a remotely-managed tunnel. 
### Path Parameters - `account_id: string` Identifier. - `tunnel_id: string` UUID of the tunnel. ### Body Parameters - `config: optional { ingress, originRequest }` The tunnel configuration and ingress rules. - `ingress: optional array of { hostname, service, originRequest, path }` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. - `hostname: string` Public hostname for this service. - `service: string` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'. - `originRequest: optional { access, caPool, connectTimeout, 12 more }` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access: optional { audTag, teamName, required }` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. - `audTag: array of string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `teamName: string` - `required: optional boolean` Deny traffic that has not fulfilled Access authorization. - `caPool: optional string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connectTimeout: optional number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disableChunkedEncoding: optional boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2Origin: optional boolean` Attempt to connect to origin using HTTP2. Origin must be configured as https. 
- `httpHostHeader: optional string` Sets the HTTP Host header on requests sent to the local service. - `keepAliveConnections: optional number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keepAliveTimeout: optional number` Timeout after which an idle keepalive connection can be discarded. - `matchSNItoHost: optional boolean` Auto configure the Hostname on the origin server certificate. - `noHappyEyeballs: optional boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `noTLSVerify: optional boolean` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `originServerName: optional string` Hostname that cloudflared should expect from your origin server certificate. - `proxyType: optional string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcpKeepAlive: optional number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tlsTimeout: optional number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. - `path: optional string` Requests with this path route to this public hostname. - `originRequest: optional { access, caPool, connectTimeout, 12 more }` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access: optional { audTag, teamName, required }` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. 
- `audTag: array of string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API. - `teamName: string` - `required: optional boolean` Deny traffic that has not fulfilled Access authorization. - `caPool: optional string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare. - `connectTimeout: optional number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by tlsTimeout. - `disableChunkedEncoding: optional boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server. - `http2Origin: optional boolean` Attempt to connect to origin using HTTP2. Origin must be configured as https. - `httpHostHeader: optional string` Sets the HTTP Host header on requests sent to the local service. - `keepAliveConnections: optional number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections. - `keepAliveTimeout: optional number` Timeout after which an idle keepalive connection can be discarded. - `matchSNItoHost: optional boolean` Auto configure the Hostname on the origin server certificate. - `noHappyEyeballs: optional boolean` Disable the “happy eyeballs” algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols. - `noTLSVerify: optional boolean` Disables TLS verification of the certificate presented by your origin. Will allow any certificate from the origin to be accepted. - `originServerName: optional string` Hostname that cloudflared should expect from your origin server certificate. - `proxyType: optional string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. 
This configures what type of proxy will be started. Valid options are: "" for the regular proxy and "socks" for a SOCKS5 proxy. - `tcpKeepAlive: optional number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server. - `tlsTimeout: optional number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { account_id, config, created_at, 3 more }` Cloudflare Tunnel configuration - `account_id: optional string` Identifier. - `config: optional { ingress, originRequest }` The tunnel configuration and ingress rules. - `ingress: optional array of { hostname, service, originRequest, path }` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel. - `hostname: string` Public hostname for this service. - `service: string` Protocol and address of destination server. Supported protocols: http://, https://, unix://, tcp://, ssh://, rdp://, unix+tls://, smb://. Alternatively can return a HTTP status code http_status:[code] e.g. 'http_status:404'. - `originRequest: optional { access, caPool, connectTimeout, 12 more }` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server. - `access: optional { audTag, teamName, required }` For all L7 requests to this hostname, cloudflared will validate each request's Cf-Access-Jwt-Assertion request header. 
          - `audTag: array of string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
          - `teamName: string`
          - `required: optional boolean` Deny traffic that has not fulfilled Access authorization.
        - `caPool: optional string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
        - `connectTimeout: optional number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
        - `disableChunkedEncoding: optional boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
        - `http2Origin: optional boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as https.
        - `httpHostHeader: optional string` Sets the HTTP Host header on requests sent to the local service.
        - `keepAliveConnections: optional number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
        - `keepAliveTimeout: optional number` Timeout after which an idle keepalive connection can be discarded.
        - `matchSNItoHost: optional boolean` Auto-configure the hostname on the origin server certificate.
        - `noHappyEyeballs: optional boolean` Disable the "happy eyeballs" algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
        - `noTLSVerify: optional boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
        - `originServerName: optional string` Hostname that cloudflared should expect from your origin server certificate.
        - `proxyType: optional string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
        - `tcpKeepAlive: optional number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
        - `tlsTimeout: optional number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
      - `path: optional string` Requests with this path route to this public hostname.
    - `originRequest: optional { access, caPool, connectTimeout, 12 more }` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
      - `access: optional { audTag, teamName, required }` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
        - `audTag: array of string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
        - `teamName: string`
        - `required: optional boolean` Deny traffic that has not fulfilled Access authorization.
      - `caPool: optional string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
      - `connectTimeout: optional number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
      - `disableChunkedEncoding: optional boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
      - `http2Origin: optional boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as https.
      - `httpHostHeader: optional string` Sets the HTTP Host header on requests sent to the local service.
      - `keepAliveConnections: optional number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
      - `keepAliveTimeout: optional number` Timeout after which an idle keepalive connection can be discarded.
      - `matchSNItoHost: optional boolean` Auto-configure the hostname on the origin server certificate.
      - `noHappyEyeballs: optional boolean` Disable the "happy eyeballs" algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
      - `noTLSVerify: optional boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
      - `originServerName: optional string` Hostname that cloudflared should expect from your origin server certificate.
      - `proxyType: optional string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
      - `tcpKeepAlive: optional number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      - `tlsTimeout: optional number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
  - `created_at: optional string`
  - `source: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `tunnel_id: optional string` UUID of the tunnel.
  - `version: optional number` The version of the Tunnel Configuration.
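The two `originRequest` levels above (one per ingress rule, one for the whole tunnel) carry the settings that decide whether cloudflared verifies the origin's certificate (`noTLSVerify`) and whether traffic that has not fulfilled Access authorization is denied (`access.required`). The following is an added example, not code from the Cloudflare API reference or from cloudflared: it audits the `config` object returned by this endpoint for those weak settings and shows the corrected configuration next to the weak one. It assumes that a rule's own `originRequest` overrides the tunnel-level one key by key (this is how cloudflared applies ingress overrides, but the reference page does not state it), and the sample configuration, hostnames and audience tag are constructed for the example.

```python
"""Audit a Cloudflare Tunnel `config` object (GET/PUT
/accounts/{account_id}/cfd_tunnel/{tunnel_id}/configurations) for origin
settings that weaken security, and produce a hardened copy.

Added example, not part of the Cloudflare API reference or of cloudflared.
Assumption: a per-rule `originRequest` overrides the tunnel-level one per key.
"""
from __future__ import annotations

import copy
from typing import Any

# Constructed sample: the tunnel-level originRequest disables certificate
# verification; the first rule overrides that and enforces Access, the
# second inherits the weak setting and only validates Access when present.
SAMPLE_CONFIG: dict[str, Any] = {
    "ingress": [
        {
            "hostname": "admin.example.com",
            "service": "https://localhost:8443",
            "originRequest": {
                "noTLSVerify": False,
                "caPool": "/etc/cloudflared/origin-ca.pem",
                "access": {
                    "audTag": ["0123456789abcdef"],  # constructed placeholder tag
                    "teamName": "example-team",
                    "required": True,
                },
            },
        },
        {
            "hostname": "intranet.example.com",
            "service": "https://localhost:8001",
            "originRequest": {
                "access": {
                    "audTag": ["0123456789abcdef"],
                    "teamName": "example-team",
                    "required": False,
                }
            },
        },
        {"service": "http_status:404"},  # catch-all rule, nothing is proxied
    ],
    "originRequest": {"noTLSVerify": True, "connectTimeout": 10},
    "warp-routing": {"enabled": True},
}


def effective_origin_request(config: dict[str, Any], rule: dict[str, Any]) -> dict[str, Any]:
    """Merge the tunnel-level originRequest with the rule's own; the rule wins per key."""
    merged = dict(config.get("originRequest") or {})
    merged.update(rule.get("originRequest") or {})
    return merged


def audit_config(config: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Return (hostname, field, finding) triples for settings a reviewer should question."""
    findings: list[tuple[str, str, str]] = []
    for rule in config.get("ingress") or []:
        hostname = rule.get("hostname") or "<catch-all>"
        service = rule.get("service", "")
        if service.startswith("http_status:"):
            continue  # status-code rules proxy nothing, so origin settings do not apply
        origin = effective_origin_request(config, rule)
        # noTLSVerify: any certificate from the origin is accepted, so the hop
        # between cloudflared and the origin is no longer authenticated.
        if origin.get("noTLSVerify") is True:
            findings.append((hostname, "noTLSVerify", "origin certificate is not verified"))
        access = origin.get("access")
        if not access:
            findings.append((hostname, "access", "no Cf-Access-Jwt-Assertion validation configured"))
        elif not access.get("required"):
            findings.append((hostname, "access.required",
                             "traffic that has not fulfilled Access authorization is not denied"))
        elif not access.get("audTag"):
            findings.append((hostname, "access.audTag", "no Access application audience tags listed"))
    return findings


def harden_config(config: dict[str, Any]) -> dict[str, Any]:
    """Return a copy with certificate verification restored everywhere and
    Access enforcement required wherever an access block exists."""
    fixed = copy.deepcopy(config)
    (fixed.get("originRequest") or {}).pop("noTLSVerify", None)
    for rule in fixed.get("ingress") or []:
        origin = rule.setdefault("originRequest", {})
        origin.pop("noTLSVerify", None)
        if origin.get("access"):
            origin["access"]["required"] = True
    return fixed


if __name__ == "__main__":
    for host, field, msg in audit_config(SAMPLE_CONFIG):
        print(f"{host}: {field}: {msg}")
    print("after hardening:", audit_config(harden_config(SAMPLE_CONFIG)))
```

Run it against the `result.config` object of a real response (after `json.load`) to get the same triples; only `intranet.example.com` is flagged in the sample, because the `admin.example.com` rule overrides the tunnel-level `noTLSVerify` and sets `required`.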
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/configurations \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{}'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "account_id": "023e105f4ecef8ad9ca31a8372d0c353",
    "config": {
      "ingress": [
        {
          "hostname": "tunnel.example.com",
          "service": "https://localhost:8001",
          "originRequest": {
            "access": {
              "audTag": [
                "string"
              ],
              "teamName": "zero-trust-organization-name",
              "required": false
            },
            "caPool": "caPool",
            "connectTimeout": 10,
            "disableChunkedEncoding": true,
            "http2Origin": true,
            "httpHostHeader": "httpHostHeader",
            "keepAliveConnections": 100,
            "keepAliveTimeout": 90,
            "matchSNItoHost": false,
            "noHappyEyeballs": false,
            "noTLSVerify": false,
            "originServerName": "originServerName",
            "proxyType": "proxyType",
            "tcpKeepAlive": 30,
            "tlsTimeout": 10
          },
          "path": "subpath"
        }
      ],
      "originRequest": {
        "access": {
          "audTag": [
            "string"
          ],
          "teamName": "zero-trust-organization-name",
          "required": false
        },
        "caPool": "caPool",
        "connectTimeout": 10,
        "disableChunkedEncoding": true,
        "http2Origin": true,
        "httpHostHeader": "httpHostHeader",
        "keepAliveConnections": 100,
        "keepAliveTimeout": 90,
        "matchSNItoHost": false,
        "noHappyEyeballs": false,
        "noTLSVerify": false,
        "originServerName": "originServerName",
        "proxyType": "proxyType",
        "tcpKeepAlive": 30,
        "tlsTimeout": 10
      },
      "warp-routing": {
        "enabled": true
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "source": "cloudflare",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "version": 0
  }
}
```

## Domain Types

### Configuration Get Response

- `ConfigurationGetResponse { account_id, config, created_at, 3 more }` Cloudflare Tunnel configuration.
  - `account_id: optional string` Identifier.
  - `config: optional { ingress, originRequest }` The tunnel configuration and ingress rules.
    - `ingress: optional array of { hostname, service, originRequest, path }` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
      - `hostname: string` Public hostname for this service.
      - `service: string` Protocol and address of the destination server. Supported protocols: `http://`, `https://`, `unix://`, `tcp://`, `ssh://`, `rdp://`, `unix+tls://`, `smb://`. Alternatively, the service can return an HTTP status code, `http_status:[code]`, e.g. `http_status:404`.
      - `originRequest: optional { access, caPool, connectTimeout, 12 more }` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
        - `access: optional { audTag, teamName, required }` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
          - `audTag: array of string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
          - `teamName: string`
          - `required: optional boolean` Deny traffic that has not fulfilled Access authorization.
        - `caPool: optional string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
        - `connectTimeout: optional number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
        - `disableChunkedEncoding: optional boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
        - `http2Origin: optional boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as https.
        - `httpHostHeader: optional string` Sets the HTTP Host header on requests sent to the local service.
        - `keepAliveConnections: optional number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
        - `keepAliveTimeout: optional number` Timeout after which an idle keepalive connection can be discarded.
        - `matchSNItoHost: optional boolean` Auto-configure the hostname on the origin server certificate.
        - `noHappyEyeballs: optional boolean` Disable the "happy eyeballs" algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
        - `noTLSVerify: optional boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
        - `originServerName: optional string` Hostname that cloudflared should expect from your origin server certificate.
        - `proxyType: optional string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
        - `tcpKeepAlive: optional number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
        - `tlsTimeout: optional number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
      - `path: optional string` Requests with this path route to this public hostname.
    - `originRequest: optional { access, caPool, connectTimeout, 12 more }` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
      - `access: optional { audTag, teamName, required }` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
        - `audTag: array of string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
        - `teamName: string`
        - `required: optional boolean` Deny traffic that has not fulfilled Access authorization.
      - `caPool: optional string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
      - `connectTimeout: optional number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
      - `disableChunkedEncoding: optional boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
      - `http2Origin: optional boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as https.
      - `httpHostHeader: optional string` Sets the HTTP Host header on requests sent to the local service.
      - `keepAliveConnections: optional number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
      - `keepAliveTimeout: optional number` Timeout after which an idle keepalive connection can be discarded.
      - `matchSNItoHost: optional boolean` Auto-configure the hostname on the origin server certificate.
      - `noHappyEyeballs: optional boolean` Disable the "happy eyeballs" algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
      - `noTLSVerify: optional boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
      - `originServerName: optional string` Hostname that cloudflared should expect from your origin server certificate.
      - `proxyType: optional string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
      - `tcpKeepAlive: optional number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      - `tlsTimeout: optional number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
  - `created_at: optional string`
  - `source: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `tunnel_id: optional string` UUID of the tunnel.
  - `version: optional number` The version of the Tunnel Configuration.

### Configuration Update Response

- `ConfigurationUpdateResponse { account_id, config, created_at, 3 more }` Cloudflare Tunnel configuration.
  - `account_id: optional string` Identifier.
  - `config: optional { ingress, originRequest }` The tunnel configuration and ingress rules.
    - `ingress: optional array of { hostname, service, originRequest, path }` List of public hostname definitions. At least one ingress rule needs to be defined for the tunnel.
      - `hostname: string` Public hostname for this service.
      - `service: string` Protocol and address of the destination server. Supported protocols: `http://`, `https://`, `unix://`, `tcp://`, `ssh://`, `rdp://`, `unix+tls://`, `smb://`. Alternatively, the service can return an HTTP status code, `http_status:[code]`, e.g. `http_status:404`.
      - `originRequest: optional { access, caPool, connectTimeout, 12 more }` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
        - `access: optional { audTag, teamName, required }` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
          - `audTag: array of string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
          - `teamName: string`
          - `required: optional boolean` Deny traffic that has not fulfilled Access authorization.
        - `caPool: optional string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
        - `connectTimeout: optional number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
        - `disableChunkedEncoding: optional boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
        - `http2Origin: optional boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as https.
        - `httpHostHeader: optional string` Sets the HTTP Host header on requests sent to the local service.
        - `keepAliveConnections: optional number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
        - `keepAliveTimeout: optional number` Timeout after which an idle keepalive connection can be discarded.
        - `matchSNItoHost: optional boolean` Auto-configure the hostname on the origin server certificate.
        - `noHappyEyeballs: optional boolean` Disable the "happy eyeballs" algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
        - `noTLSVerify: optional boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
        - `originServerName: optional string` Hostname that cloudflared should expect from your origin server certificate.
        - `proxyType: optional string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
        - `tcpKeepAlive: optional number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
        - `tlsTimeout: optional number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
      - `path: optional string` Requests with this path route to this public hostname.
    - `originRequest: optional { access, caPool, connectTimeout, 12 more }` Configuration parameters for the public hostname specific connection settings between cloudflared and origin server.
      - `access: optional { audTag, teamName, required }` For all L7 requests to this hostname, cloudflared will validate each request's `Cf-Access-Jwt-Assertion` request header.
        - `audTag: array of string` Access applications that are allowed to reach this hostname for this Tunnel. Audience tags can be identified in the dashboard or via the List Access policies API.
        - `teamName: string`
        - `required: optional boolean` Deny traffic that has not fulfilled Access authorization.
      - `caPool: optional string` Path to the certificate authority (CA) for the certificate of your origin. This option should be used only if your certificate is not signed by Cloudflare.
      - `connectTimeout: optional number` Timeout for establishing a new TCP connection to your origin server. This excludes the time taken to establish TLS, which is controlled by `tlsTimeout`.
      - `disableChunkedEncoding: optional boolean` Disables chunked transfer encoding. Useful if you are running a WSGI server.
      - `http2Origin: optional boolean` Attempt to connect to the origin using HTTP/2. The origin must be configured as https.
      - `httpHostHeader: optional string` Sets the HTTP Host header on requests sent to the local service.
      - `keepAliveConnections: optional number` Maximum number of idle keepalive connections between Tunnel and your origin. This does not restrict the total number of concurrent connections.
      - `keepAliveTimeout: optional number` Timeout after which an idle keepalive connection can be discarded.
      - `matchSNItoHost: optional boolean` Auto-configure the hostname on the origin server certificate.
      - `noHappyEyeballs: optional boolean` Disable the "happy eyeballs" algorithm for IPv4/IPv6 fallback if your local network has misconfigured one of the protocols.
      - `noTLSVerify: optional boolean` Disables TLS verification of the certificate presented by your origin. Any certificate from the origin will be accepted.
      - `originServerName: optional string` Hostname that cloudflared should expect from your origin server certificate.
      - `proxyType: optional string` cloudflared starts a proxy server to translate HTTP traffic into TCP when proxying, for example, SSH or RDP. This configures what type of proxy will be started. Valid options are `""` for the regular proxy and `"socks"` for a SOCKS5 proxy.
      - `tcpKeepAlive: optional number` The timeout after which a TCP keepalive packet is sent on a connection between Tunnel and the origin server.
      - `tlsTimeout: optional number` Timeout for completing a TLS handshake to your origin server, if you have chosen to connect Tunnel to an HTTPS server.
  - `created_at: optional string`
  - `source: optional "local" or "cloudflare"` Indicates if this is a locally or remotely configured tunnel. If `local`, manage the tunnel using a YAML file on the origin machine. If `cloudflare`, manage the tunnel's configuration on the Zero Trust dashboard.
    - `"local"`
    - `"cloudflare"`
  - `tunnel_id: optional string` UUID of the tunnel.
  - `version: optional number` The version of the Tunnel Configuration.

# Connections

## List Cloudflare Tunnel connections

**get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections`

Fetches connection details for a Cloudflare Tunnel.

### Path Parameters

- `account_id: string` Cloudflare account ID.
- `tunnel_id: string` UUID of the tunnel.
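The clean-up endpoint in the next section recommends removing connectors after rotating the tunnel token, and takes an optional `client_id` query parameter to remove a single connector rather than all of them. The following is an added example, not code from the Cloudflare API reference or from cloudflared: it works on the `result` array this endpoint returns (schema under Returns below), picks out the connectors whose connections were all opened before a rotation timestamp, counts the connections that are actively serving traffic per data center (those flagged `is_pending_reconnect` are excluded), and builds the corresponding DELETE requests without sending them. The rule "every connection opened before the rotation means the connector still runs on the old token" is an assumption of this example, and the sample response, UUIDs and timestamps are constructed.

```python
"""Plan connector clean-up after a tunnel token rotation from the `result`
array of GET /accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections.

Added example, not part of the Cloudflare API reference or of cloudflared.
Assumption: a connector whose connections all predate the rotation is still
authenticated with the old token and should be removed via the DELETE
endpoint on the same path with its client_id.
"""
from __future__ import annotations

from datetime import datetime
from typing import Any
from urllib.parse import urlencode

API_BASE = "https://api.cloudflare.com/client/v4"


def parse_ts(value: str) -> datetime:
    """Parse the RFC 3339 timestamps the API returns (a trailing 'Z' means UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sample modelled on the reference response; UUIDs are placeholders.
SAMPLE_RESULT: list[dict[str, Any]] = [
    {   # connector started before the rotation, still on the old token
        "id": "11111111-1111-4111-8111-111111111111",
        "arch": "linux_amd64",
        "version": "2022.7.1",
        "conns": [
            {"client_id": "11111111-1111-4111-8111-111111111111", "colo_name": "DFW",
             "is_pending_reconnect": False, "opened_at": "2021-01-25T18:22:34.317854Z"},
        ],
    },
    {   # connector restarted after the rotation with the new token
        "id": "22222222-2222-4222-8222-222222222222",
        "arch": "linux_amd64",
        "version": "2024.1.0",
        "conns": [
            {"client_id": "22222222-2222-4222-8222-222222222222", "colo_name": "ORD",
             "is_pending_reconnect": False, "opened_at": "2024-02-01T09:00:00Z"},
            {"client_id": "22222222-2222-4222-8222-222222222222", "colo_name": "DFW",
             "is_pending_reconnect": True, "opened_at": "2024-02-01T09:00:01Z"},
        ],
    },
]
ROTATED_AT = parse_ts("2024-01-15T00:00:00Z")  # constructed rotation time


def stale_connectors(result: list[dict[str, Any]], rotated_at: datetime) -> list[str]:
    """Connector IDs (client_id) whose every connection was opened before rotated_at."""
    stale: list[str] = []
    for client in result:
        conns = client.get("conns") or []
        if conns and all(parse_ts(c["opened_at"]) < rotated_at for c in conns):
            for conn in conns:
                if conn["client_id"] not in stale:
                    stale.append(conn["client_id"])
    return stale


def active_summary(result: list[dict[str, Any]]) -> dict[str, int]:
    """Count connections actively serving traffic per Cloudflare data center.
    Connections with is_pending_reconnect are disconnected and not counted."""
    counts: dict[str, int] = {}
    for client in result:
        for conn in client.get("conns") or []:
            if conn.get("is_pending_reconnect"):
                continue
            counts[conn["colo_name"]] = counts.get(conn["colo_name"], 0) + 1
    return counts


def cleanup_requests(account_id: str, tunnel_id: str, client_ids: list[str]) -> list[tuple[str, str]]:
    """One (method, URL) pair per connector for the clean-up endpoint. Without
    client_id the same DELETE removes every connector on the tunnel."""
    base = f"{API_BASE}/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections"
    return [("DELETE", f"{base}?{urlencode({'client_id': cid})}") for cid in client_ids]


if __name__ == "__main__":
    print("active connections per colo:", active_summary(SAMPLE_RESULT))
    stale = stale_connectors(SAMPLE_RESULT, ROTATED_AT)
    for method, url in cleanup_requests("ACCOUNT_ID", "TUNNEL_ID", stale):
        print(method, url)
```

Feed it the parsed `result` of a real response and the time you rotated the token; the planned requests still need the `Authorization: Bearer` header from the reference examples when you send them, and a connector removed this way reconnects only if it is restarted with the new token.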
### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: array of Client` - `id: optional string` UUID of the Cloudflare Tunnel connection. - `arch: optional string` The cloudflared OS architecture used to establish this connection. - `config_version: optional number` The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard. - `conns: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. - `features: optional array of string` Features enabled for the Cloudflare Tunnel. - `run_at: optional string` Timestamp of when the tunnel connection was started. - `version: optional string` The cloudflared version used to establish this connection. 
- `success: true` Whether the API call was successful - `true` - `result_info: optional { count, page, per_page, total_count }` - `count: optional number` Total number of results for the requested service - `page: optional number` Current page within paginated list of results - `per_page: optional number` Number of results per page of results - `total_count: optional number` Total results available without any search parameters ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "arch": "linux_amd64", "config_version": 0, "conns": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "features": [ "ha-origin" ], "run_at": "2009-11-10T23:00:00Z", "version": "2022.7.1" } ], "success": true, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Clean up Cloudflare Tunnel connections **delete** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections` Removes a connection (aka Cloudflare Tunnel Connector) from a Cloudflare Tunnel independently of its current state. If no connector id (client_id) is provided all connectors will be removed. We recommend running this command after rotating tokens. ### Path Parameters - `account_id: string` Cloudflare account ID - `tunnel_id: string` UUID of the tunnel. 
### Query Parameters - `client_id: optional string` UUID of the Cloudflare Tunnel connector. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: unknown` - `success: true` Whether the API call was successful - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": {}, "success": true } ``` ## Domain Types ### Client - `Client { id, arch, config_version, 4 more }` A client (typically cloudflared) that maintains connections to a Cloudflare data center. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `arch: optional string` The cloudflared OS architecture used to establish this connection. - `config_version: optional number` The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard. - `conns: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. 
- `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. - `features: optional array of string` Features enabled for the Cloudflare Tunnel. - `run_at: optional string` Timestamp of when the tunnel connection was started. - `version: optional string` The cloudflared version used to establish this connection. ### Connection Delete Response - `ConnectionDeleteResponse = unknown` # Token ## Get a Cloudflare Tunnel token **get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/token` Gets the token used to associate cloudflared with a specific tunnel. ### Path Parameters - `account_id: string` Cloudflare account ID - `tunnel_id: string` UUID of the tunnel. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel. 
- `success: true` Whether the API call was successful - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/token \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": "eyJhIjoiNWFiNGU5Z...", "success": true } ``` ## Domain Types ### Token Get Response - `TokenGetResponse = string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel. # Connectors ## Get Cloudflare Tunnel connector **get** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connectors/{connector_id}` Fetches connector and connection details for a Cloudflare Tunnel. ### Path Parameters - `account_id: string` Cloudflare account ID - `tunnel_id: string` UUID of the tunnel. - `connector_id: string` UUID of the Cloudflare Tunnel connector. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: Client` A client (typically cloudflared) that maintains connections to a Cloudflare data center. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `arch: optional string` The cloudflared OS architecture used to establish this connection. - `config_version: optional number` The version of the remote tunnel configuration. Used internally to sync cloudflared with the Zero Trust dashboard. - `conns: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. 
- `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. - `features: optional array of string` Features enabled for the Cloudflare Tunnel. - `run_at: optional string` Timestamp of when the tunnel connection was started. - `version: optional string` The cloudflared version used to establish this connection. 
- `success: true` Whether the API call was successful - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connectors/$CONNECTOR_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "arch": "linux_amd64", "config_version": 0, "conns": [ { "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925", "client_version": "2022.7.1", "colo_name": "DFW", "is_pending_reconnect": false, "opened_at": "2021-01-25T18:22:34.317854Z", "origin_ip": "10.1.0.137", "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925" } ], "features": [ "ha-origin" ], "run_at": "2009-11-10T23:00:00Z", "version": "2022.7.1" }, "success": true } ``` # Management ## Get a Cloudflare Tunnel management token **post** `/accounts/{account_id}/cfd_tunnel/{tunnel_id}/management` Gets a management token used to access the management resources (i.e. Streaming Logs) of a tunnel. ### Path Parameters - `account_id: string` Cloudflare account ID - `tunnel_id: string` UUID of the tunnel. ### Body Parameters - `resources: array of "logs"` - `"logs"` ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel. 
- `success: true` Whether the API call was successful - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/management \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "resources": [ "logs" ] }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": "eyJhIjoiNWFiNGU5Z...", "success": true } ``` ## Domain Types ### Management Create Response - `ManagementCreateResponse = string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel. # WARP Connector ## List Warp Connector Tunnels **get** `/accounts/{account_id}/warp_connector` Lists and filters Warp Connector Tunnels in an account. ### Path Parameters - `account_id: string` Cloudflare account ID ### Query Parameters - `exclude_prefix: optional string` - `existed_at: optional string` If provided, include only resources that were created (and not deleted) before this time. URL encoded. - `include_prefix: optional string` - `is_deleted: optional boolean` If `true`, only include deleted tunnels. If `false`, exclude deleted tunnels. If empty, all tunnels will be included. - `name: optional string` A user-friendly name for the tunnel. - `page: optional number` Page number of paginated results. - `per_page: optional number` Number of results to display. - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). 
  - `"inactive"`
  - `"degraded"`
  - `"healthy"`
  - `"down"`
- `uuid: optional string` UUID of the tunnel.
- `was_active_at: optional string`
- `was_inactive_at: optional string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of { id, account_tag, connections, 8 more }`
  - `id: optional string` UUID of the tunnel.
  - `account_tag: optional string` Cloudflare account ID
  - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running cloudflared.
    - `uuid: optional string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: optional unknown` Metadata associated with the tunnel.
  - `name: optional string` A user-friendly name for a tunnel.
  - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
- `success: true` Whether the API call was successful
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service
  - `page: optional number` Current page within paginated list of results
  - `per_page: optional number` Number of results per page of results
  - `total_count: optional number` Total results available without any search parameters

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/warp_connector \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "account_tag": "699d98642c564d2e855e9661899b7252",
      "connections": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "is_pending_reconnect": false,
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137",
          "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
        }
      ],
      "conns_active_at": "2009-11-10T23:00:00Z",
      "conns_inactive_at": "2009-11-10T23:00:00Z",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "metadata": {},
      "name": "blog",
      "status": "healthy",
      "tun_type": "cfd_tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a WARP Connector Tunnel

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}`

Fetches a single WARP Connector Tunnel.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `tunnel_id: string` UUID of the tunnel.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: { id, account_tag, connections, 8 more }` A WARP Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id: optional string` UUID of the tunnel.
  - `account_tag: optional string` Cloudflare account ID
  - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running cloudflared.
    - `uuid: optional string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: optional unknown` Metadata associated with the tunnel.
  - `name: optional string` A user-friendly name for a tunnel.
  - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/warp_connector/$TUNNEL_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Create a WARP Connector Tunnel

**post** `/accounts/{account_id}/warp_connector`

Creates a new WARP Connector Tunnel in an account.

### Path Parameters

- `account_id: string` Cloudflare account ID

### Body Parameters

- `name: string` A user-friendly name for a tunnel.
- `ha: optional boolean` Indicates that the tunnel will be created to be highly available. If omitted, defaults to false.
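The List endpoint above returns tunnels a page at a time, described by `result_info`, and every tunnel carries the same object that Get and Create return. The following is an added example, not code from the Cloudflare API reference or the cloudflared project, that walks all pages and audits each tunnel object for the things a defender cares about: a status other than `healthy`, a connector whose `origin_ip` is outside the networks you expect to host connectors, connections stuck in `is_pending_reconnect`, and connectors running a `client_version` older than a baseline. The page data is constructed to match the documented shape; the tunnel named `blog` reuses the page's example values, the other tunnels, the allowed networks and the version floor are made up for the example.

```python
import ipaddress
from typing import Callable, Dict, Iterable, Iterator, List, Tuple

# Constructed sample: two pages in the shape documented for
# GET /accounts/{account_id}/warp_connector. Not real API output.
SAMPLE_PAGES: Dict[int, Dict] = {
    1: {
        "success": True, "errors": [], "messages": [],
        "result": [
            {"id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "name": "blog",
             "status": "healthy", "deleted_at": None,
             "connections": [{"client_version": "2024.4.1", "colo_name": "DFW",
                              "is_pending_reconnect": False,
                              "origin_ip": "10.1.0.137"}]},
            {"id": "0b7d2f7e-3e5b-4d6f-9b2a-1c6d8e9f0a11", "name": "dc-core",
             "status": "degraded", "deleted_at": None,
             "connections": [{"client_version": "2022.7.1", "colo_name": "LHR",
                              "is_pending_reconnect": True,
                              "origin_ip": "203.0.113.5"}]},
        ],
        "result_info": {"count": 2, "page": 1, "per_page": 2, "total_count": 3},
    },
    2: {
        "success": True, "errors": [], "messages": [],
        "result": [
            {"id": "9a1f4c2d-77e0-4a9c-8f3b-5d2e6b1c0f22", "name": "lab",
             "status": "down", "deleted_at": None, "connections": []},
        ],
        "result_info": {"count": 1, "page": 2, "per_page": 2, "total_count": 3},
    },
}


def iter_tunnels(fetch_page: Callable[[int], Dict]) -> Iterator[Dict]:
    """Yield every tunnel, following result_info until total_count is reached.

    fetch_page(n) returns the parsed JSON body for ?page=n. In production it
    would call the API with a fixed per_page; here it reads SAMPLE_PAGES.
    """
    page = 1
    while True:
        body = fetch_page(page)
        if not body.get("success"):
            raise RuntimeError(f"list call failed: {body.get('errors')}")
        result = body.get("result") or []
        yield from result
        info = body.get("result_info") or {}
        seen = info.get("page", page) * info.get("per_page", len(result))
        if not result or seen >= info.get("total_count", 0):
            return
        page += 1


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2022.7.1' into (2022, 7, 1); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def audit_tunnels(tunnels: Iterable[Dict], allowed_origin_nets: List[str],
                  min_client_version: str) -> List[Tuple[str, str, str]]:
    """Return (tunnel_id, name, finding) triples for anything worth a look."""
    nets = [ipaddress.ip_network(n) for n in allowed_origin_nets]
    floor = parse_version(min_client_version)
    findings: List[Tuple[str, str, str]] = []
    for t in tunnels:
        if t.get("deleted_at"):
            continue  # soft-deleted; it cannot serve traffic
        tid, name = t.get("id", "?"), t.get("name", "?")
        if t.get("status") != "healthy":
            findings.append((tid, name, f"status is {t.get('status')}"))
        for c in t.get("connections") or []:
            ip = c.get("origin_ip")
            if ip:
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    findings.append((tid, name, f"unparseable origin_ip {ip!r}"))
                    continue
                if not any(addr in n for n in nets):
                    findings.append((tid, name, f"connector at {ip} is outside the allowed networks"))
            if c.get("is_pending_reconnect"):
                findings.append((tid, name, f"connection via {c.get('colo_name')} is pending reconnect"))
            ver = c.get("client_version") or ""
            if ver and parse_version(ver) < floor:
                findings.append((tid, name, f"client_version {ver} is older than {min_client_version}"))
    return findings


def audit_sample() -> List[Tuple[str, str, str]]:
    """Run the audit over the constructed pages (assumed networks and floor)."""
    tunnels = list(iter_tunnels(lambda n: SAMPLE_PAGES[n]))
    return audit_tunnels(tunnels, ["10.0.0.0/8", "192.168.0.0/16"], "2024.1.0")


if __name__ == "__main__":
    for tid, name, finding in audit_sample():
        print(f"{name} ({tid}): {finding}")
```

To run this against the real endpoint, replace the lambda with a function that issues the GET from the example above with `?page=n&per_page=...` and returns `json.loads` of the body; pass `is_deleted=false` if you do not want soft-deleted tunnels in the inventory at all. The `origin_ip` check is the one most worth keeping: a connector reporting from an address you do not own is either misconfigured or not yours.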
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: { id, account_tag, connections, 8 more }` A WARP Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id: optional string` UUID of the tunnel.
  - `account_tag: optional string` Cloudflare account ID
  - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running cloudflared.
    - `uuid: optional string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: optional unknown` Metadata associated with the tunnel.
  - `name: optional string` A user-friendly name for a tunnel.
  - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/warp_connector \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "blog"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Update a WARP Connector Tunnel

**patch** `/accounts/{account_id}/warp_connector/{tunnel_id}`

Updates an existing WARP Connector Tunnel.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `tunnel_id: string` UUID of the tunnel.

### Body Parameters

- `name: optional string` A user-friendly name for a tunnel.
- `tunnel_secret: optional string` Sets the password required to run a locally-managed tunnel. Must be at least 32 bytes and encoded as a base64 string.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: { id, account_tag, connections, 8 more }` A WARP Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id: optional string` UUID of the tunnel.
  - `account_tag: optional string` Cloudflare account ID
  - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked.
If `false`, the connection is actively serving traffic.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running cloudflared.
    - `uuid: optional string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: optional unknown` Metadata associated with the tunnel.
  - `name: optional string` A user-friendly name for a tunnel.
  - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/warp_connector/$TUNNEL_ID \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "blog",
    "tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg="
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Delete a WARP Connector Tunnel

**delete** `/accounts/{account_id}/warp_connector/{tunnel_id}`

Deletes a WARP Connector Tunnel from an account.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `tunnel_id: string` UUID of the tunnel.
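The `tunnel_secret` accepted by the Update endpoint above is the credential a connector presents to run the tunnel, so its value should come from a CSPRNG and be checked against the documented rule (at least 32 bytes once decoded, standard base64) before it is sent; a typo'd or short secret is rejected by the API, but a weak one is accepted. The following is an added example, not code from the Cloudflare API reference or from cloudflared: it generates a fresh secret, validates any candidate against the rule, builds a PATCH body containing only the fields being changed, and prepares the request without sending it. The example PATCH value from the page is reused as a known-good input (it decodes to exactly 32 bytes); the account, tunnel and API-token placeholders in the `__main__` block are stand-ins, not real identifiers.

```python
import base64
import binascii
import json
import secrets
import urllib.request
from typing import Dict, Optional

MIN_SECRET_BYTES = 32  # the endpoint's rule: at least 32 bytes, base64-encoded

# From the page's PATCH example; decodes to the bytes 01..08 repeated four times.
PAGE_EXAMPLE_SECRET = "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg="


def generate_tunnel_secret(n_bytes: int = MIN_SECRET_BYTES) -> str:
    """Fresh secret from the OS CSPRNG, standard base64 alphabet with padding."""
    if n_bytes < MIN_SECRET_BYTES:
        raise ValueError(f"need at least {MIN_SECRET_BYTES} bytes")
    return base64.b64encode(secrets.token_bytes(n_bytes)).decode("ascii")


def validate_tunnel_secret(secret_b64: str) -> int:
    """Return the decoded length, or raise ValueError if the value would be
    rejected: not standard base64, or fewer than 32 bytes once decoded."""
    try:
        raw = base64.b64decode(secret_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"tunnel_secret is not valid base64: {exc}") from exc
    if len(raw) < MIN_SECRET_BYTES:
        raise ValueError(
            f"tunnel_secret decodes to {len(raw)} bytes; need >= {MIN_SECRET_BYTES}")
    return len(raw)


def build_patch_body(name: Optional[str] = None,
                     tunnel_secret: Optional[str] = None) -> Dict[str, str]:
    """Only the fields being changed go in the PATCH body."""
    body: Dict[str, str] = {}
    if name is not None:
        if not name.strip():
            raise ValueError("name must not be blank")
        body["name"] = name
    if tunnel_secret is not None:
        validate_tunnel_secret(tunnel_secret)
        body["tunnel_secret"] = tunnel_secret
    if not body:
        raise ValueError("nothing to update")
    return body


def build_patch_request(account_id: str, tunnel_id: str, api_token: str,
                        body: Dict[str, str]) -> urllib.request.Request:
    """Prepared PATCH for /accounts/{account_id}/warp_connector/{tunnel_id};
    send it with urllib.request.urlopen(req) and check "success" in the reply."""
    url = (f"https://api.cloudflare.com/client/v4/accounts/{account_id}"
           f"/warp_connector/{tunnel_id}")
    return urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="PATCH",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    # Placeholders, not real identifiers; the secret itself is never printed.
    new_secret = generate_tunnel_secret()
    req = build_patch_request("ACCOUNT_ID", "TUNNEL_ID", "API_TOKEN",
                              build_patch_body(tunnel_secret=new_secret))
    print(req.get_method(), req.full_url)
```

Treat a secret rotation as a two-step change: the connector currently running the tunnel was enrolled with the old value, so fetch the tunnel's new token after the PATCH and re-enroll the connector host, or it will not be able to reconnect. Validation uses the standard alphabet because that is what the page's example uses; a URL-safe base64 string (`-` and `_`) is rejected here on purpose.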
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: { id, account_tag, connections, 8 more }` A WARP Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id: optional string` UUID of the tunnel.
  - `account_tag: optional string` Cloudflare account ID
  - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running cloudflared.
    - `uuid: optional string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: optional unknown` Metadata associated with the tunnel.
  - `name: optional string` A user-friendly name for a tunnel.
  - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/warp_connector/$TUNNEL_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "account_tag": "699d98642c564d2e855e9661899b7252",
    "connections": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "is_pending_reconnect": false,
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137",
        "uuid": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
      }
    ],
    "conns_active_at": "2009-11-10T23:00:00Z",
    "conns_inactive_at": "2009-11-10T23:00:00Z",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "metadata": {},
    "name": "blog",
    "status": "healthy",
    "tun_type": "cfd_tunnel"
  },
  "success": true
}
```

## Domain Types

### WARP Connector List Response

- `WARPConnectorListResponse { id, account_tag, connections, 8 more }` A WARP Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id: optional string` UUID of the tunnel.
  - `account_tag: optional string` Cloudflare account ID
  - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running cloudflared.
    - `uuid: optional string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: optional unknown` Metadata associated with the tunnel.
  - `name: optional string` A user-friendly name for a tunnel.
  - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### WARP Connector Get Response

- `WARPConnectorGetResponse { id, account_tag, connections, 8 more }` A WARP Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id: optional string` UUID of the tunnel.
  - `account_tag: optional string` Cloudflare account ID
  - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running cloudflared.
    - `uuid: optional string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: optional unknown` Metadata associated with the tunnel.
  - `name: optional string` A user-friendly name for a tunnel.
  - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

### WARP Connector Create Response

- `WARPConnectorCreateResponse { id, account_tag, connections, 8 more }` A WARP Connector Tunnel that connects your origin to Cloudflare's edge.
  - `id: optional string` UUID of the tunnel.
  - `account_tag: optional string` Cloudflare account ID
  - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running cloudflared.
    - `uuid: optional string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: optional unknown` Metadata associated with the tunnel.
  - `name: optional string` A user-friendly name for a tunnel.
  - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
- `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` ### WARP Connector Edit Response - `WARPConnectorEditResponse { id, account_tag, connections, 8 more }` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: optional string` UUID of the tunnel. - `account_tag: optional string` Cloudflare account ID - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. - `uuid: optional string` UUID of the Cloudflare Tunnel connection. - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive. - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `metadata: optional unknown` Metadata associated with the tunnel. 
- `name: optional string` A user-friendly name for a tunnel. - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge). - `"inactive"` - `"degraded"` - `"healthy"` - `"down"` - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel. - `"cfd_tunnel"` - `"warp_connector"` - `"warp"` - `"magic"` - `"ip_sec"` - `"gre"` - `"cni"` ### WARP Connector Delete Response - `WARPConnectorDeleteResponse { id, account_tag, connections, 8 more }` A Warp Connector Tunnel that connects your origin to Cloudflare's edge. - `id: optional string` UUID of the tunnel. - `account_tag: optional string` Cloudflare account ID - `connections: optional array of { id, client_id, client_version, 5 more }` The Cloudflare Tunnel connections between your origin and Cloudflare's edge. - `id: optional string` UUID of the Cloudflare Tunnel connection. - `client_id: optional string` UUID of the Cloudflare Tunnel connector. - `client_version: optional string` The cloudflared version used to establish this connection. - `colo_name: optional string` The Cloudflare data center used for this connection. - `is_pending_reconnect: optional boolean` Cloudflare continues to track connections for several minutes after they disconnect. This is an optimization to improve latency and reliability of reconnecting. If `true`, the connection has disconnected but is still being tracked. If `false`, the connection is actively serving traffic. - `opened_at: optional string` Timestamp of when the connection was established. - `origin_ip: optional string` The public IP address of the host running cloudflared. 
    - `uuid: optional string` UUID of the Cloudflare Tunnel connection.
  - `conns_active_at: optional string` Timestamp of when the tunnel established at least one connection to Cloudflare's edge. If `null`, the tunnel is inactive.
  - `conns_inactive_at: optional string` Timestamp of when the tunnel became inactive (no connections to Cloudflare's edge). If `null`, the tunnel is active.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `metadata: optional unknown` Metadata associated with the tunnel.
  - `name: optional string` A user-friendly name for a tunnel.
  - `status: optional "inactive" or "degraded" or "healthy" or "down"` The status of the tunnel. Valid values are `inactive` (tunnel has never been run), `degraded` (tunnel is active and able to serve traffic but in an unhealthy state), `healthy` (tunnel is active and able to serve traffic), or `down` (tunnel can not serve traffic as it has no connections to the Cloudflare Edge).
    - `"inactive"`
    - `"degraded"`
    - `"healthy"`
    - `"down"`
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`

# Token

## Get a Warp Connector Tunnel token

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}/token`

Gets the token used to associate a WARP device with a specific Warp Connector tunnel.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `tunnel_id: string` UUID of the tunnel.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/warp_connector/$TUNNEL_ID/token \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": "eyJhIjoiNWFiNGU5Z...",
  "success": true
}
```

## Domain Types

### Token Get Response

- `TokenGetResponse = string` The Tunnel Token is used as a mechanism to authenticate the operation of a tunnel.

# Connections

## List WARP Connector Tunnel connections

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}/connections`

Fetches connection details for a WARP Connector Tunnel.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `tunnel_id: string` UUID of the tunnel.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of { id, arch, conns, 4 more }`
  - `id: optional string` UUID of the Cloudflare Tunnel connector.
  - `arch: optional string` The cloudflared OS architecture used to establish this connection.
  - `conns: optional array of { id, client_id, client_version, 3 more }` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running WARP Connector.
  - `features: optional array of string` Features enabled for the Cloudflare Tunnel.
  - `ha_status: optional "offline" or "passive" or "active"` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at: optional string` Timestamp of when the tunnel connection was started.
  - `version: optional string` The cloudflared version used to establish this connection.
- `success: true` Whether the API call was successful
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service
  - `page: optional number` Current page within paginated list of results
  - `per_page: optional number` Number of results per page of results
  - `total_count: optional number` Total results available without any search parameters

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/warp_connector/$TUNNEL_ID/connections \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": [
    {
      "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
      "arch": "linux_amd64",
      "conns": [
        {
          "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
          "client_version": "2022.7.1",
          "colo_name": "DFW",
          "opened_at": "2021-01-25T18:22:34.317854Z",
          "origin_ip": "10.1.0.137"
        }
      ],
      "features": [
        "ha-origin"
      ],
      "ha_status": "offline",
      "run_at": "2009-11-10T23:00:00Z",
      "version": "2022.7.1"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### Connection Get Response

- `ConnectionGetResponse { id, arch, conns, 4 more }` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `id: optional string` UUID of the Cloudflare Tunnel connector.
  - `arch: optional string` The cloudflared OS architecture used to establish this connection.
  - `conns: optional array of { id, client_id, client_version, 3 more }` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running WARP Connector.
  - `features: optional array of string` Features enabled for the Cloudflare Tunnel.
  - `ha_status: optional "offline" or "passive" or "active"` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at: optional string` Timestamp of when the tunnel connection was started.
  - `version: optional string` The cloudflared version used to establish this connection.

# Connectors

## Get WARP Connector Tunnel connector

**get** `/accounts/{account_id}/warp_connector/{tunnel_id}/connectors/{connector_id}`

Fetches connector and connection details for a WARP Connector Tunnel.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `tunnel_id: string` UUID of the tunnel.
- `connector_id: string` UUID of the Cloudflare Tunnel connector.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: { id, arch, conns, 4 more }` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `id: optional string` UUID of the Cloudflare Tunnel connector.
  - `arch: optional string` The cloudflared OS architecture used to establish this connection.
  - `conns: optional array of { id, client_id, client_version, 3 more }` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running WARP Connector.
  - `features: optional array of string` Features enabled for the Cloudflare Tunnel.
  - `ha_status: optional "offline" or "passive" or "active"` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at: optional string` Timestamp of when the tunnel connection was started.
  - `version: optional string` The cloudflared version used to establish this connection.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/warp_connector/$TUNNEL_ID/connectors/$CONNECTOR_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
    "arch": "linux_amd64",
    "conns": [
      {
        "id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925",
        "client_version": "2022.7.1",
        "colo_name": "DFW",
        "opened_at": "2021-01-25T18:22:34.317854Z",
        "origin_ip": "10.1.0.137"
      }
    ],
    "features": [
      "ha-origin"
    ],
    "ha_status": "offline",
    "run_at": "2009-11-10T23:00:00Z",
    "version": "2022.7.1"
  },
  "success": true
}
```

## Domain Types

### Connector Get Response

- `ConnectorGetResponse { id, arch, conns, 4 more }` A WARP Connector client that maintains a connection to a Cloudflare data center.
  - `id: optional string` UUID of the Cloudflare Tunnel connector.
  - `arch: optional string` The cloudflared OS architecture used to establish this connection.
  - `conns: optional array of { id, client_id, client_version, 3 more }` The WARP Connector Tunnel connections between your origin and Cloudflare's edge.
    - `id: optional string` UUID of the Cloudflare Tunnel connection.
    - `client_id: optional string` UUID of the Cloudflare Tunnel connector.
    - `client_version: optional string` The cloudflared version used to establish this connection.
    - `colo_name: optional string` The Cloudflare data center used for this connection.
    - `opened_at: optional string` Timestamp of when the connection was established.
    - `origin_ip: optional string` The public IP address of the host running WARP Connector.
  - `features: optional array of string` Features enabled for the Cloudflare Tunnel.
  - `ha_status: optional "offline" or "passive" or "active"` The HA status of a WARP Connector client.
    - `"offline"`
    - `"passive"`
    - `"active"`
  - `run_at: optional string` Timestamp of when the tunnel connection was started.
  - `version: optional string` The cloudflared version used to establish this connection.

# Failover

## Trigger a manual failover for a WARP Connector Tunnel

**put** `/accounts/{account_id}/warp_connector/{tunnel_id}/failover`

Triggers a manual failover for a specific WARP Connector Tunnel, setting the specified client as the active connector. The tunnel must be configured for high availability (HA) and the client must be linked to the tunnel.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `tunnel_id: string` UUID of the tunnel.

### Body Parameters

- `client_id: string` UUID of the Cloudflare Tunnel connector.
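The failover preconditions stated above (the client must be linked to the tunnel, the tunnel must be configured for HA) and the `is_pending_reconnect` semantics can be checked on the client side from the connections responses before a failover is requested. The Python below is an added example, not Cloudflare's code; the payloads are constructed samples, and treating the `ha-origin` entry in `features` as the HA indicator is an assumption of this helper.

```python
"""Triage helpers for WARP Connector tunnel and connector responses.

Added example, not Cloudflare's code. It works on the response shapes
documented above (a tunnel's `connections[].is_pending_reconnect`, and the
`ha_status` of each connector from the connections endpoint). The payloads
below are constructed samples; IDs are placeholders.
"""
from __future__ import annotations

from typing import Any

# Constructed sample: a WARP Connector tunnel object with its tracked connections.
SAMPLE_TUNNEL: dict[str, Any] = {
    "id": "PLACEHOLDER-TUNNEL-UUID",
    "status": "degraded",
    "connections": [
        {"id": "c1", "client_id": "conn-a", "colo_name": "DFW", "is_pending_reconnect": False},
        {"id": "c2", "client_id": "conn-a", "colo_name": "ORD", "is_pending_reconnect": True},
        {"id": "c3", "client_id": "conn-b", "colo_name": "DFW", "is_pending_reconnect": False},
    ],
}

# Constructed sample: the `result` array of GET .../warp_connector/{tunnel_id}/connections.
SAMPLE_CONNECTORS: list[dict[str, Any]] = [
    {"id": "conn-a", "ha_status": "active", "features": ["ha-origin"],
     "conns": [{"id": "c1"}, {"id": "c2"}]},
    {"id": "conn-b", "ha_status": "passive", "features": ["ha-origin"],
     "conns": [{"id": "c3"}]},
    {"id": "conn-c", "ha_status": "offline", "features": [], "conns": []},
]


def check_envelope(resp: dict[str, Any]) -> Any:
    """Reject a response whose envelope reports failure; return `result` otherwise.

    Every endpoint on this page wraps its payload in {errors, messages, result,
    success}, so a client should gate on `success` before trusting `result`.
    """
    if resp.get("success") is not True:
        detail = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in resp.get("errors", []))
        raise RuntimeError(f"API call failed: {detail or 'no error detail'}")
    return resp.get("result")


def serving_connections(tunnel: dict[str, Any]) -> list[dict[str, Any]]:
    """Return only connections that are actively serving traffic.

    Per the field docs, `is_pending_reconnect: true` means the connection has
    disconnected but is still tracked for a few minutes; counting it as
    capacity would overstate the tunnel's health.
    """
    return [c for c in tunnel.get("connections", []) if c.get("is_pending_reconnect") is False]


def connector_ha_status(connectors: list[dict[str, Any]]) -> dict[str, str | None]:
    """Map connector id -> ha_status ("offline", "passive" or "active")."""
    return {c["id"]: c.get("ha_status") for c in connectors}


def failover_preflight(connectors: list[dict[str, Any]], client_id: str) -> tuple[bool, str]:
    """Check the documented preconditions of PUT .../failover before calling it.

    The docs require the client to be linked to the tunnel and the tunnel to be
    configured for HA. Linking is verified against the connectors list.
    Assumption (not stated in the docs): the "ha-origin" entry in `features`,
    as seen in the sample response, is taken as the HA indicator.
    Refusing an already-active or offline target is a conservative choice of
    this helper, not an API rule.
    """
    status = connector_ha_status(connectors)
    if client_id not in status:
        return False, f"{client_id} is not linked to this tunnel"
    target = next(c for c in connectors if c["id"] == client_id)
    if "ha-origin" not in target.get("features", []):
        return False, f"{client_id} does not advertise HA (assumed 'ha-origin' feature)"
    if status[client_id] == "active":
        return False, f"{client_id} is already the active connector"
    if status[client_id] == "offline":
        return False, f"{client_id} is offline; refusing to fail over to it"
    return True, f"{client_id} is {status[client_id]}; failover request is sensible"


if __name__ == "__main__":
    print("serving connections:", [c["id"] for c in serving_connections(SAMPLE_TUNNEL)])
    for cid in ("conn-a", "conn-b", "conn-c", "conn-x"):
        print(cid, failover_preflight(SAMPLE_CONNECTORS, cid))
```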
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: unknown`
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/warp_connector/$TUNNEL_ID/failover \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "client_id": "1bedc50d-42b3-473c-b108-ff3d10c0d925"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {},
  "success": true
}
```

## Domain Types

### Failover Update Response

- `FailoverUpdateResponse = unknown`

# Connectivity Settings

## Get Zero Trust Connectivity Settings

**get** `/accounts/{account_id}/zerotrust/connectivity_settings`

Gets the Zero Trust Connectivity Settings for the given account.

### Path Parameters

- `account_id: string` Cloudflare account ID

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: { icmp_proxy_enabled, offramp_warp_enabled }`
  - `icmp_proxy_enabled: optional boolean` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled: optional boolean` A flag to enable WARP to WARP traffic.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/connectivity_settings \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "icmp_proxy_enabled": true,
    "offramp_warp_enabled": true
  },
  "success": true
}
```

## Updates the Zero Trust Connectivity Settings

**patch** `/accounts/{account_id}/zerotrust/connectivity_settings`

Updates the Zero Trust Connectivity Settings for the given account.

### Path Parameters

- `account_id: string` Cloudflare account ID

### Body Parameters

- `icmp_proxy_enabled: optional boolean` A flag to enable the ICMP proxy for the account network.
- `offramp_warp_enabled: optional boolean` A flag to enable WARP to WARP traffic.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: { icmp_proxy_enabled, offramp_warp_enabled }`
  - `icmp_proxy_enabled: optional boolean` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled: optional boolean` A flag to enable WARP to WARP traffic.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/connectivity_settings \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "icmp_proxy_enabled": true,
    "offramp_warp_enabled": true
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "result": {
    "icmp_proxy_enabled": true,
    "offramp_warp_enabled": true
  },
  "success": true
}
```

## Domain Types

### Connectivity Setting Get Response

- `ConnectivitySettingGetResponse { icmp_proxy_enabled, offramp_warp_enabled }`
  - `icmp_proxy_enabled: optional boolean` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled: optional boolean` A flag to enable WARP to WARP traffic.

### Connectivity Setting Edit Response

- `ConnectivitySettingEditResponse { icmp_proxy_enabled, offramp_warp_enabled }`
  - `icmp_proxy_enabled: optional boolean` A flag to enable the ICMP proxy for the account network.
  - `offramp_warp_enabled: optional boolean` A flag to enable WARP to WARP traffic.

# DLP

# Datasets

## Fetch all datasets

**get** `/accounts/{account_id}/dlp/datasets`

Lists all DLP datasets configured for the account, including custom word lists and EDM datasets.
### Path Parameters

- `account_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional DatasetArray`
  - `id: string`
  - `columns: array of { entry_id, header_name, num_cells, upload_status }`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: array of { num_cells, status, version }`
    - `num_cells: number`
    - `status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `version: number`
  - `case_sensitive: optional boolean`
  - `description: optional string` The description of the dataset.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/datasets \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "columns": [
        {
          "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "header_name": "header_name",
          "num_cells": 0,
          "upload_status": "empty"
        }
      ],
      "created_at": "2019-12-27T18:11:19.117Z",
      "encoding_version": 0,
      "name": "name",
      "num_cells": 0,
      "secret": true,
      "status": "empty",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "uploads": [
        {
          "num_cells": 0,
          "status": "empty",
          "version": 0
        }
      ],
      "case_sensitive": true,
      "description": "description"
    }
  ]
}
```

## Fetch a specific dataset

**get** `/accounts/{account_id}/dlp/datasets/{dataset_id}`

Fetch a specific dataset

### Path Parameters

- `account_id: string`
- `dataset_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Dataset`
  - `id: string`
  - `columns: array of { entry_id, header_name, num_cells, upload_status }`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: array of { num_cells, status, version }`
    - `num_cells: number`
    - `status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `version: number`
  - `case_sensitive: optional boolean`
  - `description: optional string` The description of the dataset.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/datasets/$DATASET_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "columns": [
      {
        "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "header_name": "header_name",
        "num_cells": 0,
        "upload_status": "empty"
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "encoding_version": 0,
    "name": "name",
    "num_cells": 0,
    "secret": true,
    "status": "empty",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "uploads": [
      {
        "num_cells": 0,
        "status": "empty",
        "version": 0
      }
    ],
    "case_sensitive": true,
    "description": "description"
  }
}
```

## Create a new dataset

**post** `/accounts/{account_id}/dlp/datasets`

Creates a new DLP (Data Loss Prevention) dataset for storing custom detection patterns. Datasets can contain exact match data, word lists, or EDM (Exact Data Match) configurations.

### Path Parameters

- `account_id: string`

### Body Parameters

- `name: string`
- `case_sensitive: optional boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true or undefined.
- `description: optional string` The description of the dataset.
- `encoding_version: optional number` Dataset encoding version. Non-secret custom word lists with no header are always version 1. Secret EDM lists with no header are version 1. Multicolumn CSV with headers are version 2. Omitting this field provides the default value 0, which is interpreted the same as 1.
- `secret: optional boolean` Generate a secret dataset. If true, the response will include a secret to use with the EDM encoder. If false, the response has no secret and the dataset is uploaded in plaintext.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional DatasetCreation`
  - `dataset: Dataset`
    - `id: string`
    - `columns: array of { entry_id, header_name, num_cells, upload_status }`
      - `entry_id: string`
      - `header_name: string`
      - `num_cells: number`
      - `upload_status: "empty" or "uploading" or "pending" or 3 more`
        - `"empty"`
        - `"uploading"`
        - `"pending"`
        - `"processing"`
        - `"failed"`
        - `"complete"`
    - `created_at: string`
    - `encoding_version: number`
    - `name: string`
    - `num_cells: number`
    - `secret: boolean`
    - `status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
    - `uploads: array of { num_cells, status, version }`
      - `num_cells: number`
      - `status: "empty" or "uploading" or "pending" or 3 more`
        - `"empty"`
        - `"uploading"`
        - `"pending"`
        - `"processing"`
        - `"failed"`
        - `"complete"`
      - `version: number`
    - `case_sensitive: optional boolean`
    - `description: optional string` The description of the dataset.
  - `encoding_version: number` Encoding version to use for dataset.
  - `max_cells: number`
  - `version: number` The version to use when uploading the dataset.
  - `secret: optional string` The secret to use for Exact Data Match datasets. This is not present in Custom Wordlists.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/datasets \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "name"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "dataset": {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "columns": [
        {
          "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "header_name": "header_name",
          "num_cells": 0,
          "upload_status": "empty"
        }
      ],
      "created_at": "2019-12-27T18:11:19.117Z",
      "encoding_version": 0,
      "name": "name",
      "num_cells": 0,
      "secret": true,
      "status": "empty",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "uploads": [
        {
          "num_cells": 0,
          "status": "empty",
          "version": 0
        }
      ],
      "case_sensitive": true,
      "description": "description"
    },
    "encoding_version": 0,
    "max_cells": 0,
    "version": 0,
    "secret": "secret"
  }
}
```

## Update details about a dataset

**put** `/accounts/{account_id}/dlp/datasets/{dataset_id}`

Updates the configuration of an existing DLP dataset, such as its name, description, or detection settings.

### Path Parameters

- `account_id: string`
- `dataset_id: string`

### Body Parameters

- `case_sensitive: optional boolean` Determines if the words should be matched in a case-sensitive manner. Only required for custom word lists.
- `description: optional string` The description of the dataset.
- `name: optional string` The name of the dataset, must be unique.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Dataset`
  - `id: string`
  - `columns: array of { entry_id, header_name, num_cells, upload_status }`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: array of { num_cells, status, version }`
    - `num_cells: number`
    - `status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `version: number`
  - `case_sensitive: optional boolean`
  - `description: optional string` The description of the dataset.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/datasets/$DATASET_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{}'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "columns": [
      {
        "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "header_name": "header_name",
        "num_cells": 0,
        "upload_status": "empty"
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "encoding_version": 0,
    "name": "name",
    "num_cells": 0,
    "secret": true,
    "status": "empty",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "uploads": [
      {
        "num_cells": 0,
        "status": "empty",
        "version": 0
      }
    ],
    "case_sensitive": true,
    "description": "description"
  }
}
```

## Delete a dataset

**delete** `/accounts/{account_id}/dlp/datasets/{dataset_id}`

This deletes all versions of the dataset.
### Path Parameters

- `account_id: string`
- `dataset_id: string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/datasets/$DATASET_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

## Domain Types

### Dataset

- `Dataset { id, columns, created_at, 9 more }`
  - `id: string`
  - `columns: array of { entry_id, header_name, num_cells, upload_status }`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: array of { num_cells, status, version }`
    - `num_cells: number`
    - `status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `version: number`
  - `case_sensitive: optional boolean`
  - `description: optional string` The description of the dataset.
### Dataset Array

- `DatasetArray = array of Dataset`
  - `id: string`
  - `columns: array of { entry_id, header_name, num_cells, upload_status }`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: array of { num_cells, status, version }`
    - `num_cells: number`
    - `status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `version: number`
  - `case_sensitive: optional boolean`
  - `description: optional string` The description of the dataset.

### Dataset Creation

- `DatasetCreation { dataset, encoding_version, max_cells, 2 more }`
  - `dataset: Dataset`
    - `id: string`
    - `columns: array of { entry_id, header_name, num_cells, upload_status }`
      - `entry_id: string`
      - `header_name: string`
      - `num_cells: number`
      - `upload_status: "empty" or "uploading" or "pending" or 3 more`
        - `"empty"`
        - `"uploading"`
        - `"pending"`
        - `"processing"`
        - `"failed"`
        - `"complete"`
    - `created_at: string`
    - `encoding_version: number`
    - `name: string`
    - `num_cells: number`
    - `secret: boolean`
    - `status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
- `uploads: array of { num_cells, status, version }` - `num_cells: number` - `status: "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `version: number` - `case_sensitive: optional boolean` - `description: optional string` The description of the dataset. - `encoding_version: number` Encoding version to use for dataset. - `max_cells: number` - `version: number` The version to use when uploading the dataset. - `secret: optional string` The secret to use for Exact Data Match datasets. This is not present in Custom Wordlists. # Upload ## Prepare to upload a new version of a dataset **post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/upload` Creates a new version of a DLP dataset, allowing you to stage changes before activation. Used for single-column EDM and custom word lists. ### Path Parameters - `account_id: string` - `dataset_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
  - `true`
- `result: optional NewVersion`
  - `encoding_version: number`
  - `max_cells: number`
  - `version: number`
  - `case_sensitive: optional boolean`
  - `columns: optional array of { entry_id, header_name, num_cells, upload_status }`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `secret: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/datasets/$DATASET_ID/upload \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "encoding_version": 0,
    "max_cells": 0,
    "version": 0,
    "case_sensitive": true,
    "columns": [
      {
        "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "header_name": "header_name",
        "num_cells": 0,
        "upload_status": "empty"
      }
    ],
    "secret": "secret"
  }
}
```

## Upload a new version of a dataset

**post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/upload/{version}`

This is used for single-column EDMv1 and Custom Word Lists. The EDM format can only be created in the Cloudflare dashboard. For other clients, this operation can only be used for non-secret Custom Word Lists. The body must be a UTF-8 encoded, newline (LF or CRLF) separated list of words to be matched.

### Path Parameters

- `account_id: string`
- `dataset_id: string`
- `version: number`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Dataset`
  - `id: string`
  - `columns: array of { entry_id, header_name, num_cells, upload_status }`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `created_at: string`
  - `encoding_version: number`
  - `name: string`
  - `num_cells: number`
  - `secret: boolean`
  - `status: "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
  - `updated_at: string` Stores when the dataset was last updated. This includes name or description changes as well as uploads.
  - `uploads: array of { num_cells, status, version }`
    - `num_cells: number`
    - `status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `version: number`
  - `case_sensitive: optional boolean`
  - `description: optional string` The description of the dataset.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/datasets/$DATASET_ID/upload/$VERSION \
  -H 'Content-Type: application/octet-stream' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -F 'dataset=@/path/to/dataset'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "columns": [
      {
        "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "header_name": "header_name",
        "num_cells": 0,
        "upload_status": "empty"
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "encoding_version": 0,
    "name": "name",
    "num_cells": 0,
    "secret": true,
    "status": "empty",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "uploads": [
      {
        "num_cells": 0,
        "status": "empty",
        "version": 0
      }
    ],
    "case_sensitive": true,
    "description": "description"
  }
}
```

## Domain Types

### New Version

- `NewVersion { encoding_version, max_cells, version, 3 more }`
  - `encoding_version: number`
  - `max_cells: number`
  - `version: number`
  - `case_sensitive: optional boolean`
  - `columns: optional array of { entry_id, header_name, num_cells, upload_status }`
    - `entry_id: string`
    - `header_name: string`
    - `num_cells: number`
    - `upload_status: "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `secret: optional string`

# Versions

## Sets the column information for a multi-column upload

**post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}`

This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard. The columns in the response appear in the same order as in the request.
### Path Parameters

- `account_id: string`
- `dataset_id: string`
- `version: number`

### Body Parameters

- `body: array of { entry_id, header_name, num_cells } or { entry_name, header_name, num_cells }`
  - `ExistingColumn { entry_id, header_name, num_cells }`
    - `entry_id: string`
    - `header_name: optional string`
    - `num_cells: optional number`
  - `NewColumn { entry_name, header_name, num_cells }`
    - `entry_name: string`
    - `header_name: optional string`
    - `num_cells: optional number`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { entry_id, header_name, num_cells, upload_status }`
  - `entry_id: string`
  - `header_name: string`
  - `num_cells: number`
  - `upload_status: "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/datasets/$DATASET_ID/versions/$VERSION \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '[
    {
      "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "header_name": "header_name",
      "num_cells": 0
    }
  ]'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "header_name": "header_name",
      "num_cells": 0,
      "upload_status": "empty"
    }
  ]
}
```

## Domain Types

### Version Create Response

- `VersionCreateResponse { entry_id, header_name, num_cells, upload_status }`
  - `entry_id: string`
  - `header_name: string`
  - `num_cells: number`
  - `upload_status: "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`

# Entries

## Upload a new version of a multi-column dataset

**post** `/accounts/{account_id}/dlp/datasets/{dataset_id}/versions/{version}/entries/{entry_id}`

This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard.

### Path Parameters

- `account_id: string`
- `dataset_id: string`
- `version: number`
- `entry_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { entry_id, header_name, num_cells, upload_status }`
  - `entry_id: string`
  - `header_name: string`
  - `num_cells: number`
  - `upload_status: "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/datasets/$DATASET_ID/versions/$VERSION/entries/$ENTRY_ID \
  -H 'Content-Type: application/octet-stream' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -F 'dataset_version_entry=@/path/to/dataset_version_entry'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "header_name": "header_name",
    "num_cells": 0,
    "upload_status": "empty"
  }
}
```

## Domain Types

### Entry Create Response

- `EntryCreateResponse { entry_id, header_name, num_cells, upload_status }`
  - `entry_id: string`
  - `header_name: string`
  - `num_cells: number`
  - `upload_status: "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`

# Patterns

## Validate a DLP regex pattern

**post** `/accounts/{account_id}/dlp/patterns/validate`

Validates whether this pattern is a valid regular expression. Rejects it if the regular expression is too complex or can match an unbounded-length string. The regex will be rejected if it uses `*` or `+`. Bound the maximum number of characters that can be matched using a range, e.g. `{1,100}`.

### Path Parameters

- `account_id: string`

### Body Parameters

- `regex: string`
- `max_match_bytes: optional number` Maximum number of bytes that the regular expression can match.
  If this is `null`, there is no limit on the length and patterns can use `*` and `+`. Otherwise, repeats should use a range `{m,n}` to restrict the pattern to that length. If this field is missing, a default length limit is used. Note that the length is specified in bytes: since regular expressions use UTF-8, the pattern `.` can match up to 4 bytes, so `.{1,256}` has a maximum length of 1024 bytes.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { valid }`
  - `valid: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/patterns/validate \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "regex": "regex"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "valid": true
  }
}
```

## Domain Types

### Pattern Validate Response

- `PatternValidateResponse { valid }`
  - `valid: boolean`

# Payload Logs

## Get payload log settings

**get** `/accounts/{account_id}/dlp/payload_log`

Gets the current payload logging configuration for DLP, showing whether matched content is being logged.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { updated_at, masking_level, public_key }`
  - `updated_at: string`
  - `masking_level: optional "full" or "partial" or "clear" or "default"` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
    - `"full"`
    - `"partial"`
    - `"clear"`
    - `"default"`
  - `public_key: optional string` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/payload_log \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "updated_at": "2019-12-27T18:11:19.117Z",
    "masking_level": "full",
    "public_key": "public_key"
  }
}
```

## Set payload log settings

**put** `/accounts/{account_id}/dlp/payload_log`

Enables or disables payload logging for DLP matches. When enabled, matched content is stored for review.

### Path Parameters

- `account_id: string`

### Body Parameters

- `masking_level: optional "full" or "partial" or "clear" or "default"` Masking level for payload logs.
  - `full`: The entire payload is masked.
  - `partial`: Only partial payload content is masked.
  - `clear`: No masking is applied to the payload content.
  - `default`: DLP uses its default masking behavior.
  - `"full"`
  - `"partial"`
  - `"clear"`
  - `"default"`
- `public_key: optional string` Base64-encoded public key for encrypting payload logs.
  - Set to null or an empty string to disable payload logging.
  - Set to a non-empty base64 string to enable payload logging with the given key.

  For customers with the configurable payload masking feature rolled out:
  - If the field is missing, the existing setting will be kept. Note that this is different from setting it to null or an empty string.

  For all other customers:
  - If the field is missing, the existing setting will be cleared.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { updated_at, masking_level, public_key }`
  - `updated_at: string`
  - `masking_level: optional "full" or "partial" or "clear" or "default"` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
    - `"full"`
    - `"partial"`
    - `"clear"`
    - `"default"`
  - `public_key: optional string` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/payload_log \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{}'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "updated_at": "2019-12-27T18:11:19.117Z",
    "masking_level": "full",
    "public_key": "public_key"
  }
}
```

## Domain Types

### Payload Log Get Response

- `PayloadLogGetResponse { updated_at, masking_level, public_key }`
  - `updated_at: string`
  - `masking_level: optional "full" or "partial" or "clear" or "default"` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
    - `"full"`
    - `"partial"`
    - `"clear"`
    - `"default"`
  - `public_key: optional string` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.

### Payload Log Update Response

- `PayloadLogUpdateResponse { updated_at, masking_level, public_key }`
  - `updated_at: string`
  - `masking_level: optional "full" or "partial" or "clear" or "default"` Masking level for payload logs.
    - `full`: The entire payload is masked.
    - `partial`: Only partial payload content is masked.
    - `clear`: No masking is applied to the payload content.
    - `default`: DLP uses its default masking behavior.
    - `"full"`
    - `"partial"`
    - `"clear"`
    - `"default"`
  - `public_key: optional string` Base64-encoded public key for encrypting payload logs. Null when payload logging is disabled.
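Before a pattern is sent to `POST /accounts/{account_id}/dlp/patterns/validate` (the Patterns section above), a client can apply the same length rules locally so that `*`, `+` and open-ended `{m,}` repeats never reach the API and the `max_match_bytes` it sends is consistent with the pattern. The following is an added Python example, not Cloudflare's code; it assumes a regex subset (no flags, lookarounds or named groups) and counts every non-literal atom at the 4-byte UTF-8 maximum, the same reasoning that makes `.{1,256}` a 1024-byte pattern.

```python
"""Local pre-check for DLP regex patterns before POST .../dlp/patterns/validate.

Added example, not Cloudflare's code. It applies the documented rules: `*`,
`+` and open-ended `{m,}` are rejected, bounded repeats multiply the byte bound
of what they repeat, and length is counted in UTF-8 bytes (`.` = up to 4).
Supported subset (this example's assumption): literals, escapes, `.`, `[...]`,
`(...)`, `|`, `?`, `{n}`, `{m,n}`; non-literal atoms are counted at 4 bytes.
"""

MAX_UTF8 = 4  # longest UTF-8 encoding of one code point


class UnboundedPattern(ValueError):
    """The pattern can match an unbounded-length string."""


class _Parser:
    def __init__(self, pattern: str) -> None:
        self.s, self.i = pattern, 0

    def peek(self):
        return self.s[self.i] if self.i < len(self.s) else None

    def take(self) -> str:
        ch = self.peek()
        if ch is None:
            raise ValueError("unexpected end of pattern")
        self.i += 1
        return ch

    def alternation(self) -> int:  # a|b: the longest branch sets the bound
        best = self.concat()
        while self.peek() == "|":
            self.take()
            best = max(best, self.concat())
        return best

    def concat(self) -> int:  # ab: bounds of consecutive atoms add up
        total = 0
        while self.peek() not in (None, "|", ")"):
            total += self.quantified()
        return total

    def quantified(self) -> int:
        atom, ch = self.atom(), self.peek()
        if ch in ("*", "+"):
            raise UnboundedPattern(f"'{ch}' is unbounded; use a range like {{1,100}}")
        if ch == "?":
            self.take()
            return atom
        return atom * self.range_max() if ch == "{" else atom

    def range_max(self) -> int:  # {n} or {m,n}; {m,} has no upper bound
        end = self.s.find("}", self.i)
        if end < 0:
            raise ValueError("unterminated '{'")
        body, self.i = self.s[self.i + 1:end], end + 1
        lo, sep, hi = body.partition(",")
        if sep and not hi.strip():
            raise UnboundedPattern(f"'{{{body}}}' has no upper bound")
        return int(hi or lo)

    def atom(self) -> int:
        ch = self.take()
        if ch == "(":
            inner = self.alternation()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return inner
        if ch == "[":  # consume the class; a leading ']' (after optional '^') is literal
            for first in ("^", "]"):
                if self.peek() == first:
                    self.take()
            while (c := self.take()) != "]":
                if c == "\\":
                    self.take()
            return MAX_UTF8
        if ch == "\\":  # \d, \w, \s are Unicode classes; \. \- etc. are literals
            esc = self.take()
            return MAX_UTF8 if esc.isalpha() else len(esc.encode())
        if ch == ".":
            return MAX_UTF8
        if ch in "*+?{":
            raise ValueError(f"nothing to repeat before '{ch}'")
        return len(ch.encode())


def max_match_bytes(pattern: str) -> int:
    """Upper bound on the UTF-8 bytes a bounded pattern can match."""
    p = _Parser(pattern)
    n = p.alternation()
    if p.i != len(pattern):
        raise ValueError(f"unbalanced ')' at offset {p.i}")
    return n


def precheck(pattern: str, limit: int) -> tuple[bool, str]:
    """(ok, reason) for a pattern against the max_match_bytes you plan to send."""
    try:
        n = max_match_bytes(pattern)
    except ValueError as exc:  # UnboundedPattern is a ValueError too
        return False, str(exc)
    if n > limit:
        return False, f"may match up to {n} bytes, over the {limit}-byte limit"
    return True, f"bounded at {n} bytes"
```

The bound is deliberately pessimistic: an ASCII-only class such as `[0-9]` is counted at 4 bytes per repeat, so a pattern that passes here will never be longer than this estimate, but the service may accept a slightly larger `{m,n}` than the local check does.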
# Email

# Account Mapping

## Get mapping

**get** `/accounts/{account_id}/dlp/email/account_mapping`

Retrieves the email provider mapping configuration for DLP email scanning.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { addin_identifier_token, auth_requirements }`
  - `addin_identifier_token: string`
  - `auth_requirements: { allowed_microsoft_organizations, type } or { type }`
    - `{ allowed_microsoft_organizations, type }`
      - `allowed_microsoft_organizations: array of string`
      - `type: "Org"`
        - `"Org"`
    - `Type { type }`
      - `type: "NoAuth"`
        - `"NoAuth"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/email/account_mapping \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "addin_identifier_token": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "auth_requirements": {
      "allowed_microsoft_organizations": [
        "string"
      ],
      "type": "Org"
    }
  }
}
```

## Create mapping

**post** `/accounts/{account_id}/dlp/email/account_mapping`

Creates a mapping between a Cloudflare account and an email provider for DLP email scanning integration.

### Path Parameters

- `account_id: string`

### Body Parameters

- `auth_requirements: { allowed_microsoft_organizations, type } or { type }`
  - `{ allowed_microsoft_organizations, type }`
    - `allowed_microsoft_organizations: array of string`
    - `type: "Org"`
      - `"Org"`
  - `Type { type }`
    - `type: "NoAuth"`
      - `"NoAuth"`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { addin_identifier_token, auth_requirements }`
  - `addin_identifier_token: string`
  - `auth_requirements: { allowed_microsoft_organizations, type } or { type }`
    - `{ allowed_microsoft_organizations, type }`
      - `allowed_microsoft_organizations: array of string`
      - `type: "Org"`
        - `"Org"`
    - `Type { type }`
      - `type: "NoAuth"`
        - `"NoAuth"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/email/account_mapping \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "auth_requirements": {
      "allowed_microsoft_organizations": [
        "string"
      ],
      "type": "Org"
    }
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "addin_identifier_token": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "auth_requirements": {
      "allowed_microsoft_organizations": [
        "string"
      ],
      "type": "Org"
    }
  }
}
```

## Domain Types

### Account Mapping Get Response

- `AccountMappingGetResponse { addin_identifier_token, auth_requirements }`
  - `addin_identifier_token: string`
  - `auth_requirements: { allowed_microsoft_organizations, type } or { type }`
    - `{ allowed_microsoft_organizations, type }`
      - `allowed_microsoft_organizations: array of string`
      - `type: "Org"`
        - `"Org"`
    - `Type { type }`
      - `type: "NoAuth"`
        - `"NoAuth"`

### Account Mapping Create Response

- `AccountMappingCreateResponse { addin_identifier_token, auth_requirements }`
  - `addin_identifier_token: string`
  - `auth_requirements: { allowed_microsoft_organizations, type } or { type }`
    - `{ allowed_microsoft_organizations, type }`
      - `allowed_microsoft_organizations: array of string`
      - `type: "Org"`
        - `"Org"`
    - `Type { type }`
      - `type: "NoAuth"`
        - `"NoAuth"`

# Rules

## List all email scanner rules

**get** `/accounts/{account_id}/dlp/email/rules`

Lists all email scanner rules for an account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
    - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" or "Sender" or "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: array of string or string`
      - `array of string`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/email/rules \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "action": {
        "action": "Block",
        "message": "message"
      },
      "conditions": [
        {
          "operator": "InList",
          "selector": "Recipients",
          "value": [
            "string"
          ]
        }
      ],
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "priority": 0,
      "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "description": "description"
    }
  ]
}
```

## Get an email scanner rule

**get** `/accounts/{account_id}/dlp/email/rules/{rule_id}`

Gets detailed configuration for a specific DLP email scanning rule, including detection patterns and actions.

### Path Parameters

- `account_id: string`
- `rule_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
    - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" or "Sender" or "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: array of string or string`
      - `array of string`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/email/rules/$RULE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "action": {
      "action": "Block",
      "message": "message"
    },
    "conditions": [
      {
        "operator": "InList",
        "selector": "Recipients",
        "value": [
          "string"
        ]
      }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Create email scanner rule

**post** `/accounts/{account_id}/dlp/email/rules`

Creates a new DLP email scanning rule that defines what content patterns to detect in email messages and what actions to take.

### Path Parameters

- `account_id: string`

### Body Parameters

- `action: { action, message }`
  - `action: "Block"`
    - `"Block"`
  - `message: optional string`
- `conditions: array of { operator, selector, value }` Triggered if all conditions match.
  - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
    - `"InList"`
    - `"NotInList"`
    - `"MatchRegex"`
    - `"NotMatchRegex"`
  - `selector: "Recipients" or "Sender" or "DLPProfiles"`
    - `"Recipients"`
    - `"Sender"`
    - `"DLPProfiles"`
  - `value: array of string or string`
    - `array of string`
    - `string`
- `enabled: boolean`
- `name: string`
- `description: optional string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
- `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"` - `"InList"` - `"NotInList"` - `"MatchRegex"` - `"NotMatchRegex"` - `selector: "Recipients" or "Sender" or "DLPProfiles"` - `"Recipients"` - `"Sender"` - `"DLPProfiles"` - `value: array of string or string` - `array of string` - `string` - `created_at: string` - `enabled: boolean` - `name: string` - `priority: number` - `rule_id: string` - `updated_at: string` - `description: optional string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/email/rules \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "action": { "action": "Block" }, "conditions": [ { "operator": "InList", "selector": "Recipients", "value": [ "string" ] } ], "enabled": true, "name": "name" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "action": { "action": "Block", "message": "message" }, "conditions": [ { "operator": "InList", "selector": "Recipients", "value": [ "string" ] } ], "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "priority": 0, "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description" } } ``` ## Update email scanner rule **put** `/accounts/{account_id}/dlp/email/rules/{rule_id}` Update email scanner rule ### Path Parameters - `account_id: string` - `rule_id: string` ### Body Parameters - `action: { action, message }` - `action: "Block"` - `"Block"` - `message: optional string` - `conditions: array of { operator, selector, value }` Triggered if all conditions match. 
  - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
    - `"InList"`
    - `"NotInList"`
    - `"MatchRegex"`
    - `"NotMatchRegex"`
  - `selector: "Recipients" or "Sender" or "DLPProfiles"`
    - `"Recipients"`
    - `"Sender"`
    - `"DLPProfiles"`
  - `value: array of string or string`
    - `array of string`
    - `string`
- `enabled: boolean`
- `name: string`
- `description: optional string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
    - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" or "Sender" or "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: array of string or string`
      - `array of string`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/email/rules/$RULE_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "action": { "action": "Block" },
    "conditions": [ { "operator": "InList", "selector": "Recipients", "value": [ "string" ] } ],
    "enabled": true,
    "name": "name"
  }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "action": { "action": "Block", "message": "message" },
    "conditions": [
      { "operator": "InList", "selector": "Recipients", "value": [ "string" ] }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Delete email scanner rule

**delete** `/accounts/{account_id}/dlp/email/rules/{rule_id}`

Removes a DLP email scanning rule. The rule will no longer be applied to email messages.
### Path Parameters

- `account_id: string`
- `rule_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
    - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" or "Sender" or "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: array of string or string`
      - `array of string`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/email/rules/$RULE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "action": { "action": "Block", "message": "message" },
    "conditions": [
      { "operator": "InList", "selector": "Recipients", "value": [ "string" ] }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Update email scanner rule priorities

**patch** `/accounts/{account_id}/dlp/email/rules`

Reorders DLP email scanning rules by updating their priority values. Higher priority rules are evaluated first.

### Path Parameters

- `account_id: string`

### Body Parameters

- `new_priorities: map[number]`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
    - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" or "Sender" or "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: array of string or string`
      - `array of string`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/email/rules \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "new_priorities": { "foo": 0 } }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "action": { "action": "Block", "message": "message" },
    "conditions": [
      { "operator": "InList", "selector": "Recipients", "value": [ "string" ] }
    ],
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "priority": 0,
    "rule_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description"
  }
}
```

## Domain Types

### Rule List Response

- `RuleListResponse { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
    - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" or "Sender" or "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: array of string or string`
      - `array of string`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description: optional string`

### Rule Get Response

- `RuleGetResponse { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
    - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" or "Sender" or "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: array of string or string`
      - `array of string`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description: optional string`

### Rule Create Response

- `RuleCreateResponse { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
    - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" or "Sender" or "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: array of string or string`
      - `array of string`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description: optional string`

### Rule Update Response

- `RuleUpdateResponse { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
    - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" or "Sender" or "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: array of string or string`
      - `array of string`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description: optional string`

### Rule Delete Response

- `RuleDeleteResponse { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
    - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" or "Sender" or "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: array of string or string`
      - `array of string`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description: optional string`

### Rule Bulk Edit Response

- `RuleBulkEditResponse { action, conditions, created_at, 6 more }`
  - `action: { action, message }`
    - `action: "Block"`
      - `"Block"`
    - `message: optional string`
  - `conditions: array of { operator, selector, value }` Triggered if all conditions match.
    - `operator: "InList" or "NotInList" or "MatchRegex" or "NotMatchRegex"`
      - `"InList"`
      - `"NotInList"`
      - `"MatchRegex"`
      - `"NotMatchRegex"`
    - `selector: "Recipients" or "Sender" or "DLPProfiles"`
      - `"Recipients"`
      - `"Sender"`
      - `"DLPProfiles"`
    - `value: array of string or string`
      - `array of string`
      - `string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `priority: number`
  - `rule_id: string`
  - `updated_at: string`
  - `description: optional string`

# Profiles

## List all profiles

**get** `/accounts/{account_id}/dlp/profiles`

Lists all DLP profiles in an account.

### Path Parameters

- `account_id: string`

### Query Parameters

- `all: optional boolean` Return all profiles, including those that the current account does not have access to.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of Profile`
  - `CustomProfile { id, allowed_match_count, created_at, 13 more }`
    - `id: string` The id of the profile (uuid).
    - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: string` When the profile was created.
    - `name: string` The name of the profile.
    - `ocr_enabled: boolean`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string` When the profile was last updated.
    - `ai_context_enabled: optional boolean`
    - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: boolean` If the content type is a file, skip context analysis and return all matches.
    - `data_classes: optional array of string` Data classes associated with this profile.
    - `data_tags: optional array of string` Data tags associated with this profile.
    - `description: optional string` The description of the profile.
    - `entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
          - `regex: string`
          - `validation: optional "luhn"`
            - `"luhn"`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists.
          Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `sensitivity_levels: optional array of { group_id, level_id }` Sensitivity levels associated with this profile.
      - `group_id: string`
      - `level_id: string`
    - `shared_entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
  - `PredefinedProfile { id, allowed_match_count, entries, 7 more }`
    - `id: string` The id of the predefined profile (uuid).
    - `allowed_match_count: number`
    - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists.
          Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `name: string` The name of the predefined profile.
    - `type: "predefined"`
      - `"predefined"`
    - `ai_context_enabled: optional boolean`
    - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled: optional boolean`
    - `open_access: optional boolean` Whether this profile can be accessed by anyone.
  - `IntegrationProfile { id, created_at, entries, 5 more }`
    - `id: string`
    - `created_at: string`
    - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `name: string`
    - `shared_entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `description: optional string` The description of the profile.
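The profile object above and the email scanner rules earlier on this page fit together: a rule's `DLPProfiles` condition refers to profile IDs, a profile triggers when its match count exceeds `allowed_match_count`, and a rule fires only when all of its conditions match, in priority order. The following Python is an added example, not Cloudflare's code, that models those semantics offline so a rule set can be checked before it is pushed; the message dict shape, the "any value of a list selector matches" rule and the larger-number-first priority order are assumptions, and the IDs are constructed placeholders.

```python
"""Offline model of the DLP email rule and profile semantics documented on this page.
Added example, not Cloudflare's code: it mirrors the API objects above (profile entries with
pattern.regex / "luhn" validation, allowed_match_count; rules whose conditions must all match)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, the only `pattern.validation` value the page documents."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

@dataclass
class Entry:                            # CustomEntry: pattern.regex + pattern.validation
    regex: str
    validation: Optional[str] = None

@dataclass
class Profile:                          # CustomProfile, reduced to the fields used here
    id: str
    allowed_match_count: int
    entries: List[Entry]

def profile_triggers(profile: Profile, text: str) -> bool:
    """Per the page, policies trigger when the match count EXCEEDS allowed_match_count."""
    count = 0
    for entry in profile.entries:
        for m in re.finditer(entry.regex, text):
            # A "luhn" entry only counts matches whose digits pass the checksum.
            if entry.validation == "luhn" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            count += 1
    return count > profile.allowed_match_count

@dataclass
class Condition:                        # operator / selector / value as documented
    operator: str                       # InList | NotInList | MatchRegex | NotMatchRegex
    selector: str                       # Recipients | Sender | DLPProfiles
    value: Union[str, List[str]]        # "array of string or string"

@dataclass
class Rule:                             # action is always "Block" on this page, so omitted
    rule_id: str
    priority: int
    conditions: List[Condition]
    enabled: bool = True

def selector_values(selector: str, msg: Dict, triggered: Set[str]) -> List[str]:
    """Values a condition is checked against; the message dict shape is assumed."""
    if selector == "Recipients":
        return list(msg["recipients"])
    if selector == "Sender":
        return [msg["sender"]]
    if selector == "DLPProfiles":       # IDs of profiles that triggered on the body
        return sorted(triggered)
    raise ValueError(f"unknown selector {selector!r}")

def condition_matches(cond: Condition, values: List[str]) -> bool:
    """Assumption: a list-valued selector matches when ANY of its values matches."""
    wanted = cond.value if isinstance(cond.value, list) else [cond.value]
    if cond.operator in ("InList", "NotInList"):
        hit = any(v in wanted for v in values)
    elif cond.operator in ("MatchRegex", "NotMatchRegex"):
        hit = any(re.search(p, v) for p in wanted for v in values)
    else:
        raise ValueError(f"unknown operator {cond.operator!r}")
    return not hit if cond.operator.startswith("Not") else hit

def evaluate(rules: List[Rule], profiles: List[Profile], msg: Dict) -> Optional[Rule]:
    """First enabled rule whose conditions all match.  Assumption: a larger `priority`
    number is evaluated first ("higher priority rules are evaluated first")."""
    triggered = {p.id for p in profiles if profile_triggers(p, msg["body"])}
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        vals = lambda c: selector_values(c.selector, msg, triggered)
        if rule.enabled and all(condition_matches(c, vals(c)) for c in rule.conditions):
            return rule
    return None

# Constructed sample data; IDs are placeholders, not values from the page.
PAN_PROFILE = Profile("profile-pan", allowed_match_count=0,
                      entries=[Entry(r"\b\d{16}\b", validation="luhn")])
RULES = [
    Rule("rule-any-pan", priority=1,
         conditions=[Condition("InList", "DLPProfiles", ["profile-pan"])]),
    Rule("rule-external-pan", priority=10,
         conditions=[Condition("InList", "DLPProfiles", "profile-pan"),
                     Condition("NotMatchRegex", "Recipients", r"@example\.com$")]),
]
SAMPLE_MESSAGE = {
    "sender": "bob@example.com",
    "recipients": ["partner@example.net"],
    # 4111111111111111 passes Luhn, 1234567890123456 does not: only one match counts.
    "body": "card 4111111111111111 and ref 1234567890123456",
}
```

`evaluate(RULES, [PAN_PROFILE], SAMPLE_MESSAGE)` returns the `rule-external-pan` rule; with an internal recipient only `rule-any-pan` matches, and with no valid card number in the body no rule matches.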
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/profiles \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "allowed_match_count": 5,
      "created_at": "2019-12-27T18:11:19.117Z",
      "name": "name",
      "ocr_enabled": true,
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "ai_context_enabled": true,
      "confidence_threshold": "low",
      "context_awareness": { "enabled": true, "skip": { "files": true } },
      "data_classes": [ "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" ],
      "data_tags": [ "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" ],
      "description": "description",
      "entries": [
        {
          "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "created_at": "2019-12-27T18:11:19.117Z",
          "enabled": true,
          "name": "name",
          "pattern": { "regex": "regex", "validation": "luhn" },
          "type": "custom",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "description": "description",
          "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
        }
      ],
      "sensitivity_levels": [
        { "group_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "level_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" }
      ],
      "shared_entries": [
        {
          "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
          "created_at": "2019-12-27T18:11:19.117Z",
          "enabled": true,
          "name": "name",
          "pattern": { "regex": "regex", "validation": "luhn" },
          "type": "custom",
          "updated_at": "2019-12-27T18:11:19.117Z",
          "description": "description",
          "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
        }
      ]
    }
  ]
}
```

## Get DLP Profile

**get** `/accounts/{account_id}/dlp/profiles/{profile_id}`

Fetches a DLP profile by ID.
### Path Parameters

- `account_id: string`
- `profile_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Profile`
  - `CustomProfile { id, allowed_match_count, created_at, 13 more }`
    - `id: string` The id of the profile (uuid).
    - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: string` When the profile was created.
    - `name: string` The name of the profile.
    - `ocr_enabled: boolean`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string` When the profile was last updated.
    - `ai_context_enabled: optional boolean`
    - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: boolean` If the content type is a file, skip context analysis and return all matches.
    - `data_classes: optional array of string` Data classes associated with this profile.
    - `data_tags: optional array of string` Data tags associated with this profile.
    - `description: optional string` The description of the profile.
    - `entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
          - `regex: string`
          - `validation: optional "luhn"`
            - `"luhn"`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists.
          Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `sensitivity_levels: optional array of { group_id, level_id }` Sensitivity levels associated with this profile.
      - `group_id: string`
      - `level_id: string`
    - `shared_entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `IntegrationEntry { id, created_at, enabled, 4 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `ExactDataEntry { id, case_sensitive, created_at, 5 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `PredefinedProfile { id, allowed_match_count, entries, 7 more }` - `id: string` The id of the predefined profile (uuid). 
- `allowed_match_count: number` - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more` - `CustomEntry { id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `PredefinedEntry { id, confidence, enabled, 4 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `IntegrationEntry { id, created_at, enabled, 4 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `ExactDataEntry { id, case_sensitive, created_at, 5 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `name: string` The name of the predefined profile. - `type: "predefined"` - `"predefined"` - `ai_context_enabled: optional boolean` - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"` - `"low"` - `"medium"` - `"high"` - `"very_high"` - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `ocr_enabled: optional boolean` - `open_access: optional boolean` Whether this profile can be accessed by anyone. - `IntegrationProfile { id, created_at, entries, 5 more }` - `id: string` - `created_at: string` - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more` - `CustomEntry { id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `PredefinedEntry { id, confidence, enabled, 4 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. 
- `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `IntegrationEntry { id, created_at, enabled, 4 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `ExactDataEntry { id, case_sensitive, created_at, 5 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `name: string` - `shared_entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more` - `CustomEntry { id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `PredefinedEntry { id, confidence, enabled, 4 
more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `IntegrationEntry { id, created_at, enabled, 4 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `ExactDataEntry { id, case_sensitive, created_at, 5 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `type: "integration"` - `"integration"` - `updated_at: string` - `description: optional string` The description of the profile. 
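Two things in the schema above are rules rather than types: `ExactDataEntry.case_sensitive` cannot be false when `secret` is true, and a profile fires its policies when matches exceed `allowed_match_count`, with `pattern.validation: "luhn"` filtering what counts as a match. The following is an added example, not Cloudflare's code: a Python pre-check over a fetched profile object that assumes `"luhn"` means a Luhn checksum over the matched digits, that only custom regex entries can be evaluated offline, and that uses a constructed sample profile and sample text.

```python
"""Offline pre-check for a DLP profile object as returned by
GET /accounts/{account_id}/dlp/profiles/{profile_id}.

Added example, not Cloudflare's code. Assumptions, labelled here:
  * "luhn" validation keeps only regex matches whose digits pass the Luhn
    checksum (the page names the option, not the algorithm);
  * a profile triggers when the match count exceeds allowed_match_count;
  * only enabled custom (regex) entries can be evaluated offline; the other
    entry types carry no matchable data in the response and are skipped.
"""
import re

# Constructed sample shaped like the "result" object of the page's example
# response. Ids are placeholders, not real profile or entry ids.
SAMPLE_PROFILE = {
    "id": "00000000-0000-0000-0000-000000000001",
    "type": "custom",
    "name": "payment-cards",
    "allowed_match_count": 1,
    "ocr_enabled": False,
    "created_at": "2019-12-27T18:11:19.117Z",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "entries": [
        {"id": "e1", "type": "custom", "enabled": True, "name": "card",
         "pattern": {"regex": r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b",
                     "validation": "luhn"}},
        {"id": "e2", "type": "custom", "enabled": False, "name": "invoice-word",
         "pattern": {"regex": r"Invoice"}},
        {"id": "e3", "type": "custom", "enabled": True, "name": "broken",
         "pattern": {"regex": r"(unclosed"}},
        {"id": "e4", "type": "exact_data", "enabled": True, "name": "api-keys",
         "secret": True, "case_sensitive": False},
    ],
}

# Constructed text to scan: the first two card numbers pass Luhn, the third
# matches the regex but fails the checksum, and "1234" never matches.
SAMPLE_TEXT = ("Invoice 77: card 4111 1111 1111 1111 on file, backup "
               "5500 0000 0000 0004, mistyped ref 4111 1111 1111 1112, ticket 1234.")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits in candidate; separators are ignored."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # every second digit from the right doubles
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_profile(profile: dict) -> list:
    """Problems to fix before relying on the profile: custom regexes that do
    not compile, and the documented exact_data constraint that case_sensitive
    cannot be false if secret is true."""
    problems = []
    for entry in profile.get("entries", []):
        name = entry.get("name", entry.get("id"))
        if entry.get("type") == "custom":
            try:
                re.compile(entry["pattern"]["regex"])
            except re.error as exc:
                problems.append(f"{name}: regex does not compile ({exc})")
        elif entry.get("type") == "exact_data":
            if entry.get("secret") and not entry.get("case_sensitive", True):
                problems.append(f"{name}: case_sensitive is false but secret is true")
    return problems


def scan(profile: dict, text: str) -> dict:
    """Run the enabled custom entries over text. Returns {entry name: matches
    that survived validation} plus "_skipped": enabled entries that cannot be
    evaluated offline (non-custom types, or a regex that does not compile)."""
    hits, skipped = {}, []
    for entry in profile.get("entries", []):
        if not entry.get("enabled"):
            continue                                # disabled entries never count
        name = entry.get("name", entry.get("id"))
        if entry.get("type") != "custom":
            skipped.append(name)
            continue
        try:
            pattern = re.compile(entry["pattern"]["regex"])
        except re.error:
            skipped.append(name)
            continue
        matches = [m.group(0) for m in pattern.finditer(text)]
        if entry["pattern"].get("validation") == "luhn":
            matches = [m for m in matches if luhn_ok(m)]
        if matches:
            hits[name] = matches
    hits["_skipped"] = skipped
    return hits


def would_trigger(profile: dict, text: str) -> bool:
    """Policies tied to the profile fire once matches exceed allowed_match_count."""
    hits = scan(profile, text)
    count = sum(len(v) for k, v in hits.items() if k != "_skipped")
    return count > profile["allowed_match_count"]
```

Run `validate_profile(result)` on the `result` object of the response before wiring the profile into a policy; `scan` and `would_trigger` show which enabled entries can be exercised offline and which (exact data, word lists, predefined, integration, fingerprints) only Cloudflare's engine can evaluate.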
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/profiles/$PROFILE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      {
        "group_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "level_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Domain Types

### Context Awareness

- `ContextAwareness { enabled, skip }` Scan the context of predefined entries to only return matches surrounded by keywords.
  - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
  - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
    - `files: boolean` If the content type is a file, skip context analysis and return all matches.

### Profile

- `Profile = { id, allowed_match_count, created_at, 13 more } or { id, allowed_match_count, entries, 7 more } or { id, created_at, entries, 5 more }`
  - `CustomProfile { id, allowed_match_count, created_at, 13 more }`
    - `id: string` The id of the profile (uuid).
    - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: string` When the profile was created.
    - `name: string` The name of the profile.
    - `ocr_enabled: boolean`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string` When the profile was last updated.
    - `ai_context_enabled: optional boolean`
    - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: boolean` If the content type is a file, skip context analysis and return all matches.
    - `data_classes: optional array of string` Data classes associated with this profile.
    - `data_tags: optional array of string` Data tags associated with this profile.
    - `description: optional string` The description of the profile.
    - `entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
          - `regex: string`
          - `validation: optional "luhn"`
            - `"luhn"`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `sensitivity_levels: optional array of { group_id, level_id }` Sensitivity levels associated with this profile.
      - `group_id: string`
      - `level_id: string`
    - `shared_entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
  - `PredefinedProfile { id, allowed_match_count, entries, 7 more }`
    - `id: string` The id of the predefined profile (uuid).
    - `allowed_match_count: number`
    - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `name: string` The name of the predefined profile.
    - `type: "predefined"`
      - `"predefined"`
    - `ai_context_enabled: optional boolean`
    - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled: optional boolean`
    - `open_access: optional boolean` Whether this profile can be accessed by anyone.
  - `IntegrationProfile { id, created_at, entries, 5 more }`
    - `id: string`
    - `created_at: string`
    - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `name: string`
    - `shared_entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `description: optional string` The description of the profile.

### Skip Configuration

- `SkipConfiguration { files }` Content types to exclude from context analysis and return all matches.
  - `files: boolean` If the content type is a file, skip context analysis and return all matches.

# Custom

## Get custom profile

**get** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}`

Fetches a custom DLP profile by id.

### Path Parameters

- `account_id: string`
- `profile_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Profile`
  - `CustomProfile { id, allowed_match_count, created_at, 13 more }`
    - `id: string` The id of the profile (uuid).
    - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: string` When the profile was created.
    - `name: string` The name of the profile.
    - `ocr_enabled: boolean`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string` When the profile was last updated.
    - `ai_context_enabled: optional boolean`
    - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: boolean` If the content type is a file, skip context analysis and return all matches.
    - `data_classes: optional array of string` Data classes associated with this profile.
    - `data_tags: optional array of string` Data tags associated with this profile.
    - `description: optional string` The description of the profile.
    - `entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
          - `regex: string`
          - `validation: optional "luhn"`
            - `"luhn"`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `sensitivity_levels: optional array of { group_id, level_id }` Sensitivity levels associated with this profile.
      - `group_id: string`
      - `level_id: string`
    - `shared_entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
  - `PredefinedProfile { id, allowed_match_count, entries, 7 more }`
    - `id: string` The id of the predefined profile (uuid).
    - `allowed_match_count: number`
    - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `name: string` The name of the predefined profile.
    - `type: "predefined"`
      - `"predefined"`
    - `ai_context_enabled: optional boolean`
    - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled: optional boolean`
    - `open_access: optional boolean` Whether this profile can be accessed by anyone.
  - `IntegrationProfile { id, created_at, entries, 5 more }`
    - `id: string`
    - `created_at: string`
    - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `name: string`
    - `shared_entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4
more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `IntegrationEntry { id, created_at, enabled, 4 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `ExactDataEntry { id, case_sensitive, created_at, 5 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `type: "integration"` - `"integration"` - `updated_at: string` - `description: optional string` The description of the profile. 
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/profiles/custom/$PROFILE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      {
        "group_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "level_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Create custom profile

**post** `/accounts/{account_id}/dlp/profiles/custom`

Creates a DLP custom profile.
### Path Parameters

- `account_id: string`

### Body Parameters

- `name: string`
- `ai_context_enabled: optional boolean`
- `allowed_match_count: optional number` Related DLP policies will trigger when the match count exceeds the number set.
- `confidence_threshold: optional string`
- `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
  - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
  - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
    - `files: boolean` If the content type is a file, skip context analysis and return all matches.
- `data_classes: optional array of string` Data class IDs to associate with the profile.
- `data_tags: optional array of string` Data tag IDs to associate with the profile.
- `description: optional string` The description of the profile.
- `entries: optional array of { enabled, name, pattern, description } or { enabled, name, words }`
  - `DLPNewCustomEntry { enabled, name, pattern, description }`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation: optional "luhn"`
        - `"luhn"`
    - `description: optional string`
  - `DLPNewWordListEntry { enabled, name, words }`
    - `enabled: boolean`
    - `name: string`
    - `words: array of string`
- `ocr_enabled: optional boolean`
- `sensitivity_levels: optional array of { group_id, level_id }` Sensitivity levels to associate with the profile.
  - `group_id: string`
  - `level_id: string`
- `shared_entries: optional array of { enabled, entry_id }` Entries from other profiles (e.g. pre-defined Cloudflare profiles, or your Microsoft Information Protection profiles).
  - `enabled: boolean`
  - `entry_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Profile`
  - `CustomProfile { id, allowed_match_count, created_at, 13 more }`
    - `id: string` The id of the profile (uuid).
    - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: string` When the profile was created.
    - `name: string` The name of the profile.
    - `ocr_enabled: boolean`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string` When the profile was last updated.
    - `ai_context_enabled: optional boolean`
    - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: boolean` If the content type is a file, skip context analysis and return all matches.
    - `data_classes: optional array of string` Data classes associated with this profile.
    - `data_tags: optional array of string` Data tags associated with this profile.
    - `description: optional string` The description of the profile.
    - `entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
          - `regex: string`
          - `validation: optional "luhn"`
            - `"luhn"`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `sensitivity_levels: optional array of { group_id, level_id }` Sensitivity levels associated with this profile.
      - `group_id: string`
      - `level_id: string`
    - `shared_entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
  - `PredefinedProfile { id, allowed_match_count, entries, 7 more }`
    - `id: string` The id of the predefined profile (uuid).
    - `allowed_match_count: number`
    - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `name: string` The name of the predefined profile.
    - `type: "predefined"`
      - `"predefined"`
    - `ai_context_enabled: optional boolean`
    - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `ocr_enabled: optional boolean`
    - `open_access: optional boolean` Whether this profile can be accessed by anyone.
  - `IntegrationProfile { id, created_at, entries, 5 more }`
    - `id: string`
    - `created_at: string`
    - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `name: string`
    - `shared_entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `description: optional string` The description of the profile.
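Before the page's own curl call, an added Python example (not Cloudflare's code or client library) that assembles a Create custom profile body from the Body Parameters above and runs client-side checks before anything is sent. The Luhn check and `would_trigger` are this example's own local approximation of what `pattern.validation: "luhn"` and `allowed_match_count` mean for a policy, not an API call; the sample text, card numbers and `entry-id-placeholder` are constructed.

```python
"""Added example (not Cloudflare's code): build and sanity-check the body for
POST /accounts/{account_id}/dlp/profiles/custom, then show locally what two
documented fields mean: `pattern.validation: "luhn"` keeps only regex hits that
pass the Luhn checksum, and a policy triggers only once the match count
*exceeds* `allowed_match_count`. The checksum/trigger logic approximates the
service and is not an API call; sample text and card numbers are constructed."""
from __future__ import annotations
import re

CONFIDENCE_THRESHOLDS = ("low", "medium", "high", "very_high")

def luhn_ok(digits: str) -> bool:
    """True if a digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def custom_entry(name: str, regex: str, *, luhn: bool = False,
                 description: str | None = None, enabled: bool = True) -> dict:
    """DLPNewCustomEntry: a regex pattern, optionally Luhn-validated."""
    pattern = {"regex": regex}
    if luhn:
        pattern["validation"] = "luhn"
    entry = {"enabled": enabled, "name": name, "pattern": pattern}
    if description is not None:
        entry["description"] = description
    return entry

def word_list_entry(name: str, words: list[str], *, enabled: bool = True) -> dict:
    """DLPNewWordListEntry: literal terms instead of a regex."""
    return {"enabled": enabled, "name": name, "words": list(words)}

def build_create_body(name: str, allowed_match_count: int, entries: list[dict], *,
                      shared_entry_ids: tuple[str, ...] = (), skip_files: bool = True) -> dict:
    """Assemble the Create custom profile body with context awareness enabled."""
    body = {
        "name": name,
        "allowed_match_count": allowed_match_count,
        # Only return predefined-entry hits surrounded by keywords, except inside files.
        "context_awareness": {"enabled": True, "skip": {"files": skip_files}},
        "entries": list(entries),
    }
    if shared_entry_ids:  # entries borrowed from predefined or integration profiles
        body["shared_entries"] = [{"enabled": True, "entry_id": e} for e in shared_entry_ids]
    return body

def validate_body(body: dict) -> list[str]:
    """Client-side checks against the documented schema; returns a list of problems."""
    problems = []
    if not isinstance(body.get("name"), str) or not body["name"]:
        problems.append("name: required non-empty string")
    amc = body.get("allowed_match_count")
    if amc is not None and (isinstance(amc, bool) or not isinstance(amc, int) or amc < 0):
        problems.append("allowed_match_count: must be a non-negative integer")
    ct = body.get("confidence_threshold")
    if ct is not None and ct not in CONFIDENCE_THRESHOLDS:
        problems.append(f"confidence_threshold: {ct!r} not one of {CONFIDENCE_THRESHOLDS}")
    for n, e in enumerate(body.get("entries", [])):
        if "pattern" in e:
            try:
                re.compile(e["pattern"]["regex"])
            except (KeyError, re.error) as exc:
                problems.append(f"entries[{n}]: bad regex ({exc})")
            if e["pattern"].get("validation") not in (None, "luhn"):
                problems.append(f'entries[{n}]: validation must be "luhn" when present')
        elif "words" in e:
            if not e["words"] or not all(isinstance(w, str) for w in e["words"]):
                problems.append(f"entries[{n}]: words must be a non-empty list of strings")
        else:
            problems.append(f"entries[{n}]: needs either pattern or words")
    return problems

def count_matches(entry: dict, text: str) -> int:
    """Hits for one entry; with Luhn validation only checksum-valid hits count."""
    if "words" in entry:
        return sum(text.count(w) for w in entry["words"])
    hits = [m.group(0) for m in re.finditer(entry["pattern"]["regex"], text)]
    if entry["pattern"].get("validation") == "luhn":
        hits = [h for h in hits if luhn_ok(re.sub(r"\D", "", h))]
    return len(hits)

def would_trigger(body: dict, text: str) -> bool:
    """A policy using this profile fires when matches exceed allowed_match_count."""
    total = sum(count_matches(e, text) for e in body["entries"] if e.get("enabled", True))
    return total > body.get("allowed_match_count", 0)

# Constructed sample: two Luhn-valid industry test PANs and one digit-flipped invalid one.
SAMPLE_TEXT = ("invoice: card 4111111111111111 charged; retry with 4111111111111112 "
               "failed; fallback 5500000000000004 approved")
PAN_ENTRY = custom_entry("Payment card number", r"\b\d{16}\b", luhn=True,
                         description="16-digit PAN with Luhn checksum")

if __name__ == "__main__":
    body = build_create_body("Payment cards", 1, [PAN_ENTRY])
    print(validate_body(body) or "body OK")
    print(count_matches(PAN_ENTRY, SAMPLE_TEXT), "Luhn-valid PANs;",
          "would trigger" if would_trigger(body, SAMPLE_TEXT) else "below threshold")
```

The same entry and body shapes apply to the Update call below, except that update entries carry an `entry_id` and an omitted `entries` field leaves the profile's existing entries unchanged.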
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/profiles/custom \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "name",
    "allowed_match_count": 5
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      {
        "group_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "level_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Update custom profile

**put** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}`

Updates a DLP custom profile.
### Path Parameters

- `account_id: string`
- `profile_id: string`

### Body Parameters

- `name: string`
- `ai_context_enabled: optional boolean`
- `allowed_match_count: optional number`
- `confidence_threshold: optional string`
- `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
  - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
  - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
    - `files: boolean` If the content type is a file, skip context analysis and return all matches.
- `data_classes: optional array of string` Data class IDs to associate with the profile. If omitted, existing associations are unchanged.
- `data_tags: optional array of string` Data tag IDs to associate with the profile. If omitted, existing associations are unchanged.
- `description: optional string` The description of the profile.
- `entries: optional array of { enabled, entry_id, name, 2 more } or { enabled, name, pattern, description }` Custom entries from this profile. If this field is omitted, entries owned by this profile will not be changed.
  - `DLPNewCustomEntryWithID { enabled, entry_id, name, 2 more }`
    - `enabled: boolean`
    - `entry_id: string`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation: optional "luhn"`
        - `"luhn"`
    - `description: optional string`
  - `DLPNewCustomEntry { enabled, name, pattern, description }`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
    - `description: optional string`
- `ocr_enabled: optional boolean`
- `sensitivity_levels: optional array of { group_id, level_id }` Sensitivity levels to associate with the profile. If omitted, existing associations are unchanged.
  - `group_id: string`
  - `level_id: string`
- `shared_entries: optional array of { enabled, entry_id }` Other entries, e.g. predefined or integration.
  - `enabled: boolean`
  - `entry_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Profile`
  - `CustomProfile { id, allowed_match_count, created_at, 13 more }`
    - `id: string` The id of the profile (uuid).
    - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set.
    - `created_at: string` When the profile was created.
    - `name: string` The name of the profile.
    - `ocr_enabled: boolean`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string` When the profile was last updated.
    - `ai_context_enabled: optional boolean`
    - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"`
      - `"low"`
      - `"medium"`
      - `"high"`
      - `"very_high"`
    - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
      - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
      - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
        - `files: boolean` If the content type is a file, skip context analysis and return all matches.
    - `data_classes: optional array of string` Data classes associated with this profile.
    - `data_tags: optional array of string` Data tags associated with this profile.
    - `description: optional string` The description of the profile.
    - `entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
          - `regex: string`
          - `validation: optional "luhn"`
            - `"luhn"`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
    - `sensitivity_levels: optional array of { group_id, level_id }` Sensitivity levels associated with this profile.
      - `group_id: string`
      - `level_id: string`
    - `shared_entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `secret: boolean`
        - `type: "exact_data"`
          - `"exact_data"`
        - `updated_at: string`
      - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "document_fingerprint"`
          - `"document_fingerprint"`
        - `updated_at: string`
      - `WordListEntry { id, created_at, enabled, 5 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "word_list"`
          - `"word_list"`
        - `updated_at: string`
        - `word_list: unknown`
        - `profile_id: optional string`
  - `PredefinedProfile { id, allowed_match_count, entries, 7 more }`
    - `id: string` The id of the predefined profile (uuid).
    - `allowed_match_count: number`
    - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
      - `CustomEntry { id, created_at, enabled, 6 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `pattern: Pattern`
        - `type: "custom"`
          - `"custom"`
        - `updated_at: string`
        - `description: optional string`
        - `profile_id: optional string`
      - `PredefinedEntry { id, confidence, enabled, 4 more }`
        - `id: string`
        - `confidence: { ai_context_available, available }`
          - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
          - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
        - `enabled: boolean`
        - `name: string`
        - `type: "predefined"`
          - `"predefined"`
        - `profile_id: optional string`
        - `variant: optional { topic_type, type, description }`
          - `topic_type: "Intent" or "Content"`
            - `"Intent"`
            - `"Content"`
          - `type: "PromptTopic"`
            - `"PromptTopic"`
          - `description: optional string`
      - `IntegrationEntry { id, created_at, enabled, 4 more }`
        - `id: string`
        - `created_at: string`
        - `enabled: boolean`
        - `name: string`
        - `type: "integration"`
          - `"integration"`
        - `updated_at: string`
        - `profile_id: optional string`
      - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
        - `id: string`
        - `case_sensitive: boolean` Only applies to custom word lists.
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `name: string` The name of the predefined profile. - `type: "predefined"` - `"predefined"` - `ai_context_enabled: optional boolean` - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"` - `"low"` - `"medium"` - `"high"` - `"very_high"` - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords. - `ocr_enabled: optional boolean` - `open_access: optional boolean` Whether this profile can be accessed by anyone. - `IntegrationProfile { id, created_at, entries, 5 more }` - `id: string` - `created_at: string` - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more` - `CustomEntry { id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `PredefinedEntry { id, confidence, enabled, 4 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. 
- `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `IntegrationEntry { id, created_at, enabled, 4 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `ExactDataEntry { id, case_sensitive, created_at, 5 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `name: string` - `shared_entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more` - `CustomEntry { id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `PredefinedEntry { id, confidence, enabled, 4 
more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `IntegrationEntry { id, created_at, enabled, 4 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `ExactDataEntry { id, case_sensitive, created_at, 5 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `type: "integration"` - `"integration"` - `updated_at: string` - `description: optional string` The description of the profile. 
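Two fields in the returned custom profile decide whether a policy built on it fires: each custom entry's `pattern` (a `regex`, optionally tightened with `validation: "luhn"`) decides what counts as a match, and the profile's `allowed_match_count` is the threshold that the match count must exceed. The following is an added example, not Cloudflare's code, that models that evaluation locally so the effect of each field can be seen; the regex, the sample text, the threshold and the `evaluate` helper are all constructed for illustration and are not part of the API.

```python
import re

# Added example (not Cloudflare's code): how a CustomEntry's `pattern`
# (`regex` plus optional `validation: "luhn"`) and a profile's
# `allowed_match_count` combine.  Regex, sample text and threshold are
# constructed for illustration.


def luhn_ok(candidate: str) -> bool:
    """Return True if the digits in `candidate` pass the Luhn checksum."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_matches(text: str, entry: dict) -> list:
    """Apply a CustomEntry-shaped dict: {'enabled', 'pattern': {'regex', 'validation'}}."""
    if not entry.get("enabled", True):
        return []
    pattern = entry["pattern"]
    hits = re.findall(pattern["regex"], text)
    # With validation "luhn", a regex hit only counts if the checksum holds;
    # this is what removes most 16-digit false positives (order numbers etc.).
    if pattern.get("validation") == "luhn":
        hits = [h for h in hits if luhn_ok(h)]
    return hits


def policy_triggers(match_count: int, allowed_match_count: int) -> bool:
    """Per the schema text: policies trigger when the match count *exceeds* the number set.
    So allowed_match_count=0 fires on the first match, and N allows N matches through."""
    return match_count > allowed_match_count


# Constructed sample: two Luhn-valid test PANs and one 16-digit string that fails Luhn.
SAMPLE_TEXT = (
    "order 4111111111111111 shipped; backup card 5500000000000004; "
    "tracking 1234567812345678; ref 42"
)

# Constructed entry mirroring the CustomEntry shape in the response above.
CARD_ENTRY = {
    "enabled": True,
    "pattern": {"regex": r"\b\d{16}\b", "validation": "luhn"},
}


def evaluate(text: str = SAMPLE_TEXT, entry: dict = CARD_ENTRY, allowed_match_count: int = 1) -> dict:
    matches = find_matches(text, entry)
    return {
        "matches": matches,
        "triggers": policy_triggers(len(matches), allowed_match_count),
    }


if __name__ == "__main__":
    print(evaluate())
```

Without the Luhn step the tracking number would be a third match; with it only the two checksum-valid numbers count, and at `allowed_match_count: 1` two matches exceed the threshold, so the policy would trigger.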
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/profiles/custom/$PROFILE_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "name"
  }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 5,
    "created_at": "2019-12-27T18:11:19.117Z",
    "name": "name",
    "ocr_enabled": true,
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "ai_context_enabled": true,
    "confidence_threshold": "low",
    "context_awareness": {
      "enabled": true,
      "skip": {
        "files": true
      }
    },
    "data_classes": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "data_tags": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "description": "description",
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "sensitivity_levels": [
      {
        "group_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "level_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "shared_entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  }
}
```

## Delete custom profile

**delete** `/accounts/{account_id}/dlp/profiles/custom/{profile_id}`

Deletes a DLP custom profile.
### Path Parameters

- `account_id: string`
- `profile_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/profiles/custom/$PROFILE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Custom Profile

- `CustomProfile { id, allowed_match_count, created_at, 12 more }`
  - `id: string` The id of the profile (uuid).
  - `allowed_match_count: number` Related DLP policies will trigger when the match count exceeds the number set.
  - `created_at: string` When the profile was created.
  - `name: string` The name of the profile.
  - `ocr_enabled: boolean`
  - `updated_at: string` When the profile was last updated.
  - `ai_context_enabled: optional boolean`
  - `confidence_threshold: optional "low" or "medium" or "high" or "very_high"`
    - `"low"`
    - `"medium"`
    - `"high"`
    - `"very_high"`
  - `context_awareness: optional ContextAwareness` Scan the context of predefined entries to only return matches surrounded by keywords.
    - `enabled: boolean` If true, scan the context of predefined entries to only return matches surrounded by keywords.
    - `skip: SkipConfiguration` Content types to exclude from context analysis and return all matches.
      - `files: boolean` If the content type is a file, skip context analysis and return all matches.
  - `data_classes: optional array of string` Data classes associated with this profile.
  - `data_tags: optional array of string` Data tags associated with this profile.
  - `description: optional string` The description of the profile.
  - `entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
    - `CustomEntry { id, created_at, enabled, 6 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `pattern: Pattern`
        - `regex: string`
        - `validation: optional "luhn"`
          - `"luhn"`
      - `type: "custom"`
        - `"custom"`
      - `updated_at: string`
      - `description: optional string`
      - `profile_id: optional string`
    - `PredefinedEntry { id, confidence, enabled, 4 more }`
      - `id: string`
      - `confidence: { ai_context_available, available }`
        - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
        - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
      - `enabled: boolean`
      - `name: string`
      - `type: "predefined"`
        - `"predefined"`
      - `profile_id: optional string`
      - `variant: optional { topic_type, type, description }`
        - `topic_type: "Intent" or "Content"`
          - `"Intent"`
          - `"Content"`
        - `type: "PromptTopic"`
          - `"PromptTopic"`
        - `description: optional string`
    - `IntegrationEntry { id, created_at, enabled, 4 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "integration"`
        - `"integration"`
      - `updated_at: string`
      - `profile_id: optional string`
    - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
      - `id: string`
      - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `secret: boolean`
      - `type: "exact_data"`
        - `"exact_data"`
      - `updated_at: string`
    - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "document_fingerprint"`
        - `"document_fingerprint"`
      - `updated_at: string`
    - `WordListEntry { id, created_at, enabled, 5 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "word_list"`
        - `"word_list"`
      - `updated_at: string`
      - `word_list: unknown`
      - `profile_id: optional string`
  - `sensitivity_levels: optional array of { group_id, level_id }` Sensitivity levels associated with this profile.
    - `group_id: string`
    - `level_id: string`
  - `shared_entries: optional array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more`
    - `CustomEntry { id, created_at, enabled, 6 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `pattern: Pattern`
      - `type: "custom"`
        - `"custom"`
      - `updated_at: string`
      - `description: optional string`
      - `profile_id: optional string`
    - `PredefinedEntry { id, confidence, enabled, 4 more }`
      - `id: string`
      - `confidence: { ai_context_available, available }`
        - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
        - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
      - `enabled: boolean`
      - `name: string`
      - `type: "predefined"`
        - `"predefined"`
      - `profile_id: optional string`
      - `variant: optional { topic_type, type, description }`
        - `topic_type: "Intent" or "Content"`
          - `"Intent"`
          - `"Content"`
        - `type: "PromptTopic"`
          - `"PromptTopic"`
        - `description: optional string`
    - `IntegrationEntry { id, created_at, enabled, 4 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "integration"`
        - `"integration"`
      - `updated_at: string`
      - `profile_id: optional string`
    - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
      - `id: string`
      - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `secret: boolean`
      - `type: "exact_data"`
        - `"exact_data"`
      - `updated_at: string`
    - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "document_fingerprint"`
        - `"document_fingerprint"`
      - `updated_at: string`
    - `WordListEntry { id, created_at, enabled, 5 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "word_list"`
        - `"word_list"`
      - `updated_at: string`
      - `word_list: unknown`
      - `profile_id: optional string`

### Pattern

- `Pattern { regex, validation }`
  - `regex: string`
  - `validation: optional "luhn"`
    - `"luhn"`

### Custom Delete Response

- `CustomDeleteResponse = unknown`

# Predefined

## Get predefined profile config

**get** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}/config`

Fetches a predefined DLP profile by id. This is similar to `get_predefined` but only returns entries that are enabled, which is what the Terraform API needs.
### Path Parameters

- `account_id: string`
- `profile_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional PredefinedProfile`
  - `id: string` The id of the predefined profile (uuid).
  - `allowed_match_count: number`
  - `confidence_threshold: string`
  - `enabled_entries: array of string` Entries to enable for this predefined profile. Any entries not provided will be disabled.
  - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more` This field has been deprecated in favor of `enabled_entries`.
    - `CustomEntry { id, created_at, enabled, 6 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `pattern: Pattern`
        - `regex: string`
        - `validation: optional "luhn"`
          - `"luhn"`
      - `type: "custom"`
        - `"custom"`
      - `updated_at: string`
      - `description: optional string`
      - `profile_id: optional string`
    - `PredefinedEntry { id, confidence, enabled, 4 more }`
      - `id: string`
      - `confidence: { ai_context_available, available }`
        - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
        - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
      - `enabled: boolean`
      - `name: string`
      - `type: "predefined"`
        - `"predefined"`
      - `profile_id: optional string`
      - `variant: optional { topic_type, type, description }`
        - `topic_type: "Intent" or "Content"`
          - `"Intent"`
          - `"Content"`
        - `type: "PromptTopic"`
          - `"PromptTopic"`
        - `description: optional string`
    - `IntegrationEntry { id, created_at, enabled, 4 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "integration"`
        - `"integration"`
      - `updated_at: string`
      - `profile_id: optional string`
    - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
      - `id: string`
      - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `secret: boolean`
      - `type: "exact_data"`
        - `"exact_data"`
      - `updated_at: string`
    - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "document_fingerprint"`
        - `"document_fingerprint"`
      - `updated_at: string`
    - `WordListEntry { id, created_at, enabled, 5 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "word_list"`
        - `"word_list"`
      - `updated_at: string`
      - `word_list: unknown`
      - `profile_id: optional string`
  - `name: string` The name of the predefined profile.
  - `ai_context_enabled: optional boolean`
  - `ocr_enabled: optional boolean`
  - `open_access: optional boolean` Whether this profile can be accessed by anyone.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/profiles/predefined/$PROFILE_ID/config \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 0,
    "confidence_threshold": "confidence_threshold",
    "enabled_entries": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "name": "name",
    "ai_context_enabled": true,
    "ocr_enabled": true,
    "open_access": true
  }
}
```

## Update predefined profile config

**put** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}/config`

Updates a DLP predefined profile. Only supports enabling/disabling entries. This is similar to `update_predefined` but only returns entries that are enabled, which is what the Terraform API needs.
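The `enabled_entries` field is documented as a full replacement: "Any entries not provided will be disabled." A PUT that lists only the one entry you meant to turn on therefore silently turns off every other detection in the profile. The safe pattern is read-modify-write: fetch the current config, add or remove the entry ids you care about, and send the whole list back. The following is an added example, not Cloudflare's code, that does the merge and the envelope check offline; the config response and the entry ids are constructed placeholders in the shape shown on this page, and `unwrap`, `build_config_update` and `naive_update` are illustrative helpers, not API calls.

```python
import json

# Added example (not Cloudflare's code).  PUT .../config replaces the whole
# `enabled_entries` list, so a config update must carry forward every entry
# that is currently enabled.  The response below is constructed in the v4
# envelope shape shown on this page; the entry ids are placeholders.

CURRENT_CONFIG_RESPONSE = json.dumps({
    "errors": [],
    "messages": [],
    "success": True,
    "result": {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "allowed_match_count": 0,
        "confidence_threshold": "medium",
        "enabled_entries": [
            "11111111-1111-4111-8111-111111111111",
            "22222222-2222-4222-8222-222222222222",
        ],
        "name": "name",
        "ocr_enabled": False,
    },
})

# Constructed failure envelope, for the error path.
FAILED_RESPONSE = json.dumps({
    "errors": [{"code": 1000, "message": "message"}],
    "messages": [],
    "success": False,
    "result": None,
})

# Only the body fields this page documents for the PUT are forwarded.
SETTABLE_FIELDS = ("ai_context_enabled", "allowed_match_count", "confidence_threshold", "ocr_enabled")


def unwrap(raw: str) -> dict:
    """Parse the v4 envelope; raise with the API's own error messages when success is false."""
    body = json.loads(raw)
    if not body.get("success"):
        detail = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in body.get("errors", []))
        raise RuntimeError(f"API call failed: {detail or 'no error detail'}")
    return body["result"]


def build_config_update(current: dict, enable=(), disable=(), **overrides) -> dict:
    """Return the PUT body, carrying forward every currently enabled entry."""
    keep = [e for e in current.get("enabled_entries", []) if e not in set(disable)]
    for entry_id in enable:
        if entry_id not in keep:
            keep.append(entry_id)
    body = {"enabled_entries": keep}
    for key in SETTABLE_FIELDS:
        if key in overrides:
            body[key] = overrides[key]
    return body


def naive_update(entry_id: str) -> dict:
    """What an 'enable this one entry' call actually sends: every other entry is disabled."""
    return {"enabled_entries": [entry_id]}


if __name__ == "__main__":
    cfg = unwrap(CURRENT_CONFIG_RESPONSE)
    new_entry = "33333333-3333-4333-8333-333333333333"
    print(json.dumps(build_config_update(cfg, enable=[new_entry], allowed_match_count=5), indent=2))
    print(json.dumps(naive_update(new_entry), indent=2))
```

The same read-modify-write discipline applies when you drive this endpoint from Terraform or any other declarative tool: the desired state must be the complete list, not a delta.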
### Path Parameters

- `account_id: string`
- `profile_id: string`

### Body Parameters

- `ai_context_enabled: optional boolean`
- `allowed_match_count: optional number`
- `confidence_threshold: optional string`
- `enabled_entries: optional array of string`
- `entries: optional array of { id, enabled }`
  - `id: string`
  - `enabled: boolean`
- `ocr_enabled: optional boolean`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional PredefinedProfile`
  - `id: string` The id of the predefined profile (uuid).
  - `allowed_match_count: number`
  - `confidence_threshold: string`
  - `enabled_entries: array of string` Entries to enable for this predefined profile. Any entries not provided will be disabled.
  - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more` This field has been deprecated in favor of `enabled_entries`.
    - `CustomEntry { id, created_at, enabled, 6 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `pattern: Pattern`
        - `regex: string`
        - `validation: optional "luhn"`
          - `"luhn"`
      - `type: "custom"`
        - `"custom"`
      - `updated_at: string`
      - `description: optional string`
      - `profile_id: optional string`
    - `PredefinedEntry { id, confidence, enabled, 4 more }`
      - `id: string`
      - `confidence: { ai_context_available, available }`
        - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
        - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
      - `enabled: boolean`
      - `name: string`
      - `type: "predefined"`
        - `"predefined"`
      - `profile_id: optional string`
      - `variant: optional { topic_type, type, description }`
        - `topic_type: "Intent" or "Content"`
          - `"Intent"`
          - `"Content"`
        - `type: "PromptTopic"`
          - `"PromptTopic"`
        - `description: optional string`
    - `IntegrationEntry { id, created_at, enabled, 4 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "integration"`
        - `"integration"`
      - `updated_at: string`
      - `profile_id: optional string`
    - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
      - `id: string`
      - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `secret: boolean`
      - `type: "exact_data"`
        - `"exact_data"`
      - `updated_at: string`
    - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "document_fingerprint"`
        - `"document_fingerprint"`
      - `updated_at: string`
    - `WordListEntry { id, created_at, enabled, 5 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "word_list"`
        - `"word_list"`
      - `updated_at: string`
      - `word_list: unknown`
      - `profile_id: optional string`
  - `name: string` The name of the predefined profile.
  - `ai_context_enabled: optional boolean`
  - `ocr_enabled: optional boolean`
  - `open_access: optional boolean` Whether this profile can be accessed by anyone.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/profiles/predefined/$PROFILE_ID/config \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "allowed_match_count": 5
  }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "allowed_match_count": 0,
    "confidence_threshold": "confidence_threshold",
    "enabled_entries": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ],
    "entries": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "created_at": "2019-12-27T18:11:19.117Z",
        "enabled": true,
        "name": "name",
        "pattern": {
          "regex": "regex",
          "validation": "luhn"
        },
        "type": "custom",
        "updated_at": "2019-12-27T18:11:19.117Z",
        "description": "description",
        "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ],
    "name": "name",
    "ai_context_enabled": true,
    "ocr_enabled": true,
    "open_access": true
  }
}
```

## Delete predefined profile

**delete** `/accounts/{account_id}/dlp/profiles/predefined/{profile_id}`

This is a no-op, as predefined profiles cannot be deleted, but it is needed for the generated Terraform API.

### Path Parameters

- `account_id: string`
- `profile_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/profiles/predefined/$PROFILE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Predefined Profile

- `PredefinedProfile { id, allowed_match_count, confidence_threshold, 6 more }`
  - `id: string` The id of the predefined profile (uuid).
  - `allowed_match_count: number`
  - `confidence_threshold: string`
  - `enabled_entries: array of string` Entries to enable for this predefined profile. Any entries not provided will be disabled.
  - `entries: array of { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more` This field has been deprecated in favor of `enabled_entries`.
    - `CustomEntry { id, created_at, enabled, 6 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `pattern: Pattern`
        - `regex: string`
        - `validation: optional "luhn"`
          - `"luhn"`
      - `type: "custom"`
        - `"custom"`
      - `updated_at: string`
      - `description: optional string`
      - `profile_id: optional string`
    - `PredefinedEntry { id, confidence, enabled, 4 more }`
      - `id: string`
      - `confidence: { ai_context_available, available }`
        - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
        - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
      - `enabled: boolean`
      - `name: string`
      - `type: "predefined"`
        - `"predefined"`
      - `profile_id: optional string`
      - `variant: optional { topic_type, type, description }`
        - `topic_type: "Intent" or "Content"`
          - `"Intent"`
          - `"Content"`
        - `type: "PromptTopic"`
          - `"PromptTopic"`
        - `description: optional string`
    - `IntegrationEntry { id, created_at, enabled, 4 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "integration"`
        - `"integration"`
      - `updated_at: string`
      - `profile_id: optional string`
    - `ExactDataEntry { id, case_sensitive, created_at, 5 more }`
      - `id: string`
      - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `secret: boolean`
      - `type: "exact_data"`
        - `"exact_data"`
      - `updated_at: string`
    - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "document_fingerprint"`
        - `"document_fingerprint"`
      - `updated_at: string`
    - `WordListEntry { id, created_at, enabled, 5 more }`
      - `id: string`
      - `created_at: string`
      - `enabled: boolean`
      - `name: string`
      - `type: "word_list"`
        - `"word_list"`
      - `updated_at: string`
      - `word_list: unknown`
      - `profile_id: optional string`
  - `name: string` The name of the predefined profile.
  - `ai_context_enabled: optional boolean`
  - `ocr_enabled: optional boolean`
  - `open_access: optional boolean` Whether this profile can be accessed by anyone.

### Predefined Delete Response

- `PredefinedDeleteResponse = unknown`

# Limits

## Fetch limits associated with DLP for account

**get** `/accounts/{account_id}/dlp/limits`

Retrieves current DLP usage limits and quotas for the account, including dataset limits and scan quotas.
### Path Parameters - `account_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { max_dataset_cells }` - `max_dataset_cells: number` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/limits \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "max_dataset_cells": 0 } } ``` ## Domain Types ### Limit List Response - `LimitListResponse { max_dataset_cells }` - `max_dataset_cells: number` # Entries ## List all entries **get** `/accounts/{account_id}/dlp/entries` Lists all DLP entries in an account. ### Path Parameters - `account_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional array of { id, created_at, enabled, 7 more } or { id, confidence, enabled, 5 more } or { id, created_at, enabled, 5 more } or 3 more` - `{ id, created_at, enabled, 7 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, confidence, enabled, 5 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `{ id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, case_sensitive, created_at, 6 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, created_at, enabled, 4 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "upload_status": "empty" } ] } ``` ## 
Get DLP Entry **get** `/accounts/{account_id}/dlp/entries/{entry_id}` Fetches a DLP entry by ID. ### Path Parameters - `account_id: string` - `entry_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id, created_at, enabled, 8 more } or { id, confidence, enabled, 6 more } or { id, created_at, enabled, 6 more } or 3 more` - `{ id, created_at, enabled, 8 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, confidence, enabled, 6 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `{ id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, case_sensitive, created_at, 7 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, created_at, enabled, 7 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/$ENTRY_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", 
    "pattern": {
      "regex": "regex",
      "validation": "luhn"
    },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "profiles": [
      {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "name": "name"
      }
    ],
    "upload_status": "empty"
  }
}
```

## Create custom entry

**post** `/accounts/{account_id}/dlp/entries`

Creates a DLP custom entry.

### Path Parameters

- `account_id: string`

### Body Parameters

- `enabled: boolean`
- `name: string`
- `pattern: Pattern`
  - `regex: string`
  - `validation: optional "luhn"`
    - `"luhn"`
- `description: optional string`
- `profile_id: optional string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, created_at, enabled, 5 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `pattern: Pattern`
    - `regex: string`
    - `validation: optional "luhn"`
      - `"luhn"`
  - `updated_at: string`
  - `description: optional string`
  - `profile_id: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "enabled": true,
    "name": "name",
    "pattern": {
      "regex": "regex"
    }
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": {
      "regex": "regex",
      "validation": "luhn"
    },
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Update entry

**put** `/accounts/{account_id}/dlp/entries/{entry_id}`

Updates a DLP entry.
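The create body above and the `Custom` variant of this update body share the same `pattern` shape. As an added example that is not part of Cloudflare's documentation or client code, the Python below builds that body, dry-runs the regex against constructed sample text (with the optional `luhn` validation approximated locally, which is an assumption about the validator's semantics), and unwraps the `success`/`errors` envelope that every endpoint on this page returns.

```python
"""Local helpers for the custom-entry body and the response envelope.

Added example, not Cloudflare's client code. It assumes only the shapes
documented on this page; the "luhn" behaviour in preview_matches is a
local approximation of the validator and is labelled as an assumption.
"""
import json
import re


class DlpApiError(Exception):
    """Raised when the response envelope reports success: false."""

    def __init__(self, errors):
        self.errors = errors
        detail = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in errors)
        super().__init__(detail or "DLP API call failed")


def build_custom_entry_body(name, regex, *, enabled=True, luhn=False,
                            description=None, profile_id=None):
    """Build the POST /dlp/entries body, compiling the regex first.

    A malformed pattern fails here with re.error instead of coming back
    as an API error after the round trip.
    """
    re.compile(regex)
    body = {"enabled": enabled, "name": name, "pattern": {"regex": regex}}
    if luhn:
        body["pattern"]["validation"] = "luhn"
    if description is not None:
        body["description"] = description
    if profile_id is not None:
        body["profile_id"] = profile_id
    return body


def unwrap_response(payload):
    """Return `result` from the envelope, or raise DlpApiError with `errors`.

    Accepts raw JSON text or an already-decoded dict. The envelope is the
    same for every endpoint on this page, so callers check one field.
    """
    if isinstance(payload, (str, bytes)):
        payload = json.loads(payload)
    if not payload.get("success"):
        raise DlpApiError(payload.get("errors") or [])
    return payload.get("result")


def luhn_ok(digits):
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def preview_matches(entry_body, text):
    """Dry run of a custom entry against sample text before creating it.

    Returns the substrings the regex matches. When pattern.validation is
    "luhn", a hit is kept only if its digits pass the Luhn check; that is
    an assumption about the validator, not something this page specifies.
    """
    pattern = re.compile(entry_body["pattern"]["regex"])
    wants_luhn = entry_body["pattern"].get("validation") == "luhn"
    hits = []
    for match in pattern.finditer(text):
        candidate = match.group(0)
        digits = re.sub(r"\D", "", candidate)
        if wants_luhn and (not digits or not luhn_ok(digits)):
            continue
        hits.append(candidate)
    return hits


# Constructed sample data, not from the API docs: one valid test card
# number, one with a broken check digit, and an unrelated 8-digit reference.
SAMPLE_TEXT = ("Card on file: 4111 1111 1111 1111; "
               "old one: 4111 1111 1111 1112; ref 12345678.")
CARD_REGEX = r"\b(?:\d[ -]?){13,16}\b"

# Constructed failure envelope in the shape documented above.
FAILED_PAYLOAD = json.dumps({
    "errors": [{"code": 1000, "message": "message"}],
    "success": False,
})


if __name__ == "__main__":
    body = build_custom_entry_body("Card numbers", CARD_REGEX, luhn=True)
    print(json.dumps(body, indent=2))
    print("would flag:", preview_matches(body, SAMPLE_TEXT))
    try:
        unwrap_response(FAILED_PAYLOAD)
    except DlpApiError as exc:
        print("API error:", exc)
```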
### Path Parameters - `account_id: string` - `entry_id: string` ### Body Parameters - `body: { name, pattern, type, 2 more } or { type, enabled } or { type, enabled }` - `Custom { name, pattern, type, 2 more }` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `description: optional string` - `enabled: optional boolean` - `Predefined { type, enabled }` - `type: "predefined"` - `"predefined"` - `enabled: optional boolean` - `Integration { type, enabled }` - `type: "integration"` - `"integration"` - `enabled: optional boolean` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more` - `CustomEntry { id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `PredefinedEntry { id, confidence, enabled, 4 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `IntegrationEntry { id, created_at, enabled, 4 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `ExactDataEntry { id, case_sensitive, created_at, 5 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/$ENTRY_ID \ -X PUT \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "name": "name", "pattern": { "regex": "regex" }, "type": "custom" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, 
"result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" } } ``` ## Delete custom entry **delete** `/accounts/{account_id}/dlp/entries/{entry_id}` Deletes a DLP custom entry. ### Path Parameters - `account_id: string` - `entry_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional unknown` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/$ENTRY_ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### Entry List Response - `EntryListResponse = { id, created_at, enabled, 7 more } or { id, confidence, enabled, 5 more } or { id, created_at, enabled, 5 more } or 3 more` - `{ id, created_at, enabled, 7 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` 
- `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, confidence, enabled, 5 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `{ id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, case_sensitive, created_at, 6 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, created_at, enabled, 4 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` ### Entry Get Response - `EntryGetResponse = { id, created_at, enabled, 8 more } or { id, confidence, enabled, 6 more } or { id, created_at, enabled, 6 more } or 3 more` - `{ id, created_at, enabled, 8 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, confidence, enabled, 6 more }` - `id: string` - `confidence: { ai_context_available, available 
}` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `{ id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, case_sensitive, created_at, 7 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, created_at, enabled, 7 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` ### Entry Create Response - `EntryCreateResponse { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` ### Entry Update Response - `EntryUpdateResponse = { id, created_at, enabled, 6 more } or { id, confidence, enabled, 4 more } or { id, created_at, enabled, 4 more } or 3 more` - `CustomEntry { id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - 
`enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `PredefinedEntry { id, confidence, enabled, 4 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `IntegrationEntry { id, created_at, enabled, 4 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `ExactDataEntry { id, case_sensitive, created_at, 5 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines if the words should be matched in a case-sensitive manner Cannot be set to false if secret is true - `created_at: string` - `enabled: boolean` - `name: string` - `secret: boolean` - `type: "exact_data"` - `"exact_data"` - `updated_at: string` - `DocumentFingerprintEntry { id, created_at, enabled, 3 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "document_fingerprint"` - `"document_fingerprint"` - `updated_at: string` - `WordListEntry { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "word_list"` - `"word_list"` - `updated_at: string` - `word_list: unknown` - `profile_id: optional string` ### Entry Delete Response - `EntryDeleteResponse = unknown` # Custom ## Create custom entry **post** `/accounts/{account_id}/dlp/entries` Creates a DLP custom entry. ### Path Parameters - `account_id: string` ### Body Parameters - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `description: optional string` - `profile_id: optional string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "enabled": true, "name": "name", "pattern": { "regex": "regex" } }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" } } ``` ## Update custom entry **put** `/accounts/{account_id}/dlp/entries/custom/{entry_id}` Updates a DLP custom entry. 
### Path Parameters - `account_id: string` - `entry_id: string` ### Body Parameters - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `description: optional string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/custom/$ENTRY_ID \ -X PUT \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "enabled": true, "name": "name", "pattern": { "regex": "regex" } }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e" } } ``` ## Delete custom entry **delete** 
`/accounts/{account_id}/dlp/entries/{entry_id}` Deletes a DLP custom entry. ### Path Parameters - `account_id: string` - `entry_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional unknown` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/$ENTRY_ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Get DLP Entry **get** `/accounts/{account_id}/dlp/entries/{entry_id}` Fetches a DLP entry by ID. ### Path Parameters - `account_id: string` - `entry_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional { id, created_at, enabled, 8 more } or { id, confidence, enabled, 6 more } or { id, created_at, enabled, 6 more } or 3 more` - `{ id, created_at, enabled, 8 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, confidence, enabled, 6 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `{ id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, case_sensitive, created_at, 7 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines whether the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `secret: boolean`
  - `type: "exact_data"`
    - `"exact_data"`
  - `updated_at: string`
  - `profiles: optional array of { id, name }`
    - `id: string`
    - `name: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 5 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "document_fingerprint"`
    - `"document_fingerprint"`
  - `updated_at: string`
  - `profiles: optional array of { id, name }`
    - `id: string`
    - `name: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 7 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "word_list"`
    - `"word_list"`
  - `updated_at: string`
  - `word_list: unknown`
  - `profile_id: optional string`
  - `profiles: optional array of { id, name }`
    - `id: string`
    - `name: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/$ENTRY_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name",
"pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "profiles": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "name": "name" } ], "upload_status": "empty" } } ``` ## List all entries **get** `/accounts/{account_id}/dlp/entries` Lists all DLP entries in an account. ### Path Parameters - `account_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of { id, created_at, enabled, 7 more } or { id, confidence, enabled, 5 more } or { id, created_at, enabled, 5 more } or 3 more` - `{ id, created_at, enabled, 7 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, confidence, enabled, 5 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
  - `enabled: boolean`
  - `name: string`
  - `type: "predefined"`
    - `"predefined"`
  - `profile_id: optional string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
  - `variant: optional { topic_type, type, description }`
    - `topic_type: "Intent" or "Content"`
      - `"Intent"`
      - `"Content"`
    - `type: "PromptTopic"`
      - `"PromptTopic"`
    - `description: optional string`
- `{ id, created_at, enabled, 5 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "integration"`
    - `"integration"`
  - `updated_at: string`
  - `profile_id: optional string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, case_sensitive, created_at, 6 more }`
  - `id: string`
  - `case_sensitive: boolean` Only applies to custom word lists. Determines whether the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `secret: boolean`
  - `type: "exact_data"`
    - `"exact_data"`
  - `updated_at: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 4 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "document_fingerprint"`
    - `"document_fingerprint"`
  - `updated_at: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 6 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "word_list"`
    - `"word_list"`
  - `updated_at: string`
  - `word_list: unknown`
  - `profile_id: optional string`
  - `upload_status: optional
"empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "upload_status": "empty" } ] } ``` ## Domain Types ### Custom Create Response - `CustomCreateResponse { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` ### Custom Update Response - `CustomUpdateResponse { id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` ### Custom Delete Response - `CustomDeleteResponse = unknown` ### Custom Get Response - `CustomGetResponse = { id, created_at, enabled, 8 more } or { id, confidence, enabled, 6 more } or { id, created_at, enabled, 6 more } or 3 more` - `{ id, created_at, enabled, 8 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - 
`pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, confidence, enabled, 6 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `{ id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, case_sensitive, created_at, 7 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines whether the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `secret: boolean`
  - `type: "exact_data"`
    - `"exact_data"`
  - `updated_at: string`
  - `profiles: optional array of { id, name }`
    - `id: string`
    - `name: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 5 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "document_fingerprint"`
    - `"document_fingerprint"`
  - `updated_at: string`
  - `profiles: optional array of { id, name }`
    - `id: string`
    - `name: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 7 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "word_list"`
    - `"word_list"`
  - `updated_at: string`
  - `word_list: unknown`
  - `profile_id: optional string`
  - `profiles: optional array of { id, name }`
    - `id: string`
    - `name: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`

### Custom List Response

- `CustomListResponse = { id, created_at, enabled, 7 more } or { id, confidence, enabled, 5 more } or { id, created_at, enabled, 5 more } or 3 more`
  - `{ id, created_at, enabled, 7 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation: optional "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description: optional string`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"` -
`"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, confidence, enabled, 5 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `{ id, created_at, enabled, 5 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, case_sensitive, created_at, 6 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines whether the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `secret: boolean`
  - `type: "exact_data"`
    - `"exact_data"`
  - `updated_at: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 4 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "document_fingerprint"`
    - `"document_fingerprint"`
  - `updated_at: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 6 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "word_list"`
    - `"word_list"`
  - `updated_at: string`
  - `word_list: unknown`
  - `profile_id: optional string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`

# Predefined

## Create predefined entry

**post** `/accounts/{account_id}/dlp/entries/predefined`

Predefined entries can't be created; this endpoint updates an existing predefined entry instead. It is needed for our generated Terraform API.

### Path Parameters

- `account_id: string`

### Body Parameters

- `enabled: boolean`
- `entry_id: string`
- `profile_id: optional string` This field is not used as the owning profile. For predefined entries it is already set to a predefined profile.
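The custom entry `pattern` described in the Domain Types above pairs a `regex` with an optional `validation: "luhn"`. The following added example (written for this page, not Cloudflare's code or SDK) shows what that validation buys: it assembles the PUT body for a custom entry after compiling the regex locally, then runs the same pattern over constructed sample text with and without a Luhn checksum filter, so a reader can see which 16-digit runs survive. The sample text, the `CARD_REGEX` pattern, the helper names, and the assumption that a Luhn-checked match is normalized by stripping spaces and hyphens are this example's own; the page does not say how the service normalizes matches or which regex dialect it accepts.

```python
"""Added example (not Cloudflare's code): what a custom DLP entry's
`pattern` with `validation: "luhn"` does in practice, plus a pre-flight
check of the PUT body before it is sent to
/accounts/{account_id}/dlp/entries/custom/{entry_id}.

Assumptions (not stated on the page): a Luhn-validated match is normalized
by stripping spaces and hyphens before the checksum is taken, and the
service accepts the Python-compatible regex used here.
"""
import re
from typing import Dict, List, Optional, Tuple


def luhn_valid(candidate: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum.

    Spaces and hyphens are stripped first (assumption, see module docstring).
    Any other non-digit character, or fewer than two digits, fails the check.
    """
    digits = candidate.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk right to left, doubling every second digit and folding 10..18 to 1..9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def regex_is_wellformed(regex: str) -> bool:
    """Pre-flight check: does the pattern compile locally?"""
    try:
        re.compile(regex)
    except re.error:
        return False
    return True


def build_custom_entry_body(name: str, regex: str, *, enabled: bool = True,
                            luhn: bool = False,
                            description: Optional[str] = None) -> Dict[str, object]:
    """Assemble the PUT body listed under Body Parameters for a custom entry.

    A malformed regex is rejected here rather than discovered in the API's
    error response; "luhn" is the only validation value the page lists.
    """
    if not regex_is_wellformed(regex):
        raise ValueError(f"regex does not compile: {regex!r}")
    pattern: Dict[str, str] = {"regex": regex}
    if luhn:
        pattern["validation"] = "luhn"
    body: Dict[str, object] = {"enabled": enabled, "name": name, "pattern": pattern}
    if description is not None:
        body["description"] = description
    return body


def scan(text: str, entry_body: Dict[str, object]) -> List[str]:
    """Apply an entry's pattern to text; keep only matches that pass its validation."""
    pattern = entry_body["pattern"]
    assert isinstance(pattern, dict)
    hits = [m.group(0) for m in re.finditer(pattern["regex"], text)]
    if pattern.get("validation") == "luhn":
        hits = [h for h in hits if luhn_valid(h)]
    return hits


# Constructed sample text: two spellings of the well-known Luhn-valid test
# number 4111 1111 1111 1111 and one 16-digit run that fails the checksum.
SAMPLE_TEXT = (
    "card 4111-1111-1111-1111 on file; ticket 1234 5678 9012 3456; "
    "fallback 4111111111111111"
)
# Example pattern (this example's own): four groups of four digits, optionally
# separated by a space or hyphen, word-bounded so windows of longer runs are skipped.
CARD_REGEX = r"\b\d{4}(?:[ -]?\d{4}){3}\b"


def demo() -> Tuple[int, int]:
    """Return (hits without Luhn validation, hits with it) over SAMPLE_TEXT."""
    plain = build_custom_entry_body("sixteen digits", CARD_REGEX)
    checked = build_custom_entry_body("card number", CARD_REGEX, luhn=True,
                                      description="16-digit PAN, Luhn checked")
    return len(scan(SAMPLE_TEXT, plain)), len(scan(SAMPLE_TEXT, checked))


if __name__ == "__main__":
    print(demo())
```

`demo()` reports three regex hits but only two Luhn-valid ones; the `1234 5678 9012 3456` run is the false positive the validation removes. Keeping the regex word-bounded matters here, because the checksum is only meaningful over the whole digit run rather than a 16-digit window cut from a longer number.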
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, confidence, enabled, 3 more }`
  - `id: string`
  - `confidence: { ai_context_available, available }`
    - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
    - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `enabled: boolean`
  - `name: string`
  - `profile_id: optional string`
  - `variant: optional { topic_type, type, description }`
    - `topic_type: "Intent" or "Content"`
      - `"Intent"`
      - `"Content"`
    - `type: "PromptTopic"`
      - `"PromptTopic"`
    - `description: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/predefined \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "enabled": true,
    "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "confidence": {
      "ai_context_available": true,
      "available": true
    },
    "enabled": true,
    "name": "name",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "variant": {
      "topic_type": "Intent",
      "type": "PromptTopic",
      "description": "description"
    }
  }
}
```

## Update predefined entry

**put** `/accounts/{account_id}/dlp/entries/predefined/{entry_id}`

Updates a DLP entry.

### Path Parameters

- `account_id: string`
- `entry_id: string`

### Body Parameters

- `enabled: boolean`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, confidence, enabled, 3 more }`
  - `id: string`
  - `confidence: { ai_context_available, available }`
    - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
    - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
  - `enabled: boolean`
  - `name: string`
  - `profile_id: optional string`
  - `variant: optional { topic_type, type, description }`
    - `topic_type: "Intent" or "Content"`
      - `"Intent"`
      - `"Content"`
    - `type: "PromptTopic"`
      - `"PromptTopic"`
    - `description: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/predefined/$ENTRY_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "enabled": true }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "confidence": {
      "ai_context_available": true,
      "available": true
    },
    "enabled": true,
    "name": "name",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "variant": {
      "topic_type": "Intent",
      "type": "PromptTopic",
      "description": "description"
    }
  }
}
```

## Delete predefined entry

**delete** `/accounts/{account_id}/dlp/entries/predefined/{entry_id}`

This is a no-op, as predefined entries can't be deleted, but it is needed for our generated Terraform API.

### Path Parameters

- `account_id: string`
- `entry_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
- `true` - `result: optional unknown` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/predefined/$ENTRY_ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Get DLP Entry **get** `/accounts/{account_id}/dlp/entries/{entry_id}` Fetches a DLP entry by ID. ### Path Parameters - `account_id: string` - `entry_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional { id, created_at, enabled, 8 more } or { id, confidence, enabled, 6 more } or { id, created_at, enabled, 6 more } or 3 more` - `{ id, created_at, enabled, 8 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, confidence, enabled, 6 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
- `enabled: boolean` - `name: string` - `type: "predefined"` - `"predefined"` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` - `{ id, created_at, enabled, 6 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `type: "integration"` - `"integration"` - `updated_at: string` - `profile_id: optional string` - `profiles: optional array of { id, name }` - `id: string` - `name: string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, case_sensitive, created_at, 7 more }` - `id: string` - `case_sensitive: boolean` Only applies to custom word lists. 
Determines whether the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `secret: boolean`
  - `type: "exact_data"`
    - `"exact_data"`
  - `updated_at: string`
  - `profiles: optional array of { id, name }`
    - `id: string`
    - `name: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 5 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "document_fingerprint"`
    - `"document_fingerprint"`
  - `updated_at: string`
  - `profiles: optional array of { id, name }`
    - `id: string`
    - `name: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 7 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "word_list"`
    - `"word_list"`
  - `updated_at: string`
  - `word_list: unknown`
  - `profile_id: optional string`
  - `profiles: optional array of { id, name }`
    - `id: string`
    - `name: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/$ENTRY_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name",
"pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "profiles": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "name": "name" } ], "upload_status": "empty" } } ``` ## List all entries **get** `/accounts/{account_id}/dlp/entries` Lists all DLP entries in an account. ### Path Parameters - `account_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of { id, created_at, enabled, 7 more } or { id, confidence, enabled, 5 more } or { id, created_at, enabled, 5 more } or 3 more` - `{ id, created_at, enabled, 7 more }` - `id: string` - `created_at: string` - `enabled: boolean` - `name: string` - `pattern: Pattern` - `regex: string` - `validation: optional "luhn"` - `"luhn"` - `type: "custom"` - `"custom"` - `updated_at: string` - `description: optional string` - `profile_id: optional string` - `upload_status: optional "empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` - `{ id, confidence, enabled, 5 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
  - `enabled: boolean`
  - `name: string`
  - `type: "predefined"`
    - `"predefined"`
  - `profile_id: optional string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
  - `variant: optional { topic_type, type, description }`
    - `topic_type: "Intent" or "Content"`
      - `"Intent"`
      - `"Content"`
    - `type: "PromptTopic"`
      - `"PromptTopic"`
    - `description: optional string`
- `{ id, created_at, enabled, 5 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "integration"`
    - `"integration"`
  - `updated_at: string`
  - `profile_id: optional string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, case_sensitive, created_at, 6 more }`
  - `id: string`
  - `case_sensitive: boolean` Only applies to custom word lists. Determines whether the words should be matched in a case-sensitive manner. Cannot be set to false if `secret` is true.
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `secret: boolean`
  - `type: "exact_data"`
    - `"exact_data"`
  - `updated_at: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 4 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "document_fingerprint"`
    - `"document_fingerprint"`
  - `updated_at: string`
  - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
    - `"empty"`
    - `"uploading"`
    - `"pending"`
    - `"processing"`
    - `"failed"`
    - `"complete"`
- `{ id, created_at, enabled, 6 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `type: "word_list"`
    - `"word_list"`
  - `updated_at: string`
  - `word_list: unknown`
  - `profile_id: optional string`
  - `upload_status: optional
"empty" or "uploading" or "pending" or 3 more` - `"empty"` - `"uploading"` - `"pending"` - `"processing"` - `"failed"` - `"complete"` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "created_at": "2019-12-27T18:11:19.117Z", "enabled": true, "name": "name", "pattern": { "regex": "regex", "validation": "luhn" }, "type": "custom", "updated_at": "2019-12-27T18:11:19.117Z", "description": "description", "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "upload_status": "empty" } ] } ``` ## Domain Types ### Predefined Create Response - `PredefinedCreateResponse { id, confidence, enabled, 3 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. - `enabled: boolean` - `name: string` - `profile_id: optional string` - `variant: optional { topic_type, type, description }` - `topic_type: "Intent" or "Content"` - `"Intent"` - `"Content"` - `type: "PromptTopic"` - `"PromptTopic"` - `description: optional string` ### Predefined Update Response - `PredefinedUpdateResponse { id, confidence, enabled, 3 more }` - `id: string` - `confidence: { ai_context_available, available }` - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation. - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service. 
  - `enabled: boolean`
  - `name: string`
  - `profile_id: optional string`
  - `variant: optional { topic_type, type, description }`
    - `topic_type: "Intent" or "Content"`
      - `"Intent"`
      - `"Content"`
    - `type: "PromptTopic"`
      - `"PromptTopic"`
    - `description: optional string`

### Predefined Delete Response

- `PredefinedDeleteResponse = unknown`

### Predefined Get Response

- `PredefinedGetResponse = { id, created_at, enabled, 8 more } or { id, confidence, enabled, 6 more } or { id, created_at, enabled, 6 more } or 3 more`
  - `{ id, created_at, enabled, 8 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation: optional "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description: optional string`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, confidence, enabled, 6 more }`
    - `id: string`
    - `confidence: { ai_context_available, available }`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: optional { topic_type, type, description }`
      - `topic_type: "Intent" or "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description: optional string`
  - `{ id, created_at, enabled, 6 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, case_sensitive, created_at, 7 more }`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 5 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 7 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Predefined List Response

- `PredefinedListResponse = { id, created_at, enabled, 7 more } or { id, confidence, enabled, 5 more } or { id, created_at, enabled, 5 more } or 3 more`
  - `{ id, created_at, enabled, 7 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation: optional "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description: optional string`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, confidence, enabled, 5 more }`
    - `id: string`
    - `confidence: { ai_context_available, available }`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: optional { topic_type, type, description }`
      - `topic_type: "Intent" or "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description: optional string`
  - `{ id, created_at, enabled, 5 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, case_sensitive, created_at, 6 more }`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 4 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 6 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

# Integration

## Create integration entry

**post** `/accounts/{account_id}/dlp/entries/integration`

Integration entries can't be created; this will update an existing integration entry. This is needed for our generated terraform API.

### Path Parameters

- `account_id: string`

### Body Parameters

- `enabled: boolean`
- `entry_id: string`
- `profile_id: optional string` This field is not used as the owning profile. For predefined entries it is already set to a predefined profile.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, created_at, enabled, 3 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `updated_at: string`
  - `profile_id: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/integration \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "enabled": true,
    "entry_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Update integration entry

**put** `/accounts/{account_id}/dlp/entries/integration/{entry_id}`

Updates a DLP entry.
### Path Parameters

- `account_id: string`
- `entry_id: string`

### Body Parameters

- `enabled: boolean`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, created_at, enabled, 3 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `updated_at: string`
  - `profile_id: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/integration/$ENTRY_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "enabled": true
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
  }
}
```

## Delete integration entry

**delete** `/accounts/{account_id}/dlp/entries/integration/{entry_id}`

This is a no-op, as integration entries can't be deleted, but it is needed for our generated terraform API.
### Path Parameters

- `account_id: string`
- `entry_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/integration/$ENTRY_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Get DLP Entry

**get** `/accounts/{account_id}/dlp/entries/{entry_id}`

Fetches a DLP entry by ID.

### Path Parameters

- `account_id: string`
- `entry_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, created_at, enabled, 8 more } or { id, confidence, enabled, 6 more } or { id, created_at, enabled, 6 more } or 3 more`
  - `{ id, created_at, enabled, 8 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation: optional "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description: optional string`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, confidence, enabled, 6 more }`
    - `id: string`
    - `confidence: { ai_context_available, available }`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: optional { topic_type, type, description }`
      - `topic_type: "Intent" or "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description: optional string`
  - `{ id, created_at, enabled, 6 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, case_sensitive, created_at, 7 more }`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 5 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 7 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries/$ENTRY_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-12-27T18:11:19.117Z",
    "enabled": true,
    "name": "name",
    "pattern": { "regex": "regex", "validation": "luhn" },
    "type": "custom",
    "updated_at": "2019-12-27T18:11:19.117Z",
    "description": "description",
    "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "profiles": [
      { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "name": "name" }
    ],
    "upload_status": "empty"
  }
}
```

## List all entries

**get** `/accounts/{account_id}/dlp/entries`

Lists all DLP entries in an account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, created_at, enabled, 7 more } or { id, confidence, enabled, 5 more } or { id, created_at, enabled, 5 more } or 3 more`
  - `{ id, created_at, enabled, 7 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation: optional "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description: optional string`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, confidence, enabled, 5 more }`
    - `id: string`
    - `confidence: { ai_context_available, available }`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: optional { topic_type, type, description }`
      - `topic_type: "Intent" or "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description: optional string`
  - `{ id, created_at, enabled, 5 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, case_sensitive, created_at, 6 more }`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 4 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 6 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/dlp/entries \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-12-27T18:11:19.117Z",
      "enabled": true,
      "name": "name",
      "pattern": { "regex": "regex", "validation": "luhn" },
      "type": "custom",
      "updated_at": "2019-12-27T18:11:19.117Z",
      "description": "description",
      "profile_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "upload_status": "empty"
    }
  ]
}
```

## Domain Types

### Integration Create Response

- `IntegrationCreateResponse { id, created_at, enabled, 3 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `updated_at: string`
  - `profile_id: optional string`

### Integration Update Response

- `IntegrationUpdateResponse { id, created_at, enabled, 3 more }`
  - `id: string`
  - `created_at: string`
  - `enabled: boolean`
  - `name: string`
  - `updated_at: string`
  - `profile_id: optional string`

### Integration Delete Response

- `IntegrationDeleteResponse = unknown`

### Integration Get Response

- `IntegrationGetResponse = { id, created_at, enabled, 8 more } or { id, confidence, enabled, 6 more } or { id, created_at, enabled, 6 more } or 3 more`
  - `{ id, created_at, enabled, 8 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation: optional "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description: optional string`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, confidence, enabled, 6 more }`
    - `id: string`
    - `confidence: { ai_context_available, available }`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: optional { topic_type, type, description }`
      - `topic_type: "Intent" or "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description: optional string`
  - `{ id, created_at, enabled, 6 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, case_sensitive, created_at, 7 more }`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 5 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 7 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id: optional string`
    - `profiles: optional array of { id, name }`
      - `id: string`
      - `name: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

### Integration List Response

- `IntegrationListResponse = { id, created_at, enabled, 7 more } or { id, confidence, enabled, 5 more } or { id, created_at, enabled, 5 more } or 3 more`
  - `{ id, created_at, enabled, 7 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `pattern: Pattern`
      - `regex: string`
      - `validation: optional "luhn"`
        - `"luhn"`
    - `type: "custom"`
      - `"custom"`
    - `updated_at: string`
    - `description: optional string`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, confidence, enabled, 5 more }`
    - `id: string`
    - `confidence: { ai_context_available, available }`
      - `ai_context_available: boolean` Indicates whether this entry has AI remote service validation.
      - `available: boolean` Indicates whether this entry has any form of validation that is not an AI remote service.
    - `enabled: boolean`
    - `name: string`
    - `type: "predefined"`
      - `"predefined"`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
    - `variant: optional { topic_type, type, description }`
      - `topic_type: "Intent" or "Content"`
        - `"Intent"`
        - `"Content"`
      - `type: "PromptTopic"`
        - `"PromptTopic"`
      - `description: optional string`
  - `{ id, created_at, enabled, 5 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "integration"`
      - `"integration"`
    - `updated_at: string`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, case_sensitive, created_at, 6 more }`
    - `id: string`
    - `case_sensitive: boolean` Only applies to custom word lists. Determines if the words should be matched in a case-sensitive manner. Cannot be set to false if secret is true.
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `secret: boolean`
    - `type: "exact_data"`
      - `"exact_data"`
    - `updated_at: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 4 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "document_fingerprint"`
      - `"document_fingerprint"`
    - `updated_at: string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`
  - `{ id, created_at, enabled, 6 more }`
    - `id: string`
    - `created_at: string`
    - `enabled: boolean`
    - `name: string`
    - `type: "word_list"`
      - `"word_list"`
    - `updated_at: string`
    - `word_list: unknown`
    - `profile_id: optional string`
    - `upload_status: optional "empty" or "uploading" or "pending" or 3 more`
      - `"empty"`
      - `"uploading"`
      - `"pending"`
      - `"processing"`
      - `"failed"`
      - `"complete"`

# Gateway

## Get Zero Trust account information

**get** `/accounts/{account_id}/gateway`

Retrieve information about the current Zero Trust account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { id, gateway_tag, provider_name }`
  - `id: optional string` Specify the Cloudflare account ID.
  - `gateway_tag: optional string` Specify the gateway internal ID.
  - `provider_name: optional string` Specify the provider name (usually Cloudflare).

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "699d98642c564d2e855e9661899b7252",
    "gateway_tag": "f174e90afafe4643bbbc4a0ed4fc8415",
    "provider_name": "Cloudflare"
  }
}
```

## Create Zero Trust account

**post** `/accounts/{account_id}/gateway`

Create a Zero Trust account for an existing Cloudflare account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { id, gateway_tag, provider_name }`
  - `id: optional string` Specify the Cloudflare account ID.
  - `gateway_tag: optional string` Specify the gateway internal ID.
  - `provider_name: optional string` Specify the provider name (usually Cloudflare).
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "699d98642c564d2e855e9661899b7252",
    "gateway_tag": "f174e90afafe4643bbbc4a0ed4fc8415",
    "provider_name": "Cloudflare"
  }
}
```

## Domain Types

### Gateway List Response

- `GatewayListResponse { id, gateway_tag, provider_name }`
  - `id: optional string` Specify the Cloudflare account ID.
  - `gateway_tag: optional string` Specify the gateway internal ID.
  - `provider_name: optional string` Specify the provider name (usually Cloudflare).

### Gateway Create Response

- `GatewayCreateResponse { id, gateway_tag, provider_name }`
  - `id: optional string` Specify the Cloudflare account ID.
  - `gateway_tag: optional string` Specify the gateway internal ID.
  - `provider_name: optional string` Specify the provider name (usually Cloudflare).

# Audit SSH Settings

## Get Zero Trust SSH settings

**get** `/accounts/{account_id}/gateway/audit_ssh_settings`

Retrieve all Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional GatewaySettings`
  - `created_at: optional string`
  - `public_key: optional string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `seed_id: optional string` Identify the seed ID.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/audit_ssh_settings \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update Zero Trust SSH settings

**put** `/accounts/{account_id}/gateway/audit_ssh_settings`

Update Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.

### Path Parameters

- `account_id: string`

### Body Parameters

- `public_key: string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
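The `public_key` sent here is the key that all SSH session logs will be encrypted to, so it is worth validating on the client before the PUT and re-checking on later GETs so that an unexpected key change is noticed. The following is an added example (not Cloudflare's own code): it assumes the HPKE public key is a 32-byte X25519 key (the documented sample value is exactly that length), and the expected key and the sample GET response are constructed from the documented example values.

```python
"""Check Audit SSH settings: validate the HPKE public key before a PUT and
flag a GET result whose key differs from the one the operator recorded.

Added example, not Cloudflare code. The expected key and the sample response
are constructed from the documented example values.
"""
import base64
import json

# Constructed: the key an operator generated and recorded out of band.
EXPECTED_PUBLIC_KEY = "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA="

# Constructed sample GET response in the documented shape.
SAMPLE_GET_RESPONSE = {
    "success": True,
    "errors": [],
    "messages": [],
    "result": {
        "created_at": "2014-01-01T05:20:00.12345Z",
        "public_key": EXPECTED_PUBLIC_KEY,
        "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "updated_at": "2014-01-01T05:20:00.12345Z",
    },
}


def validate_hpke_public_key(key_b64: str) -> bytes:
    """Decode the Base64 key and require a 32-byte value.

    Assumption: the HPKE public key is an X25519 public key (32 bytes), which
    matches the length of the documented example value. Catch a malformed key
    client-side rather than after the PUT.
    """
    raw = base64.b64decode(key_b64, validate=True)  # raises ValueError on non-Base64 input
    if len(raw) != 32:
        raise ValueError(f"public_key decodes to {len(raw)} bytes, expected 32")
    return raw


def build_update_body(key_b64: str) -> str:
    """JSON body for PUT /accounts/{account_id}/gateway/audit_ssh_settings."""
    validate_hpke_public_key(key_b64)
    return json.dumps({"public_key": key_b64})


def check_settings_response(response: dict, expected_key_b64: str) -> list[str]:
    """Compare a GET response with the recorded key; return findings (empty = OK)."""
    findings = []
    if not response.get("success"):
        findings.append(f"API call failed: {response.get('errors')}")
        return findings
    result = response.get("result") or {}
    key = result.get("public_key")
    if not key:
        findings.append("no public_key configured: SSH session logs are not encrypted to an operator key")
    elif key != expected_key_b64:
        findings.append("public_key differs from the recorded key: unexpected change, investigate before trusting logs")
    if not result.get("seed_id"):
        findings.append("no seed_id present in settings")
    return findings


if __name__ == "__main__":
    print(build_update_body(EXPECTED_PUBLIC_KEY))
    print(check_settings_response(SAMPLE_GET_RESPONSE, EXPECTED_PUBLIC_KEY) or "settings match")
```

Run `check_settings_response` against the decoded JSON of the GET endpoint above on a schedule; a non-empty result is a change to the account's log encryption key that should be correlated with your own change records.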
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional GatewaySettings`
  - `created_at: optional string`
  - `public_key: optional string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `seed_id: optional string` Identify the seed ID.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/audit_ssh_settings \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA="
  }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate Zero Trust SSH account seed

**post** `/accounts/{account_id}/gateway/audit_ssh_settings/rotate_seed`

Rotate the SSH account seed that generates the host key identity when connecting through the Cloudflare SSH Proxy.
### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional GatewaySettings`
  - `created_at: optional string`
  - `public_key: optional string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `seed_id: optional string` Identify the seed ID.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/audit_ssh_settings/rotate_seed \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "public_key": "1pyl6I1tL7xfJuFYVzXlUW8uXXlpxegHXBzGCBKaSFA=",
    "seed_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Gateway Settings

- `GatewaySettings { created_at, public_key, seed_id, updated_at }`
  - `created_at: optional string`
  - `public_key: optional string` Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
  - `seed_id: optional string` Identify the seed ID.
  - `updated_at: optional string`

# Categories

## List categories

**get** `/accounts/{account_id}/gateway/categories`

List all categories.

### Path Parameters

- `account_id: string` Provide the identifier string.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional array of Category`
  - `id: optional number` Identify this category. Only one category per ID.
  - `beta: optional boolean` Indicate whether the category is in beta and subject to change.
  - `class: optional "free" or "premium" or "blocked" or 2 more` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
    - `"free"`
    - `"premium"`
    - `"blocked"`
    - `"removalPending"`
    - `"noBlock"`
  - `description: optional string` Provide a short summary of domains in the category.
  - `name: optional string` Specify the category name.
  - `subcategories: optional array of { id, beta, class, 2 more }` Provide all subcategories for this category.
    - `id: optional number` Identify this category. Only one category per ID.
    - `beta: optional boolean` Indicate whether the category is in beta and subject to change.
    - `class: optional "free" or "premium" or "blocked" or 2 more` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
      - `"free"`
      - `"premium"`
      - `"blocked"`
      - `"removalPending"`
      - `"noBlock"`
    - `description: optional string` Provide a short summary of domains in the category.
    - `name: optional string` Specify the category name.
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Indicate the total number of results for the requested service.
  - `page: optional number` Indicate the current page within a paginated list of results.
  - `per_page: optional number` Indicate the number of results per page.
  - `total_count: optional number` Indicate the total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/categories \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": 0,
      "beta": false,
      "class": "premium",
      "description": "Sites related to educational content that are not included in other categories such as Science, Technology or Educational institutions.",
      "name": "Education",
      "subcategories": [
        {
          "id": 0,
          "beta": false,
          "class": "premium",
          "description": "Sites related to educational content that are not included in other categories such as Science, Technology or Educational institutions.",
          "name": "Education"
        }
      ]
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Domain Types

### Category

- `Category { id, beta, class, 3 more }`
  - `id: optional number` Identify this category. Only one category per ID.
  - `beta: optional boolean` Indicate whether the category is in beta and subject to change.
  - `class: optional "free" or "premium" or "blocked" or 2 more` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
    - `"free"`
    - `"premium"`
    - `"blocked"`
    - `"removalPending"`
    - `"noBlock"`
  - `description: optional string` Provide a short summary of domains in the category.
  - `name: optional string` Specify the category name.
  - `subcategories: optional array of { id, beta, class, 2 more }` Provide all subcategories for this category.
    - `id: optional number` Identify this category. Only one category per ID.
    - `beta: optional boolean` Indicate whether the category is in beta and subject to change.
    - `class: optional "free" or "premium" or "blocked" or 2 more` Specify which account types can create policies for this category. `blocked` Blocks unconditionally for all accounts. `removalPending` Allows removal from policies but disables addition. `noBlock` Prevents blocking.
      - `"free"`
      - `"premium"`
      - `"blocked"`
      - `"removalPending"`
      - `"noBlock"`
    - `description: optional string` Provide a short summary of domains in the category.
    - `name: optional string` Specify the category name.

# App Types

## List application and application type mappings

**get** `/accounts/{account_id}/gateway/app_types`

List all application and application type mappings.

### Path Parameters

- `account_id: string` Provide the identifier string.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional array of AppType`
  - `ZeroTrustGatewayApplication { id, application_type_id, created_at, name }`
    - `id: optional number` Identify this application. Only one application per ID.
    - `application_type_id: optional number` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `created_at: optional string`
    - `name: optional string` Specify the name of the application or application type.
  - `ZeroTrustGatewayApplicationType { id, created_at, description, name }`
    - `id: optional number` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `created_at: optional string`
    - `description: optional string` Provide a short summary of applications with this type.
    - `name: optional string` Specify the name of the application or application type.
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Indicate the total number of results for the requested service.
  - `page: optional number` Indicate the current page within a paginated list of results.
  - `per_page: optional number` Indicate the number of results per page.
  - `total_count: optional number` Indicate the total results available without any search parameters.
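The `result` array mixes two object shapes, and an application's `application_type_id` refers to the `id` of a type object that may be on a different page of results. The following added example (not Cloudflare's own code) tells the two shapes apart by the presence of `application_type_id`, resolves each application to its type name, reports applications whose type could not be resolved, and walks `result_info` pagination before resolving. The sample data is constructed (ids and names are made up), and the pagination helper assumes the endpoint accepts `page` and `per_page` query parameters, which the page does not state; the caller supplies the fetch function.

```python
"""Resolve the mixed result array of GET .../gateway/app_types into
application -> application type mappings.

Added example, not Cloudflare code. Sample data is constructed and includes
one application whose type id is absent, as happens when the type object sits
on a page of results that has not been fetched yet.
"""

# Constructed sample in the documented shape (ids and names are made up).
SAMPLE_RESULT = [
    {"id": 1, "created_at": "2014-01-01T05:20:00.12345Z",
     "description": "Social networking and media sharing services", "name": "Social Networking"},
    {"id": 10, "application_type_id": 1, "created_at": "2014-01-01T05:20:00.12345Z", "name": "Facebook"},
    {"id": 11, "application_type_id": 1, "created_at": "2014-01-01T05:20:00.12345Z", "name": "Example Social"},
    {"id": 12, "application_type_id": 99, "created_at": "2014-01-01T05:20:00.12345Z", "name": "Orphan App"},
]


def is_application(entry: dict) -> bool:
    """ZeroTrustGatewayApplication carries application_type_id; the type object does not."""
    return "application_type_id" in entry


def split_result(result: list[dict]) -> tuple[dict[int, dict], list[dict]]:
    """Index the type objects by id and collect the application objects."""
    types = {e["id"]: e for e in result if not is_application(e)}
    apps = [e for e in result if is_application(e)]
    return types, apps


def map_applications(result: list[dict]) -> tuple[dict[str, str], list[str]]:
    """Return ({application name: type name}, [applications whose type id is unresolved])."""
    types, apps = split_result(result)
    mapping, unresolved = {}, []
    for app in apps:
        app_type = types.get(app["application_type_id"])
        if app_type is None:
            unresolved.append(app["name"])  # type not in this result set: fetch all pages first
        else:
            mapping[app["name"]] = app_type["name"]
    return mapping, unresolved


def applications_by_type(result: list[dict]) -> dict[str, list[str]]:
    """Group application names under their type name (several applications share one type)."""
    grouped: dict[str, list[str]] = {}
    mapping, _ = map_applications(result)
    for app_name, type_name in mapping.items():
        grouped.setdefault(type_name, []).append(app_name)
    return {t: sorted(names) for t, names in grouped.items()}


def collect_all_pages(fetch_page, per_page: int = 20) -> list[dict]:
    """Concatenate every page so that type references can be resolved.

    Assumption (not stated on the page): the endpoint accepts page/per_page
    query parameters matching the documented result_info fields. fetch_page(page,
    per_page) is supplied by the caller and returns the decoded JSON body.
    """
    result, page = [], 1
    while True:
        body = fetch_page(page, per_page)
        items = body.get("result") or []
        result.extend(items)
        info = body.get("result_info") or {}
        if not items or page * per_page >= info.get("total_count", len(result)):
            return result
        page += 1


if __name__ == "__main__":
    mapping, unresolved = map_applications(SAMPLE_RESULT)
    print(mapping)            # {'Facebook': 'Social Networking', 'Example Social': 'Social Networking'}
    print(unresolved)         # ['Orphan App']
    print(applications_by_type(SAMPLE_RESULT))
```

Resolve only over the output of `collect_all_pages`; resolving a single page produces spurious unresolved entries whenever a type and its applications land on different pages.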
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/app_types \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": 0,
      "application_type_id": 0,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "name": "Facebook"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Domain Types

### App Type

- `AppType = { id, application_type_id, created_at, name } or { id, created_at, description, name }`
  - `ZeroTrustGatewayApplication { id, application_type_id, created_at, name }`
    - `id: optional number` Identify this application. Only one application per ID.
    - `application_type_id: optional number` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `created_at: optional string`
    - `name: optional string` Specify the name of the application or application type.
  - `ZeroTrustGatewayApplicationType { id, created_at, description, name }`
    - `id: optional number` Identify the type of this application. Multiple applications can share the same type. Refers to the `id` of a returned application type.
    - `created_at: optional string`
    - `description: optional string` Provide a short summary of applications with this type.
    - `name: optional string` Specify the name of the application or application type.

# Configurations

## Get Zero Trust account configuration

**get** `/accounts/{account_id}/gateway/configuration`

Retrieve the current Zero Trust account configuration.
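The configuration this endpoint returns is where an account's inspection posture lives: activity logging, anti-virus scanning and its fail-closed behaviour, sandbox fallback, TLS decryption and the interception certificate. The following added example (not Cloudflare's own code) audits the `settings` object of a response against a hardening baseline, reports findings with stable codes, and derives the `settings` body for the matching PUT. The baseline is an assumption about what a defender usually wants and should be adjusted to local policy; the sample response is constructed from the documented example values.

```python
"""Audit a Gateway configuration response against a hardening baseline.

Added example, not Cloudflare code. Field names follow the endpoint
documentation; the baseline is an assumption to adjust to local policy.
"""
import copy
import json

# Constructed sample: the documented example response, reduced to the keys used here.
SAMPLE_RESPONSE = {
    "success": True,
    "errors": [],
    "messages": [],
    "result": {
        "settings": {
            "activity_log": {"enabled": True},
            "antivirus": {"enabled_download_phase": False, "enabled_upload_phase": False, "fail_closed": False},
            "block_page": {"enabled": True, "mode": "", "include_context": True,
                           "target_uri": "https://example.com", "read_only": True},
            "custom_certificate": {"enabled": True, "binding_status": "pending_deployment"},
            "fips": {"tls": True},
            "inspection": {"mode": "static"},
            "sandbox": {"enabled": True, "fallback_action": "allow"},
            "tls_decrypt": {"enabled": True},
        },
        "updated_at": "2014-01-01T05:20:00.12345Z",
    },
}


def audit_gateway_settings(settings: dict) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the baseline is met."""
    findings: list[tuple[str, str]] = []

    def flag(code: str, msg: str) -> None:
        findings.append((code, msg))

    def g(section: str, key: str, default=None):
        return (settings.get(section) or {}).get(key, default)

    if g("activity_log", "enabled") is not True:
        flag("activity_log_off", "activity logging is off; Gateway produces no logs for detection")
    if g("antivirus", "enabled_download_phase") is not True:
        flag("av_download_off", "anti-virus scanning of downloads is off")
    if g("antivirus", "enabled_upload_phase") is not True:
        flag("av_upload_off", "anti-virus scanning of uploads is off")
    if g("antivirus", "fail_closed") is not True:
        flag("av_fail_open", "unscannable files are allowed through (fail_closed=false)")
    if g("sandbox", "enabled") and g("sandbox", "fallback_action") != "block":
        flag("sandbox_fail_open", "sandbox allows files it cannot scan (fallback_action=allow)")
    # Both inspection modes need TLS decryption on to see HTTPS at all.
    if g("tls_decrypt", "enabled") is not True:
        flag("tls_decrypt_off", "TLS decryption is off; HTTPS traffic is not inspected in either inspection mode")
    if g("custom_certificate", "enabled"):
        flag("custom_certificate_deprecated",
             "deprecated custom_certificate is enabled (binding_status=%s); migrate to certificate"
             % g("custom_certificate", "binding_status"))
    if g("block_page", "mode") == "redirect_uri":
        if not g("block_page", "target_uri"):
            flag("redirect_without_target", "block page mode is redirect_uri but target_uri is unset")
        if g("block_page", "include_context"):
            flag("redirect_appends_context",
                 "request context is appended to target_uri as query parameters; the redirect target must be trusted")
    if g("fips", "tls") is not True:
        flag("fips_off", "FIPS 140-2 cipher and TLS version enforcement is off (policy-dependent)")
    return findings


def harden_settings(settings: dict) -> dict:
    """Return a copy with the toggle findings corrected, usable as the `settings`
    body of PUT .../gateway/configuration. Certificate migration is left to the
    operator because it needs the UUID of a certificate available at the edge."""
    s = copy.deepcopy(settings)
    s.setdefault("activity_log", {})["enabled"] = True
    s.setdefault("antivirus", {}).update(
        {"enabled_download_phase": True, "enabled_upload_phase": True, "fail_closed": True})
    if s.get("sandbox", {}).get("enabled"):
        s["sandbox"]["fallback_action"] = "block"
    s.setdefault("tls_decrypt", {})["enabled"] = True
    return s


def update_body(settings: dict) -> str:
    """JSON body for the PUT request (send with curl -d or an HTTP client)."""
    return json.dumps({"settings": settings})


if __name__ == "__main__":
    current = SAMPLE_RESPONSE["result"]["settings"]
    for code, msg in audit_gateway_settings(current):
        print(f"[{code}] {msg}")
    print(update_body(harden_settings(current)))
```

Settings marked `read_only` (shared through the Orgs API from `source_account`) cannot be changed from the account itself; the audit still reports them so the finding can be raised with the owning organization.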
### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { created_at, settings, updated_at }` Specify account settings.
  - `created_at: optional string`
  - `settings: optional GatewayConfigurationSettings` Specify account settings.
    - `activity_log: optional ActivityLogSettings` Specify activity log settings.
      - `enabled: optional boolean` Specify whether to log activity.
    - `antivirus: optional AntiVirusSettings` Specify anti-virus settings.
      - `enabled_download_phase: optional boolean` Specify whether to enable anti-virus scanning on downloads.
      - `enabled_upload_phase: optional boolean` Specify whether to enable anti-virus scanning on uploads.
      - `fail_closed: optional boolean` Specify whether to block requests for unscannable files.
      - `notification_settings: optional NotificationSettings` Configure the message the user's device shows during an antivirus scan.
        - `enabled: optional boolean` Specify whether to enable notifications.
        - `include_context: optional boolean` Specify whether to include context information as query parameters.
        - `msg: optional string` Specify the message to show in the notification.
        - `support_url: optional string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `block_page: optional BlockPageSettings` Specify block page layout settings.
      - `background_color: optional string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `enabled: optional boolean` Specify whether to enable the custom block page.
      - `footer_text: optional string` Specify the block page footer text when the mode is customized_block_page.
      - `header_text: optional string` Specify the block page header text when the mode is customized_block_page.
      - `include_context: optional boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `logo_path: optional string` Specify the full URL to the logo file when the mode is customized_block_page.
      - `mailto_address: optional string` Specify the admin email for users to contact when the mode is customized_block_page.
      - `mailto_subject: optional string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `mode: optional "" or "customized_block_page" or "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `""`
        - `"customized_block_page"`
        - `"redirect_uri"`
      - `name: optional string` Specify the block page title when the mode is customized_block_page.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `suppress_footer: optional boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `target_uri: optional string` Specify the URI to redirect users to when the mode is redirect_uri.
      - `version: optional number` Indicate the version number of the setting.
    - `body_scanning: optional BodyScanningSettings` Specify the DLP inspection mode.
      - `inspection_mode: optional "deep" or "shallow"` Specify the inspection mode as either `deep` or `shallow`.
        - `"deep"`
        - `"shallow"`
    - `browser_isolation: optional BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
      - `non_identity_enabled: optional boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
      - `url_browser_isolation_enabled: optional boolean` Specify whether to enable Clientless Browser Isolation.
    - `certificate: optional { id }` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `custom_certificate: optional CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `enabled: boolean` Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `id: optional string` Specify the UUID of the certificate (ID from MTLS certificate store).
      - `binding_status: optional string` Indicate the internal certificate status.
      - `updated_at: optional string`
    - `extended_email_matching: optional ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `enabled: optional boolean` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `version: optional number` Indicate the version number of the setting.
    - `fips: optional FipsSettings` Specify FIPS settings.
      - `tls: optional boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `host_selector: optional { enabled }` Enable host selection in egress policies.
      - `enabled: optional boolean` Specify whether to enable filtering via hosts for egress policies.
    - `inspection: optional { mode }` Define the proxy inspection mode.
      - `mode: optional "static" or "dynamic"` Define the proxy inspection mode.
        1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
        2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `"static"`
        - `"dynamic"`
    - `protocol_detection: optional ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
      - `enabled: optional boolean` Specify whether to detect protocols from the initial bytes of client traffic.
    - `sandbox: optional { enabled, fallback_action }` Specify whether to enable the sandbox.
      - `enabled: optional boolean` Specify whether to enable the sandbox.
      - `fallback_action: optional "allow" or "block"` Specify the action to take when the system cannot scan the file.
        - `"allow"`
        - `"block"`
    - `tls_decrypt: optional TLSSettings` Specify whether to inspect encrypted HTTP traffic.
      - `enabled: optional boolean` Specify whether to inspect encrypted HTTP traffic.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "settings": {
      "activity_log": { "enabled": true },
      "antivirus": {
        "enabled_download_phase": false,
        "enabled_upload_phase": false,
        "fail_closed": false,
        "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" }
      },
      "block_page": {
        "background_color": "background_color",
        "enabled": true,
        "footer_text": "--footer--",
        "header_text": "--header--",
        "include_context": true,
        "logo_path": "https://logos.com/a.png",
        "mailto_address": "admin@example.com",
        "mailto_subject": "Blocked User Inquiry",
        "mode": "",
        "name": "Cloudflare",
        "read_only": true,
        "source_account": "source_account",
        "suppress_footer": false,
        "target_uri": "https://example.com",
        "version": 1
      },
      "body_scanning": { "inspection_mode": "deep" },
      "browser_isolation": { "non_identity_enabled": true, "url_browser_isolation_enabled": true },
      "certificate": { "id": "d1b364c5-1311-466e-a194-f0e943e0799f" },
      "custom_certificate": {
        "enabled": true,
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
        "binding_status": "pending_deployment",
        "updated_at": "2019-12-27T18:11:19.117Z"
      },
      "extended_email_matching": { "enabled": true, "read_only": true, "source_account": "source_account", "version": 1 },
      "fips": { "tls": true },
      "host_selector": { "enabled": false },
      "inspection": { "mode": "static" },
      "protocol_detection": { "enabled": true },
      "sandbox": { "enabled": true, "fallback_action": "allow" },
      "tls_decrypt": { "enabled": true }
    },
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update Zero Trust account configuration

**put** `/accounts/{account_id}/gateway/configuration`

Update the current Zero Trust account configuration.

### Path Parameters

- `account_id: string`

### Body Parameters

- `settings: optional GatewayConfigurationSettings` Specify account settings.
  - `activity_log: optional ActivityLogSettings` Specify activity log settings.
    - `enabled: optional boolean` Specify whether to log activity.
  - `antivirus: optional AntiVirusSettings` Specify anti-virus settings.
    - `enabled_download_phase: optional boolean` Specify whether to enable anti-virus scanning on downloads.
    - `enabled_upload_phase: optional boolean` Specify whether to enable anti-virus scanning on uploads.
    - `fail_closed: optional boolean` Specify whether to block requests for unscannable files.
    - `notification_settings: optional NotificationSettings` Configure the message the user's device shows during an antivirus scan.
      - `enabled: optional boolean` Specify whether to enable notifications.
      - `include_context: optional boolean` Specify whether to include context information as query parameters.
      - `msg: optional string` Specify the message to show in the notification.
      - `support_url: optional string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
  - `block_page: optional BlockPageSettings` Specify block page layout settings.
    - `background_color: optional string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
    - `enabled: optional boolean` Specify whether to enable the custom block page.
    - `footer_text: optional string` Specify the block page footer text when the mode is customized_block_page.
    - `header_text: optional string` Specify the block page header text when the mode is customized_block_page.
    - `include_context: optional boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
    - `logo_path: optional string` Specify the full URL to the logo file when the mode is customized_block_page.
    - `mailto_address: optional string` Specify the admin email for users to contact when the mode is customized_block_page.
    - `mailto_subject: optional string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
    - `mode: optional "" or "customized_block_page" or "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
      - `""`
      - `"customized_block_page"`
      - `"redirect_uri"`
    - `name: optional string` Specify the block page title when the mode is customized_block_page.
    - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read only for the current account.
    - `source_account: optional string` Indicate the account tag of the account that shared this setting.
    - `suppress_footer: optional boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
    - `target_uri: optional string` Specify the URI to redirect users to when the mode is redirect_uri.
    - `version: optional number` Indicate the version number of the setting.
  - `body_scanning: optional BodyScanningSettings` Specify the DLP inspection mode.
    - `inspection_mode: optional "deep" or "shallow"` Specify the inspection mode as either `deep` or `shallow`.
      - `"deep"`
      - `"shallow"`
  - `browser_isolation: optional BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
    - `non_identity_enabled: optional boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
    - `url_browser_isolation_enabled: optional boolean` Specify whether to enable Clientless Browser Isolation.
  - `certificate: optional { id }` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
    - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
  - `custom_certificate: optional CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
    - `enabled: boolean` Specify whether to enable a custom certificate authority for signing Gateway traffic.
    - `id: optional string` Specify the UUID of the certificate (ID from MTLS certificate store).
    - `binding_status: optional string` Indicate the internal certificate status.
    - `updated_at: optional string`
  - `extended_email_matching: optional ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
    - `enabled: optional boolean` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
    - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read only for the current account.
    - `source_account: optional string` Indicate the account tag of the account that shared this setting.
    - `version: optional number` Indicate the version number of the setting.
  - `fips: optional FipsSettings` Specify FIPS settings.
    - `tls: optional boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
  - `host_selector: optional { enabled }` Enable host selection in egress policies.
    - `enabled: optional boolean` Specify whether to enable filtering via hosts for egress policies.
  - `inspection: optional { mode }` Define the proxy inspection mode.
    - `mode: optional "static" or "dynamic"` Define the proxy inspection mode.
      1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
      2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
      - `"static"`
      - `"dynamic"`
  - `protocol_detection: optional ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
    - `enabled: optional boolean` Specify whether to detect protocols from the initial bytes of client traffic.
  - `sandbox: optional { enabled, fallback_action }` Specify whether to enable the sandbox.
    - `enabled: optional boolean` Specify whether to enable the sandbox.
    - `fallback_action: optional "allow" or "block"` Specify the action to take when the system cannot scan the file.
      - `"allow"`
      - `"block"`
  - `tls_decrypt: optional TLSSettings` Specify whether to inspect encrypted HTTP traffic.
    - `enabled: optional boolean` Specify whether to inspect encrypted HTTP traffic.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { created_at, settings, updated_at }` Specify account settings.
  - `created_at: optional string`
  - `settings: optional GatewayConfigurationSettings` Specify account settings.
    - `activity_log: optional ActivityLogSettings` Specify activity log settings.
      - `enabled: optional boolean` Specify whether to log activity.
    - `antivirus: optional AntiVirusSettings` Specify anti-virus settings.
      - `enabled_download_phase: optional boolean` Specify whether to enable anti-virus scanning on downloads.
      - `enabled_upload_phase: optional boolean` Specify whether to enable anti-virus scanning on uploads.
      - `fail_closed: optional boolean` Specify whether to block requests for unscannable files.
      - `notification_settings: optional NotificationSettings` Configure the message the user's device shows during an antivirus scan.
        - `enabled: optional boolean` Specify whether to enable notifications.
        - `include_context: optional boolean` Specify whether to include context information as query parameters.
        - `msg: optional string` Specify the message to show in the notification.
        - `support_url: optional string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `block_page: optional BlockPageSettings` Specify block page layout settings.
      - `background_color: optional string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `enabled: optional boolean` Specify whether to enable the custom block page.
      - `footer_text: optional string` Specify the block page footer text when the mode is customized_block_page.
      - `header_text: optional string` Specify the block page header text when the mode is customized_block_page.
      - `include_context: optional boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `logo_path: optional string` Specify the full URL to the logo file when the mode is customized_block_page.
      - `mailto_address: optional string` Specify the admin email for users to contact when the mode is customized_block_page.
      - `mailto_subject: optional string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `mode: optional "" or "customized_block_page" or "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `""`
        - `"customized_block_page"`
        - `"redirect_uri"`
      - `name: optional string` Specify the block page title when the mode is customized_block_page.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `suppress_footer: optional boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `target_uri: optional string` Specify the URI to redirect users to when the mode is redirect_uri.
      - `version: optional number` Indicate the version number of the setting.
    - `body_scanning: optional BodyScanningSettings` Specify the DLP inspection mode.
      - `inspection_mode: optional "deep" or "shallow"` Specify the inspection mode as either `deep` or `shallow`.
        - `"deep"`
        - `"shallow"`
    - `browser_isolation: optional BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
      - `non_identity_enabled: optional boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
      - `url_browser_isolation_enabled: optional boolean` Specify whether to enable Clientless Browser Isolation.
    - `certificate: optional { id }` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `custom_certificate: optional CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `enabled: boolean` Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `id: optional string` Specify the UUID of the certificate (the ID from the mTLS certificate store).
      - `binding_status: optional string` Indicate the internal certificate status.
      - `updated_at: optional string`
    - `extended_email_matching: optional ExtendedEmailMatching` Configure user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `enabled: optional boolean` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `version: optional number` Indicate the version number of the setting.
    - `fips: optional FipsSettings` Specify FIPS settings.
      - `tls: optional boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `host_selector: optional { enabled }` Enable host selection in egress policies.
      - `enabled: optional boolean` Specify whether to enable filtering via hosts for egress policies.
    - `inspection: optional { mode }` Define the proxy inspection mode.
      - `mode: optional "static" or "dynamic"` Define the proxy inspection mode.
        1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
        2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `"static"`
        - `"dynamic"`
    - `protocol_detection: optional ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
      - `enabled: optional boolean` Specify whether to detect protocols from the initial bytes of client traffic.
    - `sandbox: optional { enabled, fallback_action }` Specify whether to enable the sandbox.
      - `enabled: optional boolean` Specify whether to enable the sandbox.
      - `fallback_action: optional "allow" or "block"` Specify the action to take when the system cannot scan the file.
        - `"allow"`
        - `"block"`
    - `tls_decrypt: optional TLSSettings` Specify whether to inspect encrypted HTTP traffic.
      - `enabled: optional boolean` Specify whether to inspect encrypted HTTP traffic.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{}'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "settings": {
      "activity_log": {
        "enabled": true
      },
      "antivirus": {
        "enabled_download_phase": false,
        "enabled_upload_phase": false,
        "fail_closed": false,
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        }
      },
      "block_page": {
        "background_color": "background_color",
        "enabled": true,
        "footer_text": "--footer--",
        "header_text": "--header--",
        "include_context": true,
        "logo_path": "https://logos.com/a.png",
        "mailto_address": "admin@example.com",
        "mailto_subject": "Blocked User Inquiry",
        "mode": "",
        "name": "Cloudflare",
        "read_only": true,
        "source_account": "source_account",
        "suppress_footer": false,
        "target_uri": "https://example.com",
        "version": 1
      },
      "body_scanning": {
        "inspection_mode": "deep"
      },
      "browser_isolation": {
        "non_identity_enabled": true,
        "url_browser_isolation_enabled": true
      },
      "certificate": {
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f"
      },
      "custom_certificate": {
        "enabled": true,
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
        "binding_status": "pending_deployment",
        "updated_at": "2019-12-27T18:11:19.117Z"
      },
      "extended_email_matching": {
        "enabled": true,
        "read_only": true,
        "source_account": "source_account",
        "version": 1
      },
      "fips": {
        "tls": true
      },
      "host_selector": {
        "enabled": false
      },
      "inspection": {
        "mode": "static"
      },
      "protocol_detection": {
        "enabled": true
      },
      "sandbox": {
        "enabled": true,
        "fallback_action": "allow"
      },
      "tls_decrypt": {
        "enabled": true
      }
    },
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Patch Zero Trust account configuration

**patch** `/accounts/{account_id}/gateway/configuration`

Update (PATCH) a single subcollection of settings such as `antivirus`, `tls_decrypt`, `activity_log`, `block_page`, `browser_isolation`, `fips`, `body_scanning`, or `certificate` without updating the entire configuration object. This endpoint returns an error if any settings collection lacks proper configuration.

### Path Parameters

- `account_id: string`

### Body Parameters

- `settings: optional GatewayConfigurationSettings` Specify account settings.
  - `activity_log: optional ActivityLogSettings` Specify activity log settings.
    - `enabled: optional boolean` Specify whether to log activity.
  - `antivirus: optional AntiVirusSettings` Specify anti-virus settings.
    - `enabled_download_phase: optional boolean` Specify whether to enable anti-virus scanning on downloads.
    - `enabled_upload_phase: optional boolean` Specify whether to enable anti-virus scanning on uploads.
    - `fail_closed: optional boolean` Specify whether to block requests for unscannable files.
    - `notification_settings: optional NotificationSettings` Configure the message the user's device shows during an antivirus scan.
      - `enabled: optional boolean` Specify whether to enable notifications.
      - `include_context: optional boolean` Specify whether to include context information as query parameters.
      - `msg: optional string` Specify the message to show in the notification.
      - `support_url: optional string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
  - `block_page: optional BlockPageSettings` Specify block page layout settings.
    - `background_color: optional string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
    - `enabled: optional boolean` Specify whether to enable the custom block page.
    - `footer_text: optional string` Specify the block page footer text when the mode is customized_block_page.
    - `header_text: optional string` Specify the block page header text when the mode is customized_block_page.
    - `include_context: optional boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
    - `logo_path: optional string` Specify the full URL to the logo file when the mode is customized_block_page.
    - `mailto_address: optional string` Specify the admin email for users to contact when the mode is customized_block_page.
    - `mailto_subject: optional string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
    - `mode: optional "" or "customized_block_page" or "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
      - `""`
      - `"customized_block_page"`
      - `"redirect_uri"`
    - `name: optional string` Specify the block page title when the mode is customized_block_page.
    - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account: optional string` Indicate the account tag of the account that shared this setting.
    - `suppress_footer: optional boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
    - `target_uri: optional string` Specify the URI to redirect users to when the mode is redirect_uri.
    - `version: optional number` Indicate the version number of the setting.
  - `body_scanning: optional BodyScanningSettings` Specify the DLP inspection mode.
    - `inspection_mode: optional "deep" or "shallow"` Specify the inspection mode as either `deep` or `shallow`.
      - `"deep"`
      - `"shallow"`
  - `browser_isolation: optional BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
    - `non_identity_enabled: optional boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
    - `url_browser_isolation_enabled: optional boolean` Specify whether to enable Clientless Browser Isolation.
  - `certificate: optional { id }` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
    - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
  - `custom_certificate: optional CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
    - `enabled: boolean` Specify whether to enable a custom certificate authority for signing Gateway traffic.
    - `id: optional string` Specify the UUID of the certificate (the ID from the mTLS certificate store).
    - `binding_status: optional string` Indicate the internal certificate status.
    - `updated_at: optional string`
  - `extended_email_matching: optional ExtendedEmailMatching` Configure user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
    - `enabled: optional boolean` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
    - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account: optional string` Indicate the account tag of the account that shared this setting.
    - `version: optional number` Indicate the version number of the setting.
  - `fips: optional FipsSettings` Specify FIPS settings.
    - `tls: optional boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
  - `host_selector: optional { enabled }` Enable host selection in egress policies.
    - `enabled: optional boolean` Specify whether to enable filtering via hosts for egress policies.
  - `inspection: optional { mode }` Define the proxy inspection mode.
    - `mode: optional "static" or "dynamic"` Define the proxy inspection mode.
      1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
      2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
      - `"static"`
      - `"dynamic"`
  - `protocol_detection: optional ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
    - `enabled: optional boolean` Specify whether to detect protocols from the initial bytes of client traffic.
  - `sandbox: optional { enabled, fallback_action }` Specify whether to enable the sandbox.
    - `enabled: optional boolean` Specify whether to enable the sandbox.
    - `fallback_action: optional "allow" or "block"` Specify the action to take when the system cannot scan the file.
      - `"allow"`
      - `"block"`
  - `tls_decrypt: optional TLSSettings` Specify whether to inspect encrypted HTTP traffic.
    - `enabled: optional boolean` Specify whether to inspect encrypted HTTP traffic.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { created_at, settings, updated_at }` Specify account settings.
  - `created_at: optional string`
  - `settings: optional GatewayConfigurationSettings` Specify account settings.
    - `activity_log: optional ActivityLogSettings` Specify activity log settings.
      - `enabled: optional boolean` Specify whether to log activity.
    - `antivirus: optional AntiVirusSettings` Specify anti-virus settings.
      - `enabled_download_phase: optional boolean` Specify whether to enable anti-virus scanning on downloads.
      - `enabled_upload_phase: optional boolean` Specify whether to enable anti-virus scanning on uploads.
      - `fail_closed: optional boolean` Specify whether to block requests for unscannable files.
      - `notification_settings: optional NotificationSettings` Configure the message the user's device shows during an antivirus scan.
        - `enabled: optional boolean` Specify whether to enable notifications.
        - `include_context: optional boolean` Specify whether to include context information as query parameters.
        - `msg: optional string` Specify the message to show in the notification.
        - `support_url: optional string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `block_page: optional BlockPageSettings` Specify block page layout settings.
      - `background_color: optional string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `enabled: optional boolean` Specify whether to enable the custom block page.
      - `footer_text: optional string` Specify the block page footer text when the mode is customized_block_page.
      - `header_text: optional string` Specify the block page header text when the mode is customized_block_page.
      - `include_context: optional boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `logo_path: optional string` Specify the full URL to the logo file when the mode is customized_block_page.
      - `mailto_address: optional string` Specify the admin email for users to contact when the mode is customized_block_page.
      - `mailto_subject: optional string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `mode: optional "" or "customized_block_page" or "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `""`
        - `"customized_block_page"`
        - `"redirect_uri"`
      - `name: optional string` Specify the block page title when the mode is customized_block_page.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `suppress_footer: optional boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `target_uri: optional string` Specify the URI to redirect users to when the mode is redirect_uri.
      - `version: optional number` Indicate the version number of the setting.
    - `body_scanning: optional BodyScanningSettings` Specify the DLP inspection mode.
      - `inspection_mode: optional "deep" or "shallow"` Specify the inspection mode as either `deep` or `shallow`.
        - `"deep"`
        - `"shallow"`
    - `browser_isolation: optional BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
      - `non_identity_enabled: optional boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
      - `url_browser_isolation_enabled: optional boolean` Specify whether to enable Clientless Browser Isolation.
    - `certificate: optional { id }` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `custom_certificate: optional CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `enabled: boolean` Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `id: optional string` Specify the UUID of the certificate (the ID from the mTLS certificate store).
      - `binding_status: optional string` Indicate the internal certificate status.
      - `updated_at: optional string`
    - `extended_email_matching: optional ExtendedEmailMatching` Configure user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `enabled: optional boolean` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `version: optional number` Indicate the version number of the setting.
    - `fips: optional FipsSettings` Specify FIPS settings.
      - `tls: optional boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `host_selector: optional { enabled }` Enable host selection in egress policies.
      - `enabled: optional boolean` Specify whether to enable filtering via hosts for egress policies.
    - `inspection: optional { mode }` Define the proxy inspection mode.
      - `mode: optional "static" or "dynamic"` Define the proxy inspection mode.
        1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
        2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `"static"`
        - `"dynamic"`
    - `protocol_detection: optional ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
      - `enabled: optional boolean` Specify whether to detect protocols from the initial bytes of client traffic.
    - `sandbox: optional { enabled, fallback_action }` Specify whether to enable the sandbox.
      - `enabled: optional boolean` Specify whether to enable the sandbox.
      - `fallback_action: optional "allow" or "block"` Specify the action to take when the system cannot scan the file.
        - `"allow"`
        - `"block"`
    - `tls_decrypt: optional TLSSettings` Specify whether to inspect encrypted HTTP traffic.
      - `enabled: optional boolean` Specify whether to inspect encrypted HTTP traffic.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{}'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "created_at": "2014-01-01T05:20:00.12345Z",
    "settings": {
      "activity_log": {
        "enabled": true
      },
      "antivirus": {
        "enabled_download_phase": false,
        "enabled_upload_phase": false,
        "fail_closed": false,
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        }
      },
      "block_page": {
        "background_color": "background_color",
        "enabled": true,
        "footer_text": "--footer--",
        "header_text": "--header--",
        "include_context": true,
        "logo_path": "https://logos.com/a.png",
        "mailto_address": "admin@example.com",
        "mailto_subject": "Blocked User Inquiry",
        "mode": "",
        "name": "Cloudflare",
        "read_only": true,
        "source_account": "source_account",
        "suppress_footer": false,
        "target_uri": "https://example.com",
        "version": 1
      },
      "body_scanning": {
        "inspection_mode": "deep"
      },
      "browser_isolation": {
        "non_identity_enabled": true,
        "url_browser_isolation_enabled": true
      },
      "certificate": {
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f"
      },
      "custom_certificate": {
        "enabled": true,
        "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
        "binding_status": "pending_deployment",
        "updated_at": "2019-12-27T18:11:19.117Z"
      },
      "extended_email_matching": {
        "enabled": true,
        "read_only": true,
        "source_account": "source_account",
        "version": 1
      },
      "fips": {
        "tls": true
      },
      "host_selector": {
        "enabled": false
      },
      "inspection": {
        "mode": "static"
      },
      "protocol_detection": {
        "enabled": true
      },
      "sandbox": {
        "enabled": true,
        "fallback_action": "allow"
      },
      "tls_decrypt": {
        "enabled": true
      }
    },
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Activity Log Settings

- `ActivityLogSettings { enabled }` Specify activity log settings.
  - `enabled: optional boolean` Specify whether to log activity.

### Anti Virus Settings

- `AntiVirusSettings { enabled_download_phase, enabled_upload_phase, fail_closed, notification_settings }` Specify anti-virus settings.
  - `enabled_download_phase: optional boolean` Specify whether to enable anti-virus scanning on downloads.
  - `enabled_upload_phase: optional boolean` Specify whether to enable anti-virus scanning on uploads.
  - `fail_closed: optional boolean` Specify whether to block requests for unscannable files.
  - `notification_settings: optional NotificationSettings` Configure the message the user's device shows during an antivirus scan.
    - `enabled: optional boolean` Specify whether to enable notifications.
    - `include_context: optional boolean` Specify whether to include context information as query parameters.
    - `msg: optional string` Specify the message to show in the notification.
    - `support_url: optional string` Specify a URL that directs users to more information. If unset, the notification opens a block page.

### Block Page Settings

- `BlockPageSettings { background_color, enabled, footer_text, 12 more }` Specify block page layout settings.
  - `background_color: optional string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
  - `enabled: optional boolean` Specify whether to enable the custom block page.
  - `footer_text: optional string` Specify the block page footer text when the mode is customized_block_page.
  - `header_text: optional string` Specify the block page header text when the mode is customized_block_page.
  - `include_context: optional boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
  - `logo_path: optional string` Specify the full URL to the logo file when the mode is customized_block_page.
  - `mailto_address: optional string` Specify the admin email for users to contact when the mode is customized_block_page.
  - `mailto_subject: optional string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
  - `mode: optional "" or "customized_block_page" or "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
    - `""`
    - `"customized_block_page"`
    - `"redirect_uri"`
  - `name: optional string` Specify the block page title when the mode is customized_block_page.
  - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
  - `source_account: optional string` Indicate the account tag of the account that shared this setting.
  - `suppress_footer: optional boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
  - `target_uri: optional string` Specify the URI to redirect users to when the mode is redirect_uri.
  - `version: optional number` Indicate the version number of the setting.

### Body Scanning Settings

- `BodyScanningSettings { inspection_mode }` Specify the DLP inspection mode.
  - `inspection_mode: optional "deep" or "shallow"` Specify the inspection mode as either `deep` or `shallow`.
    - `"deep"`
    - `"shallow"`

### Browser Isolation Settings

- `BrowserIsolationSettings { non_identity_enabled, url_browser_isolation_enabled }` Specify Clientless Browser Isolation settings.
  - `non_identity_enabled: optional boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
  - `url_browser_isolation_enabled: optional boolean` Specify whether to enable Clientless Browser Isolation.
### Custom Certificate Settings

- `CustomCertificateSettings { enabled, id, binding_status, updated_at }` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
  - `enabled: boolean` Specify whether to enable a custom certificate authority for signing Gateway traffic.
  - `id: optional string` Specify the UUID of the certificate (the ID from the mTLS certificate store).
  - `binding_status: optional string` Indicate the internal certificate status.
  - `updated_at: optional string`

### Extended Email Matching

- `ExtendedEmailMatching { enabled, read_only, source_account, version }` Configure user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
  - `enabled: optional boolean` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
  - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
  - `source_account: optional string` Indicate the account tag of the account that shared this setting.
  - `version: optional number` Indicate the version number of the setting.

### Fips Settings

- `FipsSettings { tls }` Specify FIPS settings.
  - `tls: optional boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.

### Gateway Configuration Settings

- `GatewayConfigurationSettings { activity_log, antivirus, block_page, 11 more }` Specify account settings.
  - `activity_log: optional ActivityLogSettings` Specify activity log settings.
    - `enabled: optional boolean` Specify whether to log activity.
  - `antivirus: optional AntiVirusSettings` Specify anti-virus settings.
    - `enabled_download_phase: optional boolean` Specify whether to enable anti-virus scanning on downloads.
    - `enabled_upload_phase: optional boolean` Specify whether to enable anti-virus scanning on uploads.
    - `fail_closed: optional boolean` Specify whether to block requests for unscannable files.
    - `notification_settings: optional NotificationSettings` Configure the message the user's device shows during an antivirus scan.
      - `enabled: optional boolean` Specify whether to enable notifications.
      - `include_context: optional boolean` Specify whether to include context information as query parameters.
      - `msg: optional string` Specify the message to show in the notification.
      - `support_url: optional string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
  - `block_page: optional BlockPageSettings` Specify block page layout settings.
    - `background_color: optional string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
    - `enabled: optional boolean` Specify whether to enable the custom block page.
    - `footer_text: optional string` Specify the block page footer text when the mode is customized_block_page.
    - `header_text: optional string` Specify the block page header text when the mode is customized_block_page.
    - `include_context: optional boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
    - `logo_path: optional string` Specify the full URL to the logo file when the mode is customized_block_page.
    - `mailto_address: optional string` Specify the admin email for users to contact when the mode is customized_block_page.
    - `mailto_subject: optional string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
    - `mode: optional "" or "customized_block_page" or "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
      - `""`
      - `"customized_block_page"`
      - `"redirect_uri"`
    - `name: optional string` Specify the block page title when the mode is customized_block_page.
    - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
    - `source_account: optional string` Indicate the account tag of the account that shared this setting.
    - `suppress_footer: optional boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
    - `target_uri: optional string` Specify the URI to redirect users to when the mode is redirect_uri.
    - `version: optional number` Indicate the version number of the setting.
  - `body_scanning: optional BodyScanningSettings` Specify the DLP inspection mode.
    - `inspection_mode: optional "deep" or "shallow"` Specify the inspection mode as either `deep` or `shallow`.
      - `"deep"`
      - `"shallow"`
  - `browser_isolation: optional BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
    - `non_identity_enabled: optional boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
    - `url_browser_isolation_enabled: optional boolean` Specify whether to enable Clientless Browser Isolation.
  - `certificate: optional { id }` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
    - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
  - `custom_certificate: optional CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
- `enabled: boolean` Specify whether to enable a custom certificate authority for signing Gateway traffic. - `id: optional string` Specify the UUID of the certificate (ID from MTLS certificate store). - `binding_status: optional string` Indicate the internal certificate status. - `updated_at: optional string` - `extended_email_matching: optional ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers. - `enabled: optional boolean` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies. - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and read only for the current account. - `source_account: optional string` Indicate the account tag of the account that shared this setting. - `version: optional number` Indicate the version number of the setting. - `fips: optional FipsSettings` Specify FIPS settings. - `tls: optional boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2. - `host_selector: optional { enabled }` Enable host selection in egress policies. - `enabled: optional boolean` Specify whether to enable filtering via hosts for egress policies. - `inspection: optional { mode }` Define the proxy inspection mode. - `mode: optional "static" or "dynamic"` Define the proxy inspection mode. 1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443). 2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic. 
- `"static"` - `"dynamic"` - `protocol_detection: optional ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled: optional boolean` Specify whether to detect protocols from the initial bytes of client traffic. - `sandbox: optional { enabled, fallback_action }` Specify whether to enable the sandbox. - `enabled: optional boolean` Specify whether to enable the sandbox. - `fallback_action: optional "allow" or "block"` Specify the action to take when the system cannot scan the file. - `"allow"` - `"block"` - `tls_decrypt: optional TLSSettings` Specify whether to inspect encrypted HTTP traffic. - `enabled: optional boolean` Specify whether to inspect encrypted HTTP traffic. ### Notification Settings - `NotificationSettings { enabled, include_context, msg, support_url }` Configure the message the user's device shows during an antivirus scan. - `enabled: optional boolean` Specify whether to enable notifications. - `include_context: optional boolean` Specify whether to include context information as query parameters. - `msg: optional string` Specify the message to show in the notification. - `support_url: optional string` Specify a URL that directs users to more information. If unset, the notification opens a block page. ### Protocol Detection - `ProtocolDetection { enabled }` Specify whether to detect protocols from the initial bytes of client traffic. - `enabled: optional boolean` Specify whether to detect protocols from the initial bytes of client traffic. ### TLS Settings - `TLSSettings { enabled }` Specify whether to inspect encrypted HTTP traffic. - `enabled: optional boolean` Specify whether to inspect encrypted HTTP traffic. ### Configuration Get Response - `ConfigurationGetResponse { created_at, settings, updated_at }` Specify account settings. - `created_at: optional string` - `settings: optional GatewayConfigurationSettings` Specify account settings. 
    - `activity_log: optional ActivityLogSettings` Specify activity log settings.
      - `enabled: optional boolean` Specify whether to log activity.
    - `antivirus: optional AntiVirusSettings` Specify anti-virus settings.
      - `enabled_download_phase: optional boolean` Specify whether to enable anti-virus scanning on downloads.
      - `enabled_upload_phase: optional boolean` Specify whether to enable anti-virus scanning on uploads.
      - `fail_closed: optional boolean` Specify whether to block requests for unscannable files.
      - `notification_settings: optional NotificationSettings` Configure the message the user's device shows during an antivirus scan.
        - `enabled: optional boolean` Specify whether to enable notifications.
        - `include_context: optional boolean` Specify whether to include context information as query parameters.
        - `msg: optional string` Specify the message to show in the notification.
        - `support_url: optional string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `block_page: optional BlockPageSettings` Specify block page layout settings.
      - `background_color: optional string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `enabled: optional boolean` Specify whether to enable the custom block page.
      - `footer_text: optional string` Specify the block page footer text when the mode is customized_block_page.
      - `header_text: optional string` Specify the block page header text when the mode is customized_block_page.
      - `include_context: optional boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `logo_path: optional string` Specify the full URL to the logo file when the mode is customized_block_page.
      - `mailto_address: optional string` Specify the admin email for users to contact when the mode is customized_block_page.
      - `mailto_subject: optional string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `mode: optional "" or "customized_block_page" or "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `""`
        - `"customized_block_page"`
        - `"redirect_uri"`
      - `name: optional string` Specify the block page title when the mode is customized_block_page.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `suppress_footer: optional boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `target_uri: optional string` Specify the URI to redirect users to when the mode is redirect_uri.
      - `version: optional number` Indicate the version number of the setting.
    - `body_scanning: optional BodyScanningSettings` Specify the DLP inspection mode.
      - `inspection_mode: optional "deep" or "shallow"` Specify the inspection mode as either `deep` or `shallow`.
        - `"deep"`
        - `"shallow"`
    - `browser_isolation: optional BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
      - `non_identity_enabled: optional boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
      - `url_browser_isolation_enabled: optional boolean` Specify whether to enable Clientless Browser Isolation.
    - `certificate: optional { id }` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `custom_certificate: optional CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `enabled: boolean` Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `id: optional string` Specify the UUID of the certificate (ID from MTLS certificate store).
      - `binding_status: optional string` Indicate the internal certificate status.
      - `updated_at: optional string`
    - `extended_email_matching: optional ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `enabled: optional boolean` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `version: optional number` Indicate the version number of the setting.
    - `fips: optional FipsSettings` Specify FIPS settings.
      - `tls: optional boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `host_selector: optional { enabled }` Enable host selection in egress policies.
      - `enabled: optional boolean` Specify whether to enable filtering via hosts for egress policies.
    - `inspection: optional { mode }` Define the proxy inspection mode.
      - `mode: optional "static" or "dynamic"` Define the proxy inspection mode.
        1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
        2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `"static"`
        - `"dynamic"`
    - `protocol_detection: optional ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
      - `enabled: optional boolean` Specify whether to detect protocols from the initial bytes of client traffic.
    - `sandbox: optional { enabled, fallback_action }` Specify whether to enable the sandbox.
      - `enabled: optional boolean` Specify whether to enable the sandbox.
      - `fallback_action: optional "allow" or "block"` Specify the action to take when the system cannot scan the file.
        - `"allow"`
        - `"block"`
    - `tls_decrypt: optional TLSSettings` Specify whether to inspect encrypted HTTP traffic.
      - `enabled: optional boolean` Specify whether to inspect encrypted HTTP traffic.
  - `updated_at: optional string`

### Configuration Update Response

- `ConfigurationUpdateResponse { created_at, settings, updated_at }` Specify account settings.
  - `created_at: optional string`
  - `settings: optional GatewayConfigurationSettings` Specify account settings.
    - `activity_log: optional ActivityLogSettings` Specify activity log settings.
      - `enabled: optional boolean` Specify whether to log activity.
    - `antivirus: optional AntiVirusSettings` Specify anti-virus settings.
      - `enabled_download_phase: optional boolean` Specify whether to enable anti-virus scanning on downloads.
      - `enabled_upload_phase: optional boolean` Specify whether to enable anti-virus scanning on uploads.
      - `fail_closed: optional boolean` Specify whether to block requests for unscannable files.
      - `notification_settings: optional NotificationSettings` Configure the message the user's device shows during an antivirus scan.
        - `enabled: optional boolean` Specify whether to enable notifications.
        - `include_context: optional boolean` Specify whether to include context information as query parameters.
        - `msg: optional string` Specify the message to show in the notification.
        - `support_url: optional string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `block_page: optional BlockPageSettings` Specify block page layout settings.
      - `background_color: optional string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `enabled: optional boolean` Specify whether to enable the custom block page.
      - `footer_text: optional string` Specify the block page footer text when the mode is customized_block_page.
      - `header_text: optional string` Specify the block page header text when the mode is customized_block_page.
      - `include_context: optional boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `logo_path: optional string` Specify the full URL to the logo file when the mode is customized_block_page.
      - `mailto_address: optional string` Specify the admin email for users to contact when the mode is customized_block_page.
      - `mailto_subject: optional string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `mode: optional "" or "customized_block_page" or "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `""`
        - `"customized_block_page"`
        - `"redirect_uri"`
      - `name: optional string` Specify the block page title when the mode is customized_block_page.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `suppress_footer: optional boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `target_uri: optional string` Specify the URI to redirect users to when the mode is redirect_uri.
      - `version: optional number` Indicate the version number of the setting.
    - `body_scanning: optional BodyScanningSettings` Specify the DLP inspection mode.
      - `inspection_mode: optional "deep" or "shallow"` Specify the inspection mode as either `deep` or `shallow`.
        - `"deep"`
        - `"shallow"`
    - `browser_isolation: optional BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
      - `non_identity_enabled: optional boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
      - `url_browser_isolation_enabled: optional boolean` Specify whether to enable Clientless Browser Isolation.
    - `certificate: optional { id }` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `custom_certificate: optional CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `enabled: boolean` Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `id: optional string` Specify the UUID of the certificate (ID from MTLS certificate store).
      - `binding_status: optional string` Indicate the internal certificate status.
      - `updated_at: optional string`
    - `extended_email_matching: optional ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `enabled: optional boolean` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `version: optional number` Indicate the version number of the setting.
    - `fips: optional FipsSettings` Specify FIPS settings.
      - `tls: optional boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `host_selector: optional { enabled }` Enable host selection in egress policies.
      - `enabled: optional boolean` Specify whether to enable filtering via hosts for egress policies.
    - `inspection: optional { mode }` Define the proxy inspection mode.
      - `mode: optional "static" or "dynamic"` Define the proxy inspection mode.
        1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
        2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `"static"`
        - `"dynamic"`
    - `protocol_detection: optional ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
      - `enabled: optional boolean` Specify whether to detect protocols from the initial bytes of client traffic.
    - `sandbox: optional { enabled, fallback_action }` Specify whether to enable the sandbox.
      - `enabled: optional boolean` Specify whether to enable the sandbox.
      - `fallback_action: optional "allow" or "block"` Specify the action to take when the system cannot scan the file.
        - `"allow"`
        - `"block"`
    - `tls_decrypt: optional TLSSettings` Specify whether to inspect encrypted HTTP traffic.
      - `enabled: optional boolean` Specify whether to inspect encrypted HTTP traffic.
  - `updated_at: optional string`

### Configuration Edit Response

- `ConfigurationEditResponse { created_at, settings, updated_at }` Specify account settings.
  - `created_at: optional string`
  - `settings: optional GatewayConfigurationSettings` Specify account settings.
    - `activity_log: optional ActivityLogSettings` Specify activity log settings.
      - `enabled: optional boolean` Specify whether to log activity.
    - `antivirus: optional AntiVirusSettings` Specify anti-virus settings.
      - `enabled_download_phase: optional boolean` Specify whether to enable anti-virus scanning on downloads.
      - `enabled_upload_phase: optional boolean` Specify whether to enable anti-virus scanning on uploads.
      - `fail_closed: optional boolean` Specify whether to block requests for unscannable files.
      - `notification_settings: optional NotificationSettings` Configure the message the user's device shows during an antivirus scan.
        - `enabled: optional boolean` Specify whether to enable notifications.
        - `include_context: optional boolean` Specify whether to include context information as query parameters.
        - `msg: optional string` Specify the message to show in the notification.
        - `support_url: optional string` Specify a URL that directs users to more information. If unset, the notification opens a block page.
    - `block_page: optional BlockPageSettings` Specify block page layout settings.
      - `background_color: optional string` Specify the block page background color in `#rrggbb` format when the mode is customized_block_page.
      - `enabled: optional boolean` Specify whether to enable the custom block page.
      - `footer_text: optional string` Specify the block page footer text when the mode is customized_block_page.
      - `header_text: optional string` Specify the block page header text when the mode is customized_block_page.
      - `include_context: optional boolean` Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
      - `logo_path: optional string` Specify the full URL to the logo file when the mode is customized_block_page.
      - `mailto_address: optional string` Specify the admin email for users to contact when the mode is customized_block_page.
      - `mailto_subject: optional string` Specify the subject line for emails created from the block page when the mode is customized_block_page.
      - `mode: optional "" or "customized_block_page" or "redirect_uri"` Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
        - `""`
        - `"customized_block_page"`
        - `"redirect_uri"`
      - `name: optional string` Specify the block page title when the mode is customized_block_page.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `suppress_footer: optional boolean` Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
      - `target_uri: optional string` Specify the URI to redirect users to when the mode is redirect_uri.
      - `version: optional number` Indicate the version number of the setting.
    - `body_scanning: optional BodyScanningSettings` Specify the DLP inspection mode.
      - `inspection_mode: optional "deep" or "shallow"` Specify the inspection mode as either `deep` or `shallow`.
        - `"deep"`
        - `"shallow"`
    - `browser_isolation: optional BrowserIsolationSettings` Specify Clientless Browser Isolation settings.
      - `non_identity_enabled: optional boolean` Specify whether to enable non-identity onramp support for Browser Isolation.
      - `url_browser_isolation_enabled: optional boolean` Specify whether to enable Clientless Browser Isolation.
    - `certificate: optional { id }` Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
      - `id: string` Specify the UUID of the certificate used for interception. Ensure the certificate is available at the edge (previously called 'active'). A nil UUID directs Cloudflare to use the Root CA.
    - `custom_certificate: optional CustomCertificateSettings` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
      - `enabled: boolean` Specify whether to enable a custom certificate authority for signing Gateway traffic.
      - `id: optional string` Specify the UUID of the certificate (ID from MTLS certificate store).
      - `binding_status: optional string` Indicate the internal certificate status.
      - `updated_at: optional string`
    - `extended_email_matching: optional ExtendedEmailMatching` Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses `.` or `+` modifiers.
      - `enabled: optional boolean` Specify whether to match all variants of user emails (with + or . modifiers) used as criteria in Firewall policies.
      - `read_only: optional boolean` Indicate that this setting was shared via the Orgs API and is read-only for the current account.
      - `source_account: optional string` Indicate the account tag of the account that shared this setting.
      - `version: optional number` Indicate the version number of the setting.
    - `fips: optional FipsSettings` Specify FIPS settings.
      - `tls: optional boolean` Enforce cipher suites and TLS versions compliant with FIPS 140-2.
    - `host_selector: optional { enabled }` Enable host selection in egress policies.
      - `enabled: optional boolean` Specify whether to enable filtering via hosts for egress policies.
    - `inspection: optional { mode }` Define the proxy inspection mode.
      - `mode: optional "static" or "dynamic"` Define the proxy inspection mode.
        1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
        2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
        - `"static"`
        - `"dynamic"`
    - `protocol_detection: optional ProtocolDetection` Specify whether to detect protocols from the initial bytes of client traffic.
      - `enabled: optional boolean` Specify whether to detect protocols from the initial bytes of client traffic.
    - `sandbox: optional { enabled, fallback_action }` Specify whether to enable the sandbox.
      - `enabled: optional boolean` Specify whether to enable the sandbox.
      - `fallback_action: optional "allow" or "block"` Specify the action to take when the system cannot scan the file.
        - `"allow"`
        - `"block"`
    - `tls_decrypt: optional TLSSettings` Specify whether to inspect encrypted HTTP traffic.
      - `enabled: optional boolean` Specify whether to inspect encrypted HTTP traffic.
  - `updated_at: optional string`

# Custom Certificate

## Get Zero Trust certificate configuration

**get** `/accounts/{account_id}/gateway/configuration/custom_certificate`

Retrieve the current Zero Trust certificate configuration.

### Path Parameters

- `account_id: string`

### Returns

- `CustomCertificateSettings { enabled, id, binding_status, updated_at }` Specify custom certificate settings for BYO-PKI. This field is deprecated; use `certificate` instead.
  - `enabled: boolean` Specify whether to enable a custom certificate authority for signing Gateway traffic.
  - `id: optional string` Specify the UUID of the certificate (ID from MTLS certificate store).
  - `binding_status: optional string` Indicate the internal certificate status.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/configuration/custom_certificate \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "enabled": true,
  "id": "d1b364c5-1311-466e-a194-f0e943e0799f",
  "binding_status": "pending_deployment",
  "updated_at": "2019-12-27T18:11:19.117Z"
}
```

# Lists

## List Zero Trust lists

**get** `/accounts/{account_id}/gateway/lists`

Fetch all Zero Trust lists for an account.

### Path Parameters

- `account_id: string`

### Query Parameters

- `type: optional "SERIAL" or "URL" or "DOMAIN" or 5 more` Specify the list type.
  - `"SERIAL"`
  - `"URL"`
  - `"DOMAIN"`
  - `"EMAIL"`
  - `"IP"`
  - `"CATEGORY"`
  - `"LOCATION"`
  - `"DEVICE"`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional array of GatewayList`
  - `id: optional string` Identify the API resource with a UUID.
  - `count: optional number` Indicate the number of items in the list.
  - `created_at: optional string`
  - `description: optional string` Provide the list description.
  - `items: optional array of GatewayItem` Provide the list items.
    - `created_at: optional string`
    - `description: optional string` Provide the list item description (optional).
    - `value: optional string` Specify the item value.
  - `name: optional string` Specify the list name.
  - `type: optional "SERIAL" or "URL" or "DOMAIN" or 5 more` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: optional string`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Indicate the total number of results for the requested service.
  - `page: optional number` Indicate the current page within a paginated list of results.
  - `per_page: optional number` Indicate the number of results per page.
  - `total_count: optional number` Indicate the total results available without any search parameters.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "count": 20,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "description": "The serial numbers for administrators",
      "items": [
        {
          "created_at": "2014-01-01T05:20:00.12345Z",
          "description": "Austin office IP",
          "value": "8GE8721REF"
        }
      ],
      "name": "Admin Serial Numbers",
      "type": "SERIAL",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get Zero Trust list details

**get** `/accounts/{account_id}/gateway/lists/{list_id}`

Fetch a single Zero Trust list.

### Path Parameters

- `account_id: string`
- `list_id: string` Identify the API resource with a UUID.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional GatewayList`
  - `id: optional string` Identify the API resource with a UUID.
  - `count: optional number` Indicate the number of items in the list.
  - `created_at: optional string`
  - `description: optional string` Provide the list description.
  - `items: optional array of GatewayItem` Provide the list items.
    - `created_at: optional string`
    - `description: optional string` Provide the list item description (optional).
    - `value: optional string` Specify the item value.
  - `name: optional string` Specify the list name.
  - `type: optional "SERIAL" or "URL" or "DOMAIN" or 5 more` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists/$LIST_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "count": 20,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "The serial numbers for administrators",
    "items": [
      {
        "created_at": "2014-01-01T05:20:00.12345Z",
        "description": "Austin office IP",
        "value": "8GE8721REF"
      }
    ],
    "name": "Admin Serial Numbers",
    "type": "SERIAL",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create Zero Trust list

**post** `/accounts/{account_id}/gateway/lists`

Creates a new Zero Trust list.

### Path Parameters

- `account_id: string`

### Body Parameters

- `name: string` Specify the list name.
- `type: "SERIAL" or "URL" or "DOMAIN" or 5 more` Specify the list type.
  - `"SERIAL"`
  - `"URL"`
  - `"DOMAIN"`
  - `"EMAIL"`
  - `"IP"`
  - `"CATEGORY"`
  - `"LOCATION"`
  - `"DEVICE"`
- `description: optional string` Provide the list description.
- `items: optional array of { description, value }` Add items to the list.
  - `description: optional string` Provide the list item description (optional).
  - `value: optional string` Specify the item value.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { id, created_at, description, 4 more }`
  - `id: optional string` Identify the API resource with a UUID.
  - `created_at: optional string`
  - `description: optional string` Provide the list description.
  - `items: optional array of GatewayItem` Provide the list items.
    - `created_at: optional string`
    - `description: optional string` Provide the list item description (optional).
    - `value: optional string` Specify the item value.
  - `name: optional string` Specify the list name.
  - `type: optional "SERIAL" or "URL" or "DOMAIN" or 5 more` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "Admin Serial Numbers",
    "type": "SERIAL",
    "description": "The serial numbers for administrators"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "The serial numbers for administrators",
    "items": [
      {
        "created_at": "2014-01-01T05:20:00.12345Z",
        "description": "Austin office IP",
        "value": "8GE8721REF"
      }
    ],
    "name": "Admin Serial Numbers",
    "type": "SERIAL",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update Zero Trust list

**put** `/accounts/{account_id}/gateway/lists/{list_id}`

Updates a configured Zero Trust list. If `items` is omitted from the payload, the existing list items are left unchanged; a non-empty `items` array replaces the existing items.

### Path Parameters

- `account_id: string`
- `list_id: string` Identify the API resource with a UUID.

### Body Parameters

- `name: string` Specify the list name.
- `description: optional string` Provide the list description.
- `items: optional array of { description, value }` Add items to the list.
  - `description: optional string` Provide the list item description (optional).
  - `value: optional string` Specify the item value.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional GatewayList`
  - `id: optional string` Identify the API resource with a UUID.
  - `count: optional number` Indicate the number of items in the list.
  - `created_at: optional string`
  - `description: optional string` Provide the list description.
  - `items: optional array of GatewayItem` Provide the list items.
    - `created_at: optional string`
    - `description: optional string` Provide the list item description (optional).
    - `value: optional string` Specify the item value.
  - `name: optional string` Specify the list name.
  - `type: optional "SERIAL" or "URL" or "DOMAIN" or 5 more` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists/$LIST_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "Admin Serial Numbers",
    "description": "The serial numbers for administrators"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "count": 20,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "The serial numbers for administrators",
    "items": [
      {
        "created_at": "2014-01-01T05:20:00.12345Z",
        "description": "Austin office IP",
        "value": "8GE8721REF"
      }
    ],
    "name": "Admin Serial Numbers",
    "type": "SERIAL",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Patch Zero Trust list

**patch** `/accounts/{account_id}/gateway/lists/{list_id}`

Appends items to, or removes items from, a configured Zero Trust list.

### Path Parameters

- `account_id: string`
- `list_id: string` Identify the API resource with a UUID.

### Body Parameters

- `append: optional array of { description, value }` Add items to the list.
  - `description: optional string` Provide the list item description (optional).
  - `value: optional string` Specify the item value.
- `remove: optional array of string` List of item values you want to remove.
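The PUT and PATCH endpoints above have different update semantics: a PUT without `items` keeps the existing items while a non-empty `items` replaces them all, and a PATCH takes explicit `append` and `remove` arrays. The following is an added example, not Cloudflare's own code, of reconciling a SERIAL list against a desired inventory (for instance an export from your MDM) by computing the minimal PATCH body rather than overwriting the list with PUT. The list contents, the function names `build_patch_body`, `build_put_body` and `patch_list`, and the `CURRENT_ITEMS`/`DESIRED` sample data are all constructed for this example; the request shapes are the ones documented on this page.

```python
"""Reconcile a Zero Trust Gateway list against a desired set of values.

Added example (not Cloudflare's code). It relies on the PATCH semantics
documented above: `append` adds items, `remove` takes item values to
delete. It also shows how to build a PUT body that either leaves the
items alone (no `items` key) or replaces them (non-empty `items`).
"""
import json
import urllib.request

# Constructed sample of what the list currently holds (shape of GatewayItem,
# only the fields used here).
CURRENT_ITEMS = [
    {"value": "8GE8721REF", "description": "Austin office IP",
     "created_at": "2014-01-01T05:20:00.12345Z"},
    {"value": "C02ZW1XYZ1", "description": "Decommissioned laptop"},
]

# Constructed desired state: serial -> description.
DESIRED = {
    "8GE8721REF": "Austin office IP",
    "C02ZW1ABCD": "New admin laptop",
}


def build_patch_body(current_items, desired):
    """Return the PATCH body that moves `current_items` to `desired`.

    Values present on both sides are left untouched, so re-running against an
    already converged list yields an empty body and there is nothing to send.
    """
    current = {item["value"] for item in current_items}
    wanted = set(desired)
    body = {}
    to_append = sorted(wanted - current)
    to_remove = sorted(current - wanted)
    if to_append:
        body["append"] = [{"value": v, "description": desired[v]} for v in to_append]
    if to_remove:
        body["remove"] = to_remove
    return body


def build_put_body(name, desired, description=None, replace_items=False):
    """Return a PUT body.

    `items` is only included when `replace_items` is True: per the docs an
    omitted `items` keeps the existing items, a non-empty one overwrites them.
    """
    body = {"name": name}
    if description is not None:
        body["description"] = description
    if replace_items:
        body["items"] = [{"value": v, "description": d} for v, d in sorted(desired.items())]
    return body


def patch_list(account_id, list_id, token, body):
    """Send the PATCH to the documented endpoint (network call, not run offline)."""
    url = f"https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/lists/{list_id}"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_patch_body(CURRENT_ITEMS, DESIRED), indent=2))
```

Reconciling with PATCH keeps the server-side `created_at` of unchanged items and avoids the window in which a PUT with a partial `items` array would silently drop entries that the submitting script did not know about.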
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional GatewayList`
  - `id: optional string` Identify the API resource with a UUID.
  - `count: optional number` Indicate the number of items in the list.
  - `created_at: optional string`
  - `description: optional string` Provide the list description.
  - `items: optional array of GatewayItem` Provide the list items.
    - `created_at: optional string`
    - `description: optional string` Provide the list item description (optional).
    - `value: optional string` Specify the item value.
  - `name: optional string` Specify the list name.
  - `type: optional "SERIAL" or "URL" or "DOMAIN" or 5 more` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists/$LIST_ID \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{}'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "count": 20,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "The serial numbers for administrators",
    "items": [
      {
        "created_at": "2014-01-01T05:20:00.12345Z",
        "description": "Austin office IP",
        "value": "8GE8721REF"
      }
    ],
    "name": "Admin Serial Numbers",
    "type": "SERIAL",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete Zero Trust list

**delete** `/accounts/{account_id}/gateway/lists/{list_id}`

Deletes a Zero Trust list.

### Path Parameters

- `account_id: string`
- `list_id: string` Identify the API resource with a UUID.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists/$LIST_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Gateway Item

- `GatewayItem { created_at, description, value }`
  - `created_at: optional string`
  - `description: optional string` Provide the list item description (optional).
  - `value: optional string` Specify the item value.

### Gateway List

- `GatewayList { id, count, created_at, 5 more }`
  - `id: optional string` Identify the API resource with a UUID.
  - `count: optional number` Indicate the number of items in the list.
  - `created_at: optional string`
  - `description: optional string` Provide the list description.
  - `items: optional array of GatewayItem` Provide the list items.
    - `created_at: optional string`
    - `description: optional string` Provide the list item description (optional).
    - `value: optional string` Specify the item value.
  - `name: optional string` Specify the list name.
  - `type: optional "SERIAL" or "URL" or "DOMAIN" or 5 more` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: optional string`

### List Create Response

- `ListCreateResponse { id, created_at, description, 4 more }`
  - `id: optional string` Identify the API resource with a UUID.
  - `created_at: optional string`
  - `description: optional string` Provide the list description.
  - `items: optional array of GatewayItem` Provide the list items.
    - `created_at: optional string`
    - `description: optional string` Provide the list item description (optional).
    - `value: optional string` Specify the item value.
  - `name: optional string` Specify the list name.
  - `type: optional "SERIAL" or "URL" or "DOMAIN" or 5 more` Specify the list type.
    - `"SERIAL"`
    - `"URL"`
    - `"DOMAIN"`
    - `"EMAIL"`
    - `"IP"`
    - `"CATEGORY"`
    - `"LOCATION"`
    - `"DEVICE"`
  - `updated_at: optional string`

### List Delete Response

- `ListDeleteResponse = unknown`

# Items

## Get Zero Trust list items

**get** `/accounts/{account_id}/gateway/lists/{list_id}/items`

Fetch all items in a single Zero Trust list.

### Path Parameters

- `account_id: string`
- `list_id: string` Identify the API resource with a UUID.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional array of array of GatewayItem`
  - `created_at: optional string`
  - `description: optional string` Provide the list item description (optional).
  - `value: optional string` Specify the item value.
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Shows the total results returned based on your search parameters.
  - `page: optional number` Show the current page within paginated list of results.
  - `per_page: optional number` Show the number of results per page of results.
  - `total_count: optional number` Show the total results available without any search parameters.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/lists/$LIST_ID/items \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    [
      {
        "created_at": "2014-01-01T05:20:00.12345Z",
        "description": "Austin office IP",
        "value": "8GE8721REF"
      }
    ]
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Domain Types

### Item List Response

- `ItemListResponse = array of GatewayItem` Provide the list items.
  - `created_at: optional string`
  - `description: optional string` Provide the list item description (optional).
  - `value: optional string` Specify the item value.

# Locations

## List Zero Trust Gateway locations

**get** `/accounts/{account_id}/gateway/locations`

List Zero Trust Gateway locations for an account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional array of Location`
  - `id: optional string`
  - `client_default: optional boolean` Indicate whether this location is the default location.
  - `created_at: optional string`
  - `dns_destination_ips_id: optional string` Indicate the identifier of the pair of IPv4 addresses assigned to this location.
  - `dns_destination_ipv6_block_id: optional string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.
  - `doh_subdomain: optional string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.
  - `ecs_support: optional boolean` Indicate whether the location must resolve EDNS queries.
  - `endpoints: optional Endpoint` Configure the destination endpoints for this location.
    - `doh: DOHEndpoint`
      - `enabled: optional boolean` Indicate whether the DOH endpoint is enabled for this location.
      - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
      - `require_token: optional boolean` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled: optional boolean` Indicate whether the DOT endpoint is enabled for this location.
      - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled: optional boolean` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled: optional boolean` Indicate whether the IPV6 endpoint is enabled for this location.
      - `networks: optional array of IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IPv6 address or IPv6 CIDR.
  - `ip: optional string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
  - `ipv4_destination: optional string` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `ipv4_destination_backup: optional string` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `name: optional string` Specify the location name.
  - `networks: optional array of { network }` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
  - `updated_at: optional string`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Indicate the total number of results for the requested service.
  - `page: optional number` Indicate the current page within a paginated list of results.
  - `per_page: optional number` Indicate the number of results per page.
  - `total_count: optional number` Indicate the total results available without any search parameters.
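The location fields documented above carry constraints that are easy to get wrong in automation: `networks[].network` must be an IPv4 address or CIDR no wider than /24, `endpoints.ipv6.networks` takes IPv6 ranges only, and an endpoint whose `networks` list is empty accepts DNS from every source IP. The following is an added example, not Cloudflare's code, of a pre-flight check run over a location body before it is sent to the create or update endpoints. The function name `check_location` and the `GOOD_BODY`/`BAD_BODY` samples are constructed; the flag on an enabled DoH endpoint with no allow-list and no `require_token` is this example's own policy choice, derived from the page's statement that an empty list allows all source IPs.

```python
"""Pre-flight validation of a Zero Trust Gateway location body.

Added example (not Cloudflare's code). It checks the constraints this
page documents for location bodies and reports them as a list of
problems so a deployment pipeline can refuse to submit a bad body.
"""
import ipaddress


def _parse(cidr, version=None):
    """Parse an IP or CIDR; optionally require a specific IP version."""
    net = ipaddress.ip_network(cidr, strict=False)
    if version and net.version != version:
        raise ValueError(f"{cidr}: expected IPv{version}")
    return net


def check_location(body):
    """Return a list of problems found in `body` (empty list means it passes)."""
    problems = []

    # Location source networks: IPv4 only, and no block wider than /24.
    for i, entry in enumerate(body.get("networks", [])):
        cidr = entry.get("network", "")
        try:
            net = _parse(cidr, version=4)
        except ValueError as e:
            problems.append(f"networks[{i}]: {e}")
            continue
        if net.prefixlen < 24:
            problems.append(f"networks[{i}]: {cidr} is wider than /24")

    # Endpoint allow-lists: doh/dot take IPv4 or IPv6, ipv6 takes IPv6 only.
    endpoints = body.get("endpoints", {})
    for name, version in (("doh", None), ("dot", None), ("ipv6", 6)):
        ep = endpoints.get(name, {})
        for i, entry in enumerate(ep.get("networks", [])):
            try:
                _parse(entry.get("network", ""), version=version)
            except ValueError as e:
                problems.append(f"endpoints.{name}.networks[{i}]: {e}")

    # Policy choice for this example: an enabled DoH endpoint with an empty
    # allow-list answers every source IP, so require either an allow-list or
    # user identity authentication (require_token).
    doh = endpoints.get("doh", {})
    if doh.get("enabled") and not doh.get("networks") and not doh.get("require_token"):
        problems.append("endpoints.doh: enabled with no source allow-list and no require_token")
    return problems


# Constructed sample bodies.
GOOD_BODY = {
    "name": "Austin Office Location",
    "networks": [{"network": "192.0.2.0/24"}],
    "endpoints": {
        "doh": {"enabled": True, "networks": [{"network": "2001:85a3::/64"}],
                "require_token": True},
        "dot": {"enabled": True, "networks": [{"network": "192.0.2.0/24"}]},
        "ipv4": {"enabled": True},
        "ipv6": {"enabled": True, "networks": [{"network": "2001:85a3::/64"}]},
    },
}

BAD_BODY = {
    "name": "Too permissive",
    "networks": [{"network": "10.0.0.0/16"}, {"network": "2001:db8::/32"}],
    "endpoints": {
        "doh": {"enabled": True, "networks": []},
        "ipv6": {"enabled": True, "networks": [{"network": "192.0.2.0/24"}]},
    },
}

if __name__ == "__main__":
    for label, body in (("good", GOOD_BODY), ("bad", BAD_BODY)):
        print(label, check_location(body) or "ok")
```

Run the check immediately before the `curl` calls in the create and update examples; a non-empty result means the body would either be rejected by the API (the /24 and address-family rules) or would stand up a resolver endpoint that is reachable from anywhere.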
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/locations \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "ed35569b41ce4d1facfe683550f54086",
      "client_default": false,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6",
      "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83",
      "doh_subdomain": "oli3n9zkz5",
      "ecs_support": false,
      "endpoints": {
        "doh": {
          "enabled": true,
          "networks": [
            {
              "network": "2001:85a3::/64"
            }
          ],
          "require_token": true
        },
        "dot": {
          "enabled": true,
          "networks": [
            {
              "network": "2001:85a3::/64"
            }
          ]
        },
        "ipv4": {
          "enabled": true
        },
        "ipv6": {
          "enabled": true,
          "networks": [
            {
              "network": "2001:85a3::/64"
            }
          ]
        }
      },
      "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
      "ipv4_destination": "172.64.36.1",
      "ipv4_destination_backup": "172.64.36.2",
      "name": "Austin Office Location",
      "networks": [
        {
          "network": "192.0.2.1/32"
        }
      ],
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get Zero Trust Gateway location details

**get** `/accounts/{account_id}/gateway/locations/{location_id}`

Get a single Zero Trust Gateway location.
### Path Parameters

- `account_id: string`
- `location_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional Location`
  - `id: optional string`
  - `client_default: optional boolean` Indicate whether this location is the default location.
  - `created_at: optional string`
  - `dns_destination_ips_id: optional string` Indicate the identifier of the pair of IPv4 addresses assigned to this location.
  - `dns_destination_ipv6_block_id: optional string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.
  - `doh_subdomain: optional string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.
  - `ecs_support: optional boolean` Indicate whether the location must resolve EDNS queries.
  - `endpoints: optional Endpoint` Configure the destination endpoints for this location.
    - `doh: DOHEndpoint`
      - `enabled: optional boolean` Indicate whether the DOH endpoint is enabled for this location.
      - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
      - `require_token: optional boolean` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled: optional boolean` Indicate whether the DOT endpoint is enabled for this location.
      - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled: optional boolean` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled: optional boolean` Indicate whether the IPV6 endpoint is enabled for this location.
      - `networks: optional array of IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IPv6 address or IPv6 CIDR.
  - `ip: optional string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
  - `ipv4_destination: optional string` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `ipv4_destination_backup: optional string` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `name: optional string` Specify the location name.
  - `networks: optional array of { network }` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/locations/$LOCATION_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "client_default": false,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6",
    "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83",
    "doh_subdomain": "oli3n9zkz5",
    "ecs_support": false,
    "endpoints": {
      "doh": {
        "enabled": true,
        "networks": [
          {
            "network": "2001:85a3::/64"
          }
        ],
        "require_token": true
      },
      "dot": {
        "enabled": true,
        "networks": [
          {
            "network": "2001:85a3::/64"
          }
        ]
      },
      "ipv4": {
        "enabled": true
      },
      "ipv6": {
        "enabled": true,
        "networks": [
          {
            "network": "2001:85a3::/64"
          }
        ]
      }
    },
    "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
    "ipv4_destination": "172.64.36.1",
    "ipv4_destination_backup": "172.64.36.2",
    "name": "Austin Office Location",
    "networks": [
      {
        "network": "192.0.2.1/32"
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a Zero Trust Gateway location

**post** `/accounts/{account_id}/gateway/locations`

Create a new Zero Trust Gateway location.

### Path Parameters

- `account_id: string`

### Body Parameters

- `name: string` Specify the location name.
- `client_default: optional boolean` Indicate whether this location is the default location.
- `dns_destination_ips_id: optional string` Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged.
- `ecs_support: optional boolean` Indicate whether the location must resolve EDNS queries.
- `endpoints: optional Endpoint` Configure the destination endpoints for this location.
  - `doh: DOHEndpoint`
    - `enabled: optional boolean` Indicate whether the DOH endpoint is enabled for this location.
    - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      - `network: string` Specify the IP address or IP CIDR.
    - `require_token: optional boolean` Specify whether the DOH endpoint requires user identity authentication.
  - `dot: DOTEndpoint`
    - `enabled: optional boolean` Indicate whether the DOT endpoint is enabled for this location.
    - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      - `network: string` Specify the IP address or IP CIDR.
  - `ipv4: IPV4Endpoint`
    - `enabled: optional boolean` Indicate whether the IPv4 endpoint is enabled for this location.
  - `ipv6: IPV6Endpoint`
    - `enabled: optional boolean` Indicate whether the IPV6 endpoint is enabled for this location.
    - `networks: optional array of IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
      - `network: string` Specify the IPv6 address or IPv6 CIDR.
- `networks: optional array of { network }` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
  - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional Location`
  - `id: optional string`
  - `client_default: optional boolean` Indicate whether this location is the default location.
  - `created_at: optional string`
  - `dns_destination_ips_id: optional string` Indicate the identifier of the pair of IPv4 addresses assigned to this location.
  - `dns_destination_ipv6_block_id: optional string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.
  - `doh_subdomain: optional string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.
  - `ecs_support: optional boolean` Indicate whether the location must resolve EDNS queries.
  - `endpoints: optional Endpoint` Configure the destination endpoints for this location.
    - `doh: DOHEndpoint`
      - `enabled: optional boolean` Indicate whether the DOH endpoint is enabled for this location.
      - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
      - `require_token: optional boolean` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled: optional boolean` Indicate whether the DOT endpoint is enabled for this location.
      - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled: optional boolean` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled: optional boolean` Indicate whether the IPV6 endpoint is enabled for this location.
      - `networks: optional array of IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IPv6 address or IPv6 CIDR.
  - `ip: optional string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
  - `ipv4_destination: optional string` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `ipv4_destination_backup: optional string` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `name: optional string` Specify the location name.
  - `networks: optional array of { network }` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/locations \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "Austin Office Location",
    "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "client_default": false,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6",
    "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83",
    "doh_subdomain": "oli3n9zkz5",
    "ecs_support": false,
    "endpoints": {
      "doh": {
        "enabled": true,
        "networks": [
          {
            "network": "2001:85a3::/64"
          }
        ],
        "require_token": true
      },
      "dot": {
        "enabled": true,
        "networks": [
          {
            "network": "2001:85a3::/64"
          }
        ]
      },
      "ipv4": {
        "enabled": true
      },
      "ipv6": {
        "enabled": true,
        "networks": [
          {
            "network": "2001:85a3::/64"
          }
        ]
      }
    },
    "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
    "ipv4_destination": "172.64.36.1",
    "ipv4_destination_backup": "172.64.36.2",
    "name": "Austin Office Location",
    "networks": [
      {
        "network": "192.0.2.1/32"
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a Zero Trust Gateway location

**put** `/accounts/{account_id}/gateway/locations/{location_id}`

Update a configured Zero Trust Gateway location.

### Path Parameters

- `account_id: string`
- `location_id: string`

### Body Parameters

- `name: string` Specify the location name.
- `client_default: optional boolean` Indicate whether this location is the default location.
- `dns_destination_ips_id: optional string` Specify the identifier of the pair of IPv4 addresses assigned to this location. When creating a location, if this field is absent or set to null, the pair of shared IPv4 addresses (0e4a32c6-6fb8-4858-9296-98f51631e8e6) is auto-assigned. When updating a location, if this field is absent or set to null, the pre-assigned pair remains unchanged. - `ecs_support: optional boolean` Indicate whether the location must resolve EDNS queries. - `endpoints: optional Endpoint` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled: optional boolean` Indicate whether the DOH endpoint is enabled for this location. - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IP address or IP CIDR. - `require_token: optional boolean` Specify whether the DOH endpoint requires user identity authentication. - `dot: DOTEndpoint` - `enabled: optional boolean` Indicate whether the DOT endpoint is enabled for this location. - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IP address or IP CIDR. - `ipv4: IPV4Endpoint` - `enabled: optional boolean` Indicate whether the IPv4 endpoint is enabled for this location. - `ipv6: IPV6Endpoint` - `enabled: optional boolean` Indicate whether the IPV6 endpoint is enabled for this location. - `networks: optional array of IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. 
- `network: string` Specify the IPv6 address or IPv6 CIDR. - `networks: optional array of { network }` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location. - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `success: true` Indicate whether the API call was successful. - `true` - `result: optional Location` - `id: optional string` - `client_default: optional boolean` Indicate whether this location is the default location. - `created_at: optional string` - `dns_destination_ips_id: optional string` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `dns_destination_ipv6_block_id: optional string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `doh_subdomain: optional string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ecs_support: optional boolean` Indicate whether the location must resolve EDNS queries. - `endpoints: optional Endpoint` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled: optional boolean` Indicate whether the DOH endpoint is enabled for this location. - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. 
The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
      - `require_token: optional boolean` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled: optional boolean` Indicate whether the DOT endpoint is enabled for this location.
      - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled: optional boolean` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled: optional boolean` Indicate whether the IPv6 endpoint is enabled for this location.
      - `networks: optional array of IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IPv6 address or IPv6 CIDR.
  - `ip: optional string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
  - `ipv4_destination: optional string` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `ipv4_destination_backup: optional string` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `name: optional string` Specify the location name.
  - `networks: optional array of { network }` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/locations/$LOCATION_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "Austin Office Location",
    "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6"
  }'
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "client_default": false,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6",
    "dns_destination_ipv6_block_id": "b08f7231-d458-495c-98ef-190604c9ee83",
    "doh_subdomain": "oli3n9zkz5",
    "ecs_support": false,
    "endpoints": {
      "doh": {"enabled": true, "networks": [{"network": "2001:85a3::/64"}], "require_token": true},
      "dot": {"enabled": true, "networks": [{"network": "2001:85a3::/64"}]},
      "ipv4": {"enabled": true},
      "ipv6": {"enabled": true, "networks": [{"network": "2001:85a3::/64"}]}
    },
    "ip": "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
    "ipv4_destination": "172.64.36.1",
    "ipv4_destination_backup": "172.64.36.2",
    "name": "Austin Office Location",
    "networks": [{"network": "192.0.2.1/32"}],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a Zero Trust Gateway location

**delete** `/accounts/{account_id}/gateway/locations/{location_id}`

Delete a configured Zero Trust Gateway location.
### Path Parameters

- `account_id: string`
- `location_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/locations/$LOCATION_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### DOH Endpoint

- `DOHEndpoint { enabled, networks, require_token }`
  - `enabled: optional boolean` Indicate whether the DOH endpoint is enabled for this location.
  - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
    - `network: string` Specify the IP address or IP CIDR.
  - `require_token: optional boolean` Specify whether the DOH endpoint requires user identity authentication.

### DOT Endpoint

- `DOTEndpoint { enabled, networks }`
  - `enabled: optional boolean` Indicate whether the DOT endpoint is enabled for this location.
  - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
- `network: string` Specify the IP address or IP CIDR. ### Endpoint - `Endpoint { doh, dot, ipv4, ipv6 }` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled: optional boolean` Indicate whether the DOH endpoint is enabled for this location. - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IP address or IP CIDR. - `require_token: optional boolean` Specify whether the DOH endpoint requires user identity authentication. - `dot: DOTEndpoint` - `enabled: optional boolean` Indicate whether the DOT endpoint is enabled for this location. - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IP address or IP CIDR. - `ipv4: IPV4Endpoint` - `enabled: optional boolean` Indicate whether the IPv4 endpoint is enabled for this location. - `ipv6: IPV6Endpoint` - `enabled: optional boolean` Indicate whether the IPV6 endpoint is enabled for this location. - `networks: optional array of IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IPv6 address or IPv6 CIDR. ### IP Network - `IPNetwork { network }` - `network: string` Specify the IP address or IP CIDR. ### IPV4 Endpoint - `IPV4Endpoint { enabled }` - `enabled: optional boolean` Indicate whether the IPv4 endpoint is enabled for this location. 
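The endpoint types above share one default worth checking before a location goes live: an enabled DoH, DoT or IPv6 endpoint whose `networks` list is empty accepts queries from any source IP, a DoH endpoint without `require_token` needs no user identity, and the location-level `networks` list only constrains the IPv4 endpoint and only when it is non-empty. The Python below is an added example, not Cloudflare's code: `audit_location` reports those conditions on a `Location` object as returned by the get or update calls, and `hardened_update_body` builds a `PUT` body in the shape of the update example that pins every enabled endpoint to a given set of source ranges. `SAMPLE_LOCATION`, the source ranges and the severity labels are constructed for the example.

```python
"""Audit and harden the DNS endpoints of a Zero Trust Gateway Location.

Added example, not Cloudflare code. It operates on the `endpoints` and
`networks` objects of a Location (GET/PUT .../gateway/locations/{id}).
"""
import ipaddress

# Constraint stated in the reference: Location.networks IPv4 CIDRs may be no broader than /24.
MAX_IPV4_LOCATION_PREFIX = 24

# Constructed sample shaped like the API response (not real account data).
SAMPLE_LOCATION = {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "name": "Austin Office Location",
    "ecs_support": False,
    "dns_destination_ips_id": "0e4a32c6-6fb8-4858-9296-98f51631e8e6",
    "ipv4_destination": "172.64.36.1",  # read-only; must not be echoed back in a PUT
    "endpoints": {
        "doh": {"enabled": True, "networks": [], "require_token": False},
        "dot": {"enabled": True, "networks": [{"network": "2001:85a3::/64"}]},
        "ipv4": {"enabled": True},
        "ipv6": {"enabled": False, "networks": []},
    },
    "networks": [{"network": "192.0.2.0/23"}],  # broader than the /24 limit
}


def _network(text):
    """Parse a CIDR strictly: host bits set or garbage raises ValueError."""
    return ipaddress.ip_network(text, strict=True)


def audit_location(location):
    """Return a list of (severity, message) findings for one Location object."""
    findings = []
    ep = location.get("endpoints") or {}

    # DoH, DoT and IPv6 carry their own source allow list; empty means any source IP.
    for name in ("doh", "dot", "ipv6"):
        cfg = ep.get(name) or {}
        if not cfg.get("enabled"):
            continue
        nets = cfg.get("networks") or []
        if not nets:
            findings.append(("high", f"{name}: enabled with an empty networks list, so any source IP may query it"))
        for entry in nets:
            try:
                net = _network(entry["network"])
            except (KeyError, TypeError, ValueError) as exc:
                findings.append(("high", f"{name}: unparseable network entry {entry!r} ({exc})"))
                continue
            if name == "ipv6" and net.version != 6:
                findings.append(("medium", f"ipv6: {net} is not an IPv6 range"))
            if net.prefixlen == 0:
                findings.append(("high", f"{name}: {net} covers the whole address space"))

    doh = ep.get("doh") or {}
    if doh.get("enabled") and not doh.get("require_token"):
        findings.append(("medium", "doh: enabled without require_token, so clients need no user identity"))

    # The Location-level list applies to the IPv4 endpoint only, and only when non-empty.
    if (ep.get("ipv4") or {}).get("enabled"):
        nets = location.get("networks") or []
        if not nets:
            findings.append(("medium", "ipv4: enabled but networks is empty, so the source list has no effect"))
        for entry in nets:
            try:
                net = _network(entry["network"])
            except (KeyError, TypeError, ValueError) as exc:
                findings.append(("high", f"ipv4: unparseable network entry {entry!r} ({exc})"))
                continue
            if net.version != 4 or net.prefixlen < MAX_IPV4_LOCATION_PREFIX:
                findings.append(("high", f"ipv4: {net} is not an IPv4 range of /{MAX_IPV4_LOCATION_PREFIX} or longer; the API rejects it"))
    return findings


def hardened_update_body(location, source_cidrs):
    """Build a PUT body that pins every enabled endpoint to source_cidrs and requires identity on DoH.

    Only writable fields shown in the reference are copied; read-only ones such as
    ipv4_destination are dropped. dns_destination_ips_id is sent only if present,
    since absent/null leaves the assigned pair unchanged.
    """
    nets = [_network(c) for c in source_cidrs]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    too_broad = [str(n) for n in v4 if n.prefixlen < MAX_IPV4_LOCATION_PREFIX]
    if too_broad:
        raise ValueError(f"IPv4 location networks must be /{MAX_IPV4_LOCATION_PREFIX} or longer: {too_broad}")

    def as_list(ns):
        return [{"network": str(n)} for n in ns]

    def enabled(name):
        return bool(((location.get("endpoints") or {}).get(name) or {}).get("enabled"))

    body = {
        "name": location["name"],
        "ecs_support": bool(location.get("ecs_support", False)),
        "endpoints": {
            "doh": {"enabled": enabled("doh"), "networks": as_list(v4 + v6), "require_token": True},
            "dot": {"enabled": enabled("dot"), "networks": as_list(v4 + v6)},
            "ipv4": {"enabled": enabled("ipv4")},
            "ipv6": {"enabled": enabled("ipv6"), "networks": as_list(v6)},
        },
        "networks": as_list(v4),
    }
    if location.get("dns_destination_ips_id"):
        body["dns_destination_ips_id"] = location["dns_destination_ips_id"]
    return body


if __name__ == "__main__":
    for severity, message in audit_location(SAMPLE_LOCATION):
        print(f"[{severity}] {message}")
    print(hardened_update_body(SAMPLE_LOCATION, ["198.51.100.0/24", "2001:db8::/48"]))
```

Run the audit against the `result` of a get call before and after the update; a body produced by `hardened_update_body` audits clean, and because it carries the full `endpoints` object rather than a partial one, the response should match it field for field.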
### IPV6 Endpoint - `IPV6Endpoint { enabled, networks }` - `enabled: optional boolean` Indicate whether the IPV6 endpoint is enabled for this location. - `networks: optional array of IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IPv6 address or IPv6 CIDR. ### IPV6 Network - `IPV6Network { network }` - `network: string` Specify the IPv6 address or IPv6 CIDR. ### Location - `Location { id, client_default, created_at, 11 more }` - `id: optional string` - `client_default: optional boolean` Indicate whether this location is the default location. - `created_at: optional string` - `dns_destination_ips_id: optional string` Indicate the identifier of the pair of IPv4 addresses assigned to this location. - `dns_destination_ipv6_block_id: optional string` Specify the UUID of the IPv6 block brought to the gateway so that this location's IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block. - `doh_subdomain: optional string` Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value. - `ecs_support: optional boolean` Indicate whether the location must resolve EDNS queries. - `endpoints: optional Endpoint` Configure the destination endpoints for this location. - `doh: DOHEndpoint` - `enabled: optional boolean` Indicate whether the DOH endpoint is enabled for this location. - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location. - `network: string` Specify the IP address or IP CIDR. 
      - `require_token: optional boolean` Specify whether the DOH endpoint requires user identity authentication.
    - `dot: DOTEndpoint`
      - `enabled: optional boolean` Indicate whether the DOT endpoint is enabled for this location.
      - `networks: optional array of IPNetwork` Specify the list of allowed source IP network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IP address or IP CIDR.
    - `ipv4: IPV4Endpoint`
      - `enabled: optional boolean` Indicate whether the IPv4 endpoint is enabled for this location.
    - `ipv6: IPV6Endpoint`
      - `enabled: optional boolean` Indicate whether the IPv6 endpoint is enabled for this location.
      - `networks: optional array of IPV6Network` Specify the list of allowed source IPv6 network ranges for this endpoint. When the list is empty, the endpoint allows all source IPs. The list takes effect only if the endpoint is enabled for this location.
        - `network: string` Specify the IPv6 address or IPv6 CIDR.
  - `ip: optional string` Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
  - `ipv4_destination: optional string` Show the primary destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `ipv4_destination_backup: optional string` Show the backup destination IPv4 address from the pair identified by `dns_destination_ips_id`. This field is read-only.
  - `name: optional string` Specify the location name.
  - `networks: optional array of { network }` Specify the list of network ranges from which requests at this location originate. The list takes effect only if it is non-empty and the IPv4 endpoint is enabled for this location.
    - `network: string` Specify the IPv4 address or IPv4 CIDR. Limit IPv4 CIDRs to a maximum of /24.
  - `updated_at: optional string`

### Location Delete Response

- `LocationDeleteResponse = unknown`

# Logging

## Get logging settings for the Zero Trust account

**get** `/accounts/{account_id}/gateway/logging`

Retrieve the current logging settings for the Zero Trust account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional LoggingSetting`
  - `redact_pii: optional boolean` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).
  - `settings_by_rule_type: optional { dns, http, l4 }` Configure logging settings for each rule type.
    - `dns: optional { log_all, log_blocks }` Configure logging settings for the DNS firewall.
      - `log_all: optional boolean` Specify whether to log all requests to this service.
      - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.
    - `http: optional { log_all, log_blocks }` Configure logging settings for the HTTP/HTTPS firewall.
      - `log_all: optional boolean` Specify whether to log all requests to this service.
      - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.
    - `l4: optional { log_all, log_blocks }` Configure logging settings for the Network firewall.
      - `log_all: optional boolean` Specify whether to log all requests to this service.
      - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/logging \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "redact_pii": true,
    "settings_by_rule_type": {
      "dns": {"log_all": false, "log_blocks": true},
      "http": {"log_all": false, "log_blocks": true},
      "l4": {"log_all": false, "log_blocks": true}
    }
  }
}
```

## Update Zero Trust account logging settings

**put** `/accounts/{account_id}/gateway/logging`

Update logging settings for the current Zero Trust account.

### Path Parameters

- `account_id: string`

### Body Parameters

- `redact_pii: optional boolean` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).
- `settings_by_rule_type: optional { dns, http, l4 }` Configure logging settings for each rule type.
  - `dns: optional { log_all, log_blocks }` Configure logging settings for the DNS firewall.
    - `log_all: optional boolean` Specify whether to log all requests to this service.
    - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.
  - `http: optional { log_all, log_blocks }` Configure logging settings for the HTTP/HTTPS firewall.
    - `log_all: optional boolean` Specify whether to log all requests to this service.
    - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.
  - `l4: optional { log_all, log_blocks }` Configure logging settings for the Network firewall.
    - `log_all: optional boolean` Specify whether to log all requests to this service.
    - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional LoggingSetting`
  - `redact_pii: optional boolean` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).
  - `settings_by_rule_type: optional { dns, http, l4 }` Configure logging settings for each rule type.
    - `dns: optional { log_all, log_blocks }` Configure logging settings for the DNS firewall.
      - `log_all: optional boolean` Specify whether to log all requests to this service.
      - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.
    - `http: optional { log_all, log_blocks }` Configure logging settings for the HTTP/HTTPS firewall.
      - `log_all: optional boolean` Specify whether to log all requests to this service.
      - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.
    - `l4: optional { log_all, log_blocks }` Configure logging settings for the Network firewall.
      - `log_all: optional boolean` Specify whether to log all requests to this service.
      - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/logging \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "redact_pii": true
  }'
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "redact_pii": true,
    "settings_by_rule_type": {
      "dns": {"log_all": false, "log_blocks": true},
      "http": {"log_all": false, "log_blocks": true},
      "l4": {"log_all": false, "log_blocks": true}
    }
  }
}
```

## Domain Types

### Logging Setting

- `LoggingSetting { redact_pii, settings_by_rule_type }`
  - `redact_pii: optional boolean` Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).
  - `settings_by_rule_type: optional { dns, http, l4 }` Configure logging settings for each rule type.
    - `dns: optional { log_all, log_blocks }` Configure logging settings for the DNS firewall.
      - `log_all: optional boolean` Specify whether to log all requests to this service.
      - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.
    - `http: optional { log_all, log_blocks }` Configure logging settings for the HTTP/HTTPS firewall.
      - `log_all: optional boolean` Specify whether to log all requests to this service.
      - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.
    - `l4: optional { log_all, log_blocks }` Configure logging settings for the Network firewall.
      - `log_all: optional boolean` Specify whether to log all requests to this service.
      - `log_blocks: optional boolean` Specify whether to log only blocked requests to this service.
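Two things about `LoggingSetting` matter for detection and response: a rule type with neither `log_all` nor `log_blocks` set produces no activity log at all, so a block on that rule type leaves no trace, and `redact_pii` strips exactly the fields (source IP, user email, user ID, device ID, URL, referrer, user agent) an investigation pivots on. The Python below is an added example, not Cloudflare's code: `coverage_findings` reads a `LoggingSetting` object as returned by the get call and reports those gaps, and `plan_update` merges an assumed SOC baseline into it to produce the full `PUT` body plus a drift list. `CURRENT_SETTINGS` and `BASELINE` are constructed; the baseline is a hypothetical policy, not a Cloudflare recommendation, and the body is sent whole because the reference does not say whether `PUT` leaves omitted fields untouched.

```python
"""Check logging coverage and plan a PUT to /gateway/logging.

Added example, not Cloudflare code. CURRENT_SETTINGS mimics the `result`
object of GET .../gateway/logging; BASELINE is an assumed SOC policy.
"""
import copy

RULE_TYPES = ("dns", "http", "l4")

# Constructed: what GET /gateway/logging returned for a hypothetical account.
CURRENT_SETTINGS = {
    "redact_pii": True,
    "settings_by_rule_type": {
        "dns": {"log_all": False, "log_blocks": True},
        "http": {"log_all": False, "log_blocks": False},
        "l4": {"log_all": True, "log_blocks": True},
    },
}

# Assumed baseline: log everything on every rule type and keep identity fields,
# because incident response needs source IP, user and device identifiers.
BASELINE = {
    "redact_pii": False,
    "settings_by_rule_type": {t: {"log_all": True, "log_blocks": True} for t in RULE_TYPES},
}


def coverage_findings(settings):
    """Return human-readable gaps in a LoggingSetting object."""
    findings = []
    by_type = settings.get("settings_by_rule_type") or {}
    for rule_type in RULE_TYPES:
        cfg = by_type.get(rule_type) or {}
        if not cfg.get("log_all") and not cfg.get("log_blocks"):
            findings.append(f"{rule_type}: neither log_all nor log_blocks is set; blocks on this rule type leave no trace")
        elif not cfg.get("log_all"):
            findings.append(f"{rule_type}: only blocked requests are logged; allowed traffic is invisible to detection")
    if settings.get("redact_pii"):
        findings.append("redact_pii is on: source IP, user email, user ID, device ID, URL, referrer and user agent are redacted")
    return findings


def plan_update(current, baseline):
    """Return (put_body, drift): the full merged LoggingSetting and every field the baseline changes.

    drift entries are (dotted_field, current_value, baseline_value). The input is not mutated.
    """
    body = copy.deepcopy(current)
    body.setdefault("settings_by_rule_type", {})
    drift = []
    if "redact_pii" in baseline and body.get("redact_pii") != baseline["redact_pii"]:
        drift.append(("redact_pii", body.get("redact_pii"), baseline["redact_pii"]))
        body["redact_pii"] = baseline["redact_pii"]
    for rule_type, want in (baseline.get("settings_by_rule_type") or {}).items():
        have = body["settings_by_rule_type"].setdefault(rule_type, {})
        for key in ("log_all", "log_blocks"):
            if key in want and have.get(key) != want[key]:
                drift.append((f"settings_by_rule_type.{rule_type}.{key}", have.get(key), want[key]))
                have[key] = want[key]
    return body, drift


if __name__ == "__main__":
    for line in coverage_findings(CURRENT_SETTINGS):
        print("finding:", line)
    body, drift = plan_update(CURRENT_SETTINGS, BASELINE)
    for field, before, after in drift:
        print(f"drift: {field}: {before} -> {after}")
    print("PUT body:", body)
```

The drift list is what a change ticket should carry; an empty list means the account already matches the baseline and no `PUT` is needed.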
# Proxy Endpoints ## List proxy endpoints **get** `/accounts/{account_id}/gateway/proxy_endpoints` List all Zero Trust Gateway proxy endpoints for an account. ### Path Parameters - `account_id: string` ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `success: true` Indicate whether the API call was successful. - `true` - `result: optional array of ProxyEndpoint` - `IP { ips, name, id, 4 more }` - `ips: array of GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `name: string` Specify the name of the proxy endpoint. - `id: optional string` - `created_at: optional string` - `kind: optional "ip"` The proxy endpoint kind - `"ip"` - `subdomain: optional string` Specify the subdomain to use as the destination in the proxy client. - `updated_at: optional string` - `Identity { kind, name, id, 3 more }` - `kind: "identity"` The proxy endpoint kind - `"identity"` - `name: string` Specify the name of the proxy endpoint. - `id: optional string` - `created_at: optional string` - `subdomain: optional string` Specify the subdomain to use as the destination in the proxy client. - `updated_at: optional string` - `result_info: optional { count, page, per_page, total_count }` - `count: optional number` Indicate the total number of results for the requested service. - `page: optional number` Indicate the current page within a paginated list of results. - `per_page: optional number` Indicate the number of results per page. - `total_count: optional number` Indicate the total results available without any search parameters. 
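For the `IP` variant above, the `ips` list is the only thing that restricts who can send traffic to the proxy endpoint's `subdomain`, and the `GatewayIPs` type defined under Domain Types in this section caps how broad an entry may be (IPv4 no broader than /25, IPv6 no broader than /109). The Python below is an added example, not Cloudflare's code: `validate_gateway_ips` normalises a candidate list for the `ips` field of a create or update call and rejects entries the API would refuse or a reviewer would not want, and `audit_proxy_endpoints` walks a list response and flags sources outside an organisation's known egress ranges. `APPROVED_EGRESS`, `SAMPLE_LIST` and the private-range check (on the assumption that the edge matches the client's public address, so an RFC 1918 entry never matches anything) are constructed for the example.

```python
"""Validate and audit the `ips` allow list of Gateway proxy endpoints.

Added example, not Cloudflare code. Prefix limits come from the GatewayIPs
type in this section; the egress ranges and the sample list are constructed.
"""
import ipaddress

MAX_PREFIX = {4: 25, 6: 109}  # GatewayIPs: IPv4 no broader than /25, IPv6 no broader than /109

# Assumption: ingress matching sees the client's public address, so these can never match.
NEVER_PUBLIC = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]

# Constructed: the organisation's known public egress ranges.
APPROVED_EGRESS = [ipaddress.ip_network(c) for c in ("198.51.100.0/26", "2001:db8:10::/48")]

# Constructed: a trimmed `result` array from GET .../gateway/proxy_endpoints.
SAMPLE_LIST = [
    {"id": "ed35569b41ce4d1facfe683550f54086", "kind": "ip", "name": "Devops team",
     "ips": ["198.51.100.0/26", "203.0.113.7/32"],
     "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com"},
    {"id": "5d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a", "kind": "identity", "name": "Contractors",
     "subdomain": "abcd1234.proxy.cloudflare-gateway.com"},
]


def validate_gateway_ips(cidrs):
    """Return a normalised, sorted list for the `ips` field, or raise ValueError.

    Rejects: malformed entries and host bits set, prefixes broader than the
    GatewayIPs limit, private ranges, and duplicate or overlapping entries.
    """
    nets = []
    for text in cidrs:
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            raise ValueError(f"{text}: {exc}") from None
        limit = MAX_PREFIX[net.version]
        if net.prefixlen < limit:
            raise ValueError(f"{net}: IPv{net.version} prefix must be /{limit} or longer")
        if any(net.version == p.version and net.subnet_of(p) for p in NEVER_PUBLIC):
            raise ValueError(f"{net}: private range cannot be a public ingress source")
        for other in nets:
            if net.version == other.version and (net.subnet_of(other) or other.subnet_of(net)):
                raise ValueError(f"{net} overlaps {other}")
        nets.append(net)
    nets.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in nets]


def audit_proxy_endpoints(result, approved=APPROVED_EGRESS):
    """Return (endpoint_name, message) for IP-kind endpoints whose sources fall outside approved egress."""
    findings = []
    for ep in result:
        # `kind` is optional on the IP variant; only the Identity variant requires kind == "identity".
        if ep.get("kind", "ip") != "ip":
            continue
        ips = ep.get("ips") or []
        if not ips:
            findings.append((ep["name"], "ips list is empty; verify the intended ingress restriction"))
        for text in ips:
            net = ipaddress.ip_network(text, strict=False)
            if not any(net.version == a.version and net.subnet_of(a) for a in approved):
                findings.append((ep["name"], f"{net} is outside approved egress; anyone in it can reach {ep.get('subdomain')}"))
    return findings


if __name__ == "__main__":
    print(validate_gateway_ips(["203.0.113.7/32", "198.51.100.0/26", "2001:db8:10::/109"]))
    for name, message in audit_proxy_endpoints(SAMPLE_LIST):
        print(f"{name}: {message}")
```

Run `validate_gateway_ips` on the list before the `PATCH` so a typo such as `192.0.2.1/24` (host bits set) or an over-broad `/24` fails locally rather than at the API, and run `audit_proxy_endpoints` over the list response on a schedule, since a CIDR added by hand in the dashboard bypasses any client-side validation.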
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/proxy_endpoints \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": [
    {
      "ips": ["192.0.2.1/32"],
      "name": "Devops team",
      "id": "ed35569b41ce4d1facfe683550f54086",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "kind": "ip",
      "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {"count": 1, "page": 1, "per_page": 20, "total_count": 2000}
}
```

## Get a proxy endpoint

**get** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}`

Get a single Zero Trust Gateway proxy endpoint.

### Path Parameters

- `account_id: string`
- `proxy_endpoint_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional ProxyEndpoint`
  - `IP { ips, name, id, 4 more }`
    - `ips: array of GatewayIPs` Specify the list of CIDRs to restrict ingress connections.
    - `name: string` Specify the name of the proxy endpoint.
    - `id: optional string`
    - `created_at: optional string`
    - `kind: optional "ip"` The proxy endpoint kind
      - `"ip"`
    - `subdomain: optional string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: optional string`
  - `Identity { kind, name, id, 3 more }`
    - `kind: "identity"` The proxy endpoint kind
      - `"identity"`
    - `name: string` Specify the name of the proxy endpoint.
    - `id: optional string`
    - `created_at: optional string`
    - `subdomain: optional string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/proxy_endpoints/$PROXY_ENDPOINT_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "ips": ["192.0.2.1/32"],
    "name": "Devops team",
    "id": "ed35569b41ce4d1facfe683550f54086",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "kind": "ip",
    "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a proxy endpoint

**post** `/accounts/{account_id}/gateway/proxy_endpoints`

Create a new Zero Trust Gateway proxy endpoint.

### Path Parameters

- `account_id: string`

### Body Parameters

- `body: { name, kind } or { kind, name }`
  - `IP { name, kind }`
    - `name: string` Specify the name of the proxy endpoint.
    - `kind: optional "ip"` The proxy endpoint kind
      - `"ip"`
  - `Identity { kind, name }`
    - `kind: "identity"` The proxy endpoint kind
      - `"identity"`
    - `name: string` Specify the name of the proxy endpoint.
### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `success: true` Indicate whether the API call was successful. - `true` - `result: optional ProxyEndpoint` - `IP { ips, name, id, 4 more }` - `ips: array of GatewayIPs` Specify the list of CIDRs to restrict ingress connections. - `name: string` Specify the name of the proxy endpoint. - `id: optional string` - `created_at: optional string` - `kind: optional "ip"` The proxy endpoint kind - `"ip"` - `subdomain: optional string` Specify the subdomain to use as the destination in the proxy client. - `updated_at: optional string` - `Identity { kind, name, id, 3 more }` - `kind: "identity"` The proxy endpoint kind - `"identity"` - `name: string` Specify the name of the proxy endpoint. - `id: optional string` - `created_at: optional string` - `subdomain: optional string` Specify the subdomain to use as the destination in the proxy client. 
    - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/proxy_endpoints \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "Devops team",
    "kind": "ip"
  }'
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "ips": ["192.0.2.1/32"],
    "name": "Devops team",
    "id": "ed35569b41ce4d1facfe683550f54086",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "kind": "ip",
    "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a proxy endpoint

**patch** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}`

Update a configured Zero Trust Gateway proxy endpoint.

### Path Parameters

- `account_id: string`
- `proxy_endpoint_id: string`

### Body Parameters

- `ips: optional array of GatewayIPs` Specify the list of CIDRs to restrict ingress connections.
- `name: optional string` Specify the name of the proxy endpoint.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional ProxyEndpoint`
  - `IP { ips, name, id, 4 more }`
    - `ips: array of GatewayIPs` Specify the list of CIDRs to restrict ingress connections.
    - `name: string` Specify the name of the proxy endpoint.
    - `id: optional string`
    - `created_at: optional string`
    - `kind: optional "ip"` The proxy endpoint kind
      - `"ip"`
    - `subdomain: optional string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: optional string`
  - `Identity { kind, name, id, 3 more }`
    - `kind: "identity"` The proxy endpoint kind
      - `"identity"`
    - `name: string` Specify the name of the proxy endpoint.
    - `id: optional string`
    - `created_at: optional string`
    - `subdomain: optional string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/proxy_endpoints/$PROXY_ENDPOINT_ID \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "Devops team"
  }'
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {
    "ips": ["192.0.2.1/32"],
    "name": "Devops team",
    "id": "ed35569b41ce4d1facfe683550f54086",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "kind": "ip",
    "subdomain": "oli3n9zkz5.proxy.cloudflare-gateway.com",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a proxy endpoint

**delete** `/accounts/{account_id}/gateway/proxy_endpoints/{proxy_endpoint_id}`

Delete a configured Zero Trust Gateway proxy endpoint.
### Path Parameters

- `account_id: string`
- `proxy_endpoint_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/proxy_endpoints/$PROXY_ENDPOINT_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "messages": [
    {"code": 1000, "message": "message", "documentation_url": "documentation_url", "source": {"pointer": "pointer"}}
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Gateway IPs

- `GatewayIPs = string` Specify an IPv4 or IPv6 CIDR. Limit IPv6 to a maximum of /109 and IPv4 to a maximum of /25.

### Proxy Endpoint

- `ProxyEndpoint = { ips, name, id, 4 more } or { kind, name, id, 3 more }`
  - `IP { ips, name, id, 4 more }`
    - `ips: array of GatewayIPs` Specify the list of CIDRs to restrict ingress connections.
    - `name: string` Specify the name of the proxy endpoint.
    - `id: optional string`
    - `created_at: optional string`
    - `kind: optional "ip"` The proxy endpoint kind
      - `"ip"`
    - `subdomain: optional string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: optional string`
  - `Identity { kind, name, id, 3 more }`
    - `kind: "identity"` The proxy endpoint kind
      - `"identity"`
    - `name: string` Specify the name of the proxy endpoint.
    - `id: optional string`
    - `created_at: optional string`
    - `subdomain: optional string` Specify the subdomain to use as the destination in the proxy client.
    - `updated_at: optional string`

### Proxy Endpoint Delete Response

- `ProxyEndpointDeleteResponse = unknown`

# Rules

## List Zero Trust Gateway rules

**get** `/accounts/{account_id}/gateway/rules`

List Zero Trust Gateway rules for an account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional array of GatewayRule`
  - `action: "on" or "off" or "allow" or 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `enabled: boolean` Specify whether the rule is enabled.
  - `filters: array of GatewayFilter` Specify the protocol or layer at which the traffic, identity, and device posture expressions are evaluated. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: string` Specify the rule name.
  - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, Gateway evaluates the applicable rules in ascending order of this value.
    Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id: optional string` Identify the API resource with a UUID.
  - `created_at: optional string`
  - `deleted_at: optional string` Indicate the date of deletion, if any.
  - `description: optional string` Specify the rule description.
  - `device_posture: optional string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration: optional { expires_at, duration, expired }` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `duration: optional number` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired: optional boolean` Indicates whether the policy is expired.
  - `identity: optional string` Specify the wirefilter expression used for identity matching.
    The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only: optional boolean` Indicate that this rule is shared via the Orgs API and is read only.
  - `rule_settings: optional RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers: optional map[array of string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass: optional boolean` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh: optional { command_logging }` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging: optional boolean` Enable SSH command logging.
    - `biso_admin_controls: optional { copy, dcp, dd, 9 more }` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy: optional "enabled" or "disabled" or "remote_only"` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp: optional boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd: optional boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk: optional boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download: optional "enabled" or "disabled" or "remote_only"` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp: optional boolean` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du: optional boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard: optional "enabled" or "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
      - `paste: optional "enabled" or "disabled" or "remote_only"` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing: optional "enabled" or "disabled"` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
      - `upload: optional "enabled" or "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
      - `version: optional "v1" or "v2"` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page: optional { target_uri, include_context }` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
    - `block_page_enabled: optional boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason: optional string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule: optional boolean` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session: optional { duration, enforce }` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration: optional string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce: optional boolean` Enable session enforcement.
    - `dns_resolvers: optional { ipv4, ipv6 }` Configure custom resolvers to route queries that match the resolver policy. Unused with the 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `ipv4: optional array of DNSResolverSettingsV4`
        - `ip: string` Specify the IPv4 address of the upstream resolver.
        - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
      - `ipv6: optional array of DNSResolverSettingsV6`
        - `ip: string` Specify the IPv6 address of the upstream resolver.
        - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
    - `egress: optional { ipv4, ipv4_fallback, ipv6 }` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4: optional string` Specify the IPv4 address to use for egress.
      - `ipv4_fallback: optional string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `ipv6: optional string` Specify the IPv6 range to use for egress.
    - `forensic_copy: optional { enabled }` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled: optional boolean` Enable sending the copy to storage.
    - `ignore_cname_category_matches: optional boolean` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation: optional boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories: optional boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds: optional boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override: optional { ip, port }` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip: optional string` Defines the IPv4 or IPv6 address.
      - `port: optional number` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings: optional { enabled, include_context, msg, support_url }` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
      - `enabled: optional boolean` Enable the notification.
      - `include_context: optional boolean` Indicates whether to pass the context information as query parameters.
      - `msg: optional string` Customize the message shown in the notification.
      - `support_url: optional string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host: optional string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `override_ips: optional array of string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log: optional { enabled }` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled: optional boolean` Enable DLP payload logging for this rule.
    - `quarantine: optional { file_types }` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `file_types: optional array of "exe" or "pdf" or "doc" or 10 more` Specify the types of files to sandbox.
        - `"exe"`
        - `"pdf"`
        - `"doc"`
        - `"docm"`
        - `"docx"`
        - `"rtf"`
        - `"ppt"`
        - `"pptx"`
        - `"xls"`
        - `"xlsm"`
        - `"xlsx"`
        - `"zip"`
        - `"rar"`
    - `redirect: optional { target_uri, include_context, preserve_path_and_query }` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
      - `preserve_path_and_query: optional boolean` Specify whether to append the path and query parameters from the original request to target_uri.
    - `resolve_dns_internally: optional { fallback, view_id }` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `fallback: optional "none" or "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries.
        - `"none"`
        - `"public_dns"`
      - `view_id: optional string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `resolve_dns_through_cloudflare: optional boolean` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
    - `untrusted_cert: optional { action }` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `action: optional "pass_through" or "block" or "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `"pass_through"`
        - `"block"`
        - `"error"`
  - `schedule: optional Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `fri: optional string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `mon: optional string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sat: optional string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sun: optional string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `thu: optional string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `time_zone: optional string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
    - `tue: optional string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `wed: optional string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sharable: optional boolean` Indicate that this rule is sharable via the Orgs API.
  - `source_account: optional string` Provide the account tag of the account that created the rule.
  - `updated_at: optional string`
  - `version: optional number` Indicate the version number of the rule (read-only).
  - `warning_status: optional string` Indicate a warning for a misconfigured rule, if any.
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Indicate the total number of results for the requested service.
  - `page: optional number` Indicate the current page within a paginated list of results.
  - `per_page: optional number` Indicate the number of results per page.
  - `total_count: optional number` Indicate the total results available without any search parameters.
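An added example (not Cloudflare code) that consumes a response body in the shape returned by this endpoint: it orders the rules as the `precedence` and `filters` fields describe (per phase, ascending precedence) and flags `rule_settings` values documented above that weaken enforcement. The rule IDs, names and wirefilter expressions in the sample are constructed, not captured from a real account.

```python
"""Offline audit of a GET /accounts/{account_id}/gateway/rules response body."""
import json
from collections import defaultdict

# Constructed sample body (not real account data); the field layout follows the
# GatewayRule schema documented above. IDs and expressions are illustrative only.
SAMPLE_RESPONSE = json.dumps({
    "success": True, "errors": [], "messages": [],
    "result": [
        {"id": "rule-allow-finance", "name": "allow finance portal", "action": "allow",
         "enabled": True, "filters": ["http"], "precedence": 100,
         "traffic": "http.request.host eq \"portal.example.com\"",
         "identity": "any(identity.groups.name[*] in {\"finance\"})",
         "rule_settings": {"untrusted_cert": {"action": "pass_through"}}},
        {"id": "rule-allow-all-http", "name": "allow everything", "action": "allow",
         "enabled": True, "filters": ["http"], "precedence": 10,
         "traffic": "http.request.host matches \".*\""},
        {"id": "rule-block-risky", "name": "block security risks", "action": "block",
         "enabled": True, "filters": ["http"], "precedence": 20,
         "traffic": "http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10"},
        {"id": "rule-dns-nodnssec", "name": "legacy dns allow", "action": "allow",
         "enabled": True, "filters": ["dns"], "precedence": 5,
         "traffic": "any(dns.domains[*] in {\"legacy.example.com\"})",
         "rule_settings": {"insecure_disable_dnssec_validation": True}},
        {"id": "rule-dns-expired", "name": "temporary dns allow", "action": "allow",
         "enabled": True, "filters": ["dns"], "precedence": 1,
         "traffic": "any(dns.domains[*] in {\"tmp.example.com\"})",
         "identity": "any(identity.groups.name[*] in {\"contractors\"})",
         "expiration": {"expires_at": "2024-01-01T00:00:00Z", "duration": 60, "expired": True}},
    ],
    "result_info": {"count": 5, "page": 1, "per_page": 20, "total_count": 5},
})

# Constructed failed call, using the generic error shape from the response examples.
FAILED_RESPONSE = json.dumps({
    "success": False, "result": None, "messages": [],
    "errors": [{"code": 1000, "message": "constructed error"}],
})


def parse_rules(raw: str) -> list[dict]:
    """Return the rule list, refusing to audit a call that did not succeed."""
    body = json.loads(raw)
    if not body.get("success"):
        detail = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in body.get("errors", []))
        raise ValueError(f"API call failed: {detail or 'no error detail'}")
    return body.get("result") or []


def by_phase(rules: list[dict]) -> dict[str, list[dict]]:
    """Group by the single filter value (the processing phase) and sort by ascending
    precedence, which is the evaluation order the reference documents."""
    phases: dict[str, list[dict]] = defaultdict(list)
    for rule in rules:
        phases[rule["filters"][0]].append(rule)
    return {phase: sorted(rs, key=lambda r: r["precedence"]) for phase, rs in phases.items()}


def audit_rule(rule: dict) -> list[str]:
    """Findings for one rule: settings documented above that reduce enforcement."""
    findings = []
    settings = rule.get("rule_settings") or {}
    if rule["action"] == "allow" and not rule.get("identity") and not rule.get("device_posture"):
        findings.append("allow with no identity or device posture expression")
    if settings.get("insecure_disable_dnssec_validation"):
        findings.append("DNSSEC validation disabled (insecure_disable_dnssec_validation)")
    if (settings.get("untrusted_cert") or {}).get("action") == "pass_through":
        findings.append("untrusted upstream certificates passed through")
    if settings.get("bypass_parent_rule"):
        findings.append("bypasses parent MSP account rules")
    if (rule.get("expiration") or {}).get("expired") and rule.get("enabled"):
        findings.append("expired policy still enabled (stale rule)")
    return findings


def allows_before_blocks(phase_rules: list[dict]) -> list[tuple[str, str]]:
    """Within one phase, an enabled allow with a lower precedence value runs before a
    later block. Whether their expressions overlap cannot be decided here, so the
    pairs are reported for review rather than as definite errors."""
    enabled = [r for r in phase_rules if r.get("enabled")]
    pairs = []
    for i, allow in enumerate(enabled):
        if allow["action"] != "allow":
            continue
        pairs.extend((allow["id"], b["id"]) for b in enabled[i + 1:] if b["action"] == "block")
    return pairs


def audit(raw: str) -> dict[str, list[str]]:
    """Map rule id to findings for every rule that has at least one."""
    report: dict[str, list[str]] = {}
    for phase, rules in by_phase(parse_rules(raw)).items():
        for rule in rules:
            found = audit_rule(rule)
            if found:
                report[rule["id"]] = found
        for allow_id, block_id in allows_before_blocks(rules):
            report.setdefault(allow_id, []).append(
                f"evaluated before block rule {block_id} in the {phase} phase; check expression overlap")
    return report


if __name__ == "__main__":
    for rule_id, findings in audit(SAMPLE_RESPONSE).items():
        print(rule_id, findings)
```

Feed it the body of a real list call (paging through `result_info` as needed) to get the same report for an account.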
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "action": "allow",
      "enabled": true,
      "filters": [
        "http"
      ],
      "name": "block bad websites",
      "precedence": 0,
      "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "deleted_at": "2019-12-27T18:11:19.117Z",
      "description": "Block bad websites based on their host name.",
      "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
      "expiration": {
        "expires_at": "2014-01-01T05:20:20Z",
        "duration": 10,
        "expired": false
      },
      "identity": "any(identity.groups.name[*] in {\"finance\"})",
      "read_only": true,
      "rule_settings": {
        "add_headers": {
          "My-Next-Header": [
            "foo",
            "bar"
          ],
          "X-Custom-Header-Name": [
            "somecustomvalue"
          ]
        },
        "allow_child_bypass": false,
        "audit_ssh": {
          "command_logging": false
        },
        "biso_admin_controls": {
          "copy": "remote_only",
          "dcp": true,
          "dd": true,
          "dk": true,
          "download": "enabled",
          "dp": false,
          "du": true,
          "keyboard": "enabled",
          "paste": "enabled",
          "printing": "enabled",
          "upload": "enabled",
          "version": "v1"
        },
        "block_page": {
          "target_uri": "https://example.com",
          "include_context": true
        },
        "block_page_enabled": true,
        "block_reason": "This website is a security risk",
        "bypass_parent_rule": false,
        "check_session": {
          "duration": "300s",
          "enforce": true
        },
        "dns_resolvers": {
          "ipv4": [
            {
              "ip": "2.2.2.2",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id":
                "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ],
          "ipv6": [
            {
              "ip": "2001:DB8::",
              "port": 5053,
              "route_through_private_network": true,
              "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
            }
          ]
        },
        "egress": {
          "ipv4": "192.0.2.2",
          "ipv4_fallback": "192.0.2.3",
          "ipv6": "2001:DB8::/64"
        },
        "forensic_copy": {
          "enabled": true
        },
        "ignore_cname_category_matches": true,
        "insecure_disable_dnssec_validation": false,
        "ip_categories": true,
        "ip_indicator_feeds": true,
        "l4override": {
          "ip": "1.1.1.1",
          "port": 0
        },
        "notification_settings": {
          "enabled": true,
          "include_context": true,
          "msg": "msg",
          "support_url": "support_url"
        },
        "override_host": "example.com",
        "override_ips": [
          "1.1.1.1",
          "2.2.2.2"
        ],
        "payload_log": {
          "enabled": true
        },
        "quarantine": {
          "file_types": [
            "exe"
          ]
        },
        "redirect": {
          "target_uri": "https://example.com",
          "include_context": true,
          "preserve_path_and_query": true
        },
        "resolve_dns_internally": {
          "fallback": "none",
          "view_id": "view_id"
        },
        "resolve_dns_through_cloudflare": true,
        "untrusted_cert": {
          "action": "error"
        }
      },
      "schedule": {
        "fri": "08:00-12:30,13:30-17:00",
        "mon": "08:00-12:30,13:30-17:00",
        "sat": "08:00-12:30,13:30-17:00",
        "sun": "08:00-12:30,13:30-17:00",
        "thu": "08:00-12:30,13:30-17:00",
        "time_zone": "America/New York",
        "tue": "08:00-12:30,13:30-17:00",
        "wed": "08:00-12:30,13:30-17:00"
      },
      "sharable": true,
      "source_account": "source_account",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "version": 1,
      "warning_status": "warning_status"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get Zero Trust Gateway rule details.

**get** `/accounts/{account_id}/gateway/rules/{rule_id}`

Get a single Zero Trust Gateway rule.

### Path Parameters

- `account_id: string`
- `rule_id: string` Identify the API resource with a UUID.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional GatewayRule`
  - `action: "on" or "off" or "allow" or 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `enabled: boolean` Specify whether the rule is enabled.
  - `filters: array of GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: string` Specify the rule name.
  - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id: optional string` Identify the API resource with a UUID.
  - `created_at: optional string`
  - `deleted_at: optional string` Indicate the date of deletion, if any.
  - `description: optional string` Specify the rule description.
  - `device_posture: optional string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration: optional { expires_at, duration, expired }` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
    - `duration: optional number` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired: optional boolean` Indicates whether the policy is expired.
  - `identity: optional string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only: optional boolean` Indicate that this rule is shared via the Orgs API and is read only.
  - `rule_settings: optional RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers: optional map[array of string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass: optional boolean` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh: optional { command_logging }` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging: optional boolean` Enable SSH command logging.
    - `biso_admin_controls: optional { copy, dcp, dd, 9 more }` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy: optional "enabled" or "disabled" or "remote_only"` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp: optional boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd: optional boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk: optional boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download: optional "enabled" or "disabled" or "remote_only"` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp: optional boolean` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du: optional boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard: optional "enabled" or "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled.
        Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
      - `paste: optional "enabled" or "disabled" or "remote_only"` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing: optional "enabled" or "disabled"` Configure print behavior. By default, printing is enabled. Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
      - `upload: optional "enabled" or "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2".
        - `"enabled"`
        - `"disabled"`
      - `version: optional "v1" or "v2"` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page: optional { target_uri, include_context }` Configure custom block page settings. If missing or null, use the account settings. Settable only for `http` rules with the action set to `block`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
    - `block_page_enabled: optional boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason: optional string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule: optional boolean` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session: optional { duration, enforce }` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration: optional string` Sets the required session freshness threshold.
        The API returns a normalized version of this value.
      - `enforce: optional boolean` Enable session enforcement.
    - `dns_resolvers: optional { ipv4, ipv6 }` Configure custom resolvers to route queries that match the resolver policy. Unused with the 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to 'resolve'. Settable only for `dns_resolver` rules.
      - `ipv4: optional array of DNSResolverSettingsV4`
        - `ip: string` Specify the IPv4 address of the upstream resolver.
        - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
      - `ipv6: optional array of DNSResolverSettingsV6`
        - `ip: string` Specify the IPv6 address of the upstream resolver.
        - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when vnet_id is set.
        - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
    - `egress: optional { ipv4, ipv4_fallback, ipv6 }` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4: optional string` Specify the IPv4 address to use for egress.
      - `ipv4_fallback: optional string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs.
      - `ipv6: optional string` Specify the IPv6 range to use for egress.
    - `forensic_copy: optional { enabled }` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
      - `enabled: optional boolean` Enable sending the copy to storage.
    - `ignore_cname_category_matches: optional boolean` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation: optional boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories: optional boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds: optional boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override: optional { ip, port }` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip: optional string` Defines the IPv4 or IPv6 address.
      - `port: optional number` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings: optional { enabled, include_context, msg, support_url }` Configure a notification to display on the user's device when this rule is matched. Settable for all types of rules with the action set to `block`.
      - `enabled: optional boolean` Enable the notification.
      - `include_context: optional boolean` Indicates whether to pass the context information as query parameters.
      - `msg: optional string` Customize the message shown in the notification.
      - `support_url: optional string` Defines an optional URL to direct users to additional information.
If unset, the notification opens a block page. - `override_host: optional string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `override_ips: optional array of string` Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `payload_log: optional { enabled }` Configure DLP payload logging. Settable only for `http` rules. - `enabled: optional boolean` Enable DLP payload logging for this rule. - `quarantine: optional { file_types }` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `file_types: optional array of "exe" or "pdf" or "doc" or 10 more` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect: optional { target_uri, include_context, preserve_path_and_query }` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context: optional boolean` Specify whether to pass the context information as query parameters. - `preserve_path_and_query: optional boolean` Specify whether to append the path and query parameters from the original request to target_uri. - `resolve_dns_internally: optional { fallback, view_id }` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `fallback: optional "none" or "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. 
- `"none"` - `"public_dns"` - `view_id: optional string` Specify the internal DNS view identifier to pass to the internal DNS service. - `resolve_dns_through_cloudflare: optional boolean` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `untrusted_cert: optional { action }` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `action: optional "pass_through" or "block" or "error"` Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526. - `"pass_through"` - `"block"` - `"error"` - `schedule: optional Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri: optional string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `mon: optional string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sat: optional string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. 
- `sun: optional string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `thu: optional string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `time_zone: optional string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `tue: optional string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `wed: optional string` Specify the time intervals when the rule is active on Wednesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Wednesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sharable: optional boolean` Indicate that this rule is sharable via the Orgs API. - `source_account: optional string` Provide the account tag of the account that created the rule. - `updated_at: optional string` - `version: optional number` Indicate the version number of the rule(read-only). 
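The `rule_settings` descriptions above carry a set of compatibility constraints that the API enforces but the reference does not check for you before the call: which filter and action each setting is settable for, the mutual exclusion of `dns_resolvers`, `resolve_dns_internally` and `resolve_dns_through_cloudflare`, `route_through_private_network` being required once `vnet_id` is set, `expiration` and `schedule` being limited to DNS rule types, and the `expires_at` and schedule strings the API rewrites before echoing them back. As an added example that is not Cloudflare's code or SDK, the following Python checks a rule body against those documented constraints and normalizes the two string fields into the form the API returns; the scope table, function names, error wording and constructed sample bodies are this example's own.

```python
"""Pre-flight checks for a Zero Trust Gateway rule body. Added example, not Cloudflare
code: the scope table, helper names and sample bodies are built from this reference."""
from datetime import datetime, timezone
ALL_FILTERS = {"http", "dns", "l4", "egress", "dns_resolver"}
# rule_settings key -> (filters it is settable for, actions it requires; None = any action)
RULE_SETTING_SCOPE = {
    "add_headers": ({"http"}, {"allow"}),
    "audit_ssh": ({"l4"}, {"audit_ssh"}),  # action name as documented for this setting
    "biso_admin_controls": ({"http"}, {"isolate"}),
    "block_page": ({"http"}, {"block"}),
    "block_page_enabled": ({"dns"}, {"block"}),
    "block_reason": ({"dns", "l4", "http"}, {"block"}),
    "check_session": ({"l4", "http"}, {"allow"}),
    "dns_resolvers": ({"dns_resolver"}, {"resolve"}),
    "egress": ({"egress"}, None),
    "ignore_cname_category_matches": ({"dns", "dns_resolver"}, None),
    "insecure_disable_dnssec_validation": ({"dns"}, None),
    "ip_categories": ({"dns", "dns_resolver"}, None),
    "ip_indicator_feeds": ({"dns", "dns_resolver"}, None),
    "l4override": ({"l4"}, {"l4_override"}),
    "notification_settings": (ALL_FILTERS, {"block"}),
    "override_host": ({"dns"}, {"override"}), "override_ips": ({"dns"}, {"override"}),
    "payload_log": ({"http"}, None), "quarantine": ({"http"}, None),
    "redirect": ({"http"}, {"redirect"}),
    "resolve_dns_internally": ({"dns_resolver"}, {"resolve"}),
    "resolve_dns_through_cloudflare": ({"dns_resolver"}, {"resolve"}),
    "untrusted_cert": ({"http"}, {"allow"}),
}
RESOLVE_TARGETS = {"dns_resolvers", "resolve_dns_internally", "resolve_dns_through_cloudflare"}

def _minutes(hhmm):
    """Parse 'H:MM' or 'HH:MM' within 00:00-24:00 into minutes since midnight."""
    hours, mins = (int(x) for x in hhmm.strip().split(":"))
    if not (0 <= mins < 60 and 0 <= hours * 60 + mins <= 24 * 60):
        raise ValueError(f"time {hhmm.strip()!r} is outside 00:00-24:00")
    return hours * 60 + mins

def normalize_schedule_day(value, max_splits=6):
    """Check the intervals increase and return the zero-padded, space-free form the API
    echoes back. The 6-split cap is documented for `mon`; applying it to every day is an assumption."""
    spans, last_end = [], -1
    for part in value.split(","):
        start, end = (_minutes(t) for t in part.split("-"))
        if not last_end < start < end:
            raise ValueError(f"intervals not in increasing order at {part.strip()!r}")
        spans.append(f"{start // 60:02d}:{start % 60:02d}-{end // 60:02d}:{end % 60:02d}")
        last_end = end
    if len(spans) > max_splits:
        raise ValueError(f"more than {max_splits} time splits")
    return ",".join(spans)

def normalize_expires_at(value):
    """expires_at must be RFC 3339 with a UTC offset; the API stores UTC with a trailing Z."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        raise ValueError("expires_at must include a UTC offset")
    return parsed.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def validate_rule(rule):
    """Return the documented-constraint violations in a rule body ([] when consistent)."""
    filters = rule.get("filters") or []
    if len(filters) != 1:
        return [f"filters must contain exactly one value, got {filters!r}"]
    flt, action, problems = filters[0], rule.get("action"), []
    settings = rule.get("rule_settings") or {}
    for key in settings:
        if key not in RULE_SETTING_SCOPE:
            continue  # not constrained by the reference
        allowed_filters, allowed_actions = RULE_SETTING_SCOPE[key]
        if flt not in allowed_filters:
            problems.append(f"{key} is not settable for {flt} rules")
        elif allowed_actions and action not in allowed_actions:
            problems.append(f"{key} requires action {sorted(allowed_actions)}, got {action!r}")
    if len(RESOLVE_TARGETS.intersection(settings)) > 1:
        problems.append("dns_resolvers, resolve_dns_internally and resolve_dns_through_cloudflare are mutually exclusive")
    for family in ("ipv4", "ipv6"):
        for resolver in (settings.get("dns_resolvers") or {}).get(family) or []:
            if "vnet_id" in resolver and "route_through_private_network" not in resolver:
                problems.append(f"resolver {resolver.get('ip')} sets vnet_id without route_through_private_network")
    if "expiration" in rule and flt != "dns":
        problems.append("expiration is settable only for dns rules")
    if "schedule" in rule and flt not in {"dns", "dns_resolver"}:
        problems.append("schedule is settable only for dns and dns_resolver rules")
    return problems

# Constructed sample bodies for illustration (not from the reference).
VALID_DNS_BLOCK_RULE = {
    "name": "dns block, business hours", "action": "block", "filters": ["dns"],
    "rule_settings": {"block_page_enabled": True, "block_reason": "Blocked by policy"},
    "expiration": {"expires_at": "2030-01-01T00:00:00Z", "duration": 60},
    "schedule": {"mon": "08:00-12:30,13:30-17:00", "time_zone": "America/New_York"}}
BAD_HTTP_RULE = {  # add_headers is allow-only, but this rule blocks
    "name": "http block", "action": "block", "filters": ["http"],
    "rule_settings": {"block_page": {"target_uri": "https://example.com"},
                      "add_headers": {"X-Custom-Header-Name": ["somecustomvalue"]}}}
BAD_RESOLVER_RULE = {  # two resolve targets, and vnet_id without route_through_private_network
    "name": "resolver", "action": "resolve", "filters": ["dns_resolver"],
    "rule_settings": {"resolve_dns_through_cloudflare": True, "dns_resolvers": {"ipv4": [
        {"ip": "192.0.2.53", "port": 53, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"}]}}}
```

Run `validate_rule` on the body before creating or updating a rule, and write the values returned by `normalize_schedule_day` and `normalize_expires_at` into the body (and into Terraform configuration), so that what is stored matches what the API echoes back and no drift is reported on the next plan.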
  - `warning_status: optional string` Indicate a warning for a misconfigured rule, if any.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules/$RULE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": ["http"],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": ["foo", "bar"],
        "X-Custom-Header-Name": ["somecustomvalue"]
      },
      "allow_child_bypass": false,
      "audit_ssh": { "command_logging": false },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": { "target_uri": "https://example.com", "include_context": true },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": { "duration": "300s", "enforce": true },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": { "ipv4": "192.0.2.2", "ipv4_fallback": "192.0.2.3", "ipv6": "2001:DB8::/64" },
      "forensic_copy": { "enabled": true },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": { "ip": "1.1.1.1", "port": 0 },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": ["1.1.1.1", "2.2.2.2"],
      "payload_log": { "enabled": true },
      "quarantine": { "file_types": ["exe"] },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": { "action": "error" }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New_York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Create a Zero Trust Gateway rule

**post** `/accounts/{account_id}/gateway/rules`

Create a new Zero Trust Gateway rule.

### Path Parameters

- `account_id: string`

### Body Parameters

- `action: "on" or "off" or "allow" or 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
  - `"on"`
  - `"off"`
  - `"allow"`
  - `"block"`
  - `"scan"`
  - `"noscan"`
  - `"safesearch"`
  - `"ytrestricted"`
  - `"isolate"`
  - `"noisolate"`
  - `"override"`
  - `"l4_override"`
  - `"egress"`
  - `"resolve"`
  - `"quarantine"`
  - `"redirect"`
- `name: string` Specify the rule name.
- `description: optional string` Specify the rule description.
- `device_posture: optional string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
- `enabled: optional boolean` Specify whether the rule is enabled.
- `expiration: optional { expires_at, duration, expired }` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
  - `expires_at: string` The timestamp at which the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time.
  - `duration: optional number` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
  - `expired: optional boolean` Indicates whether the policy is expired.
- `filters: optional array of GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
  - `"http"`
  - `"dns"`
  - `"l4"`
  - `"egress"`
  - `"dns_resolver"`
- `identity: optional string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
- `precedence: optional number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
- `rule_settings: optional RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `add_headers: optional map[array of string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
  - `allow_child_bypass: optional boolean` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
  - `audit_ssh: optional { command_logging }` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
    - `command_logging: optional boolean` Enable SSH command logging.
  - `biso_admin_controls: optional { copy, dcp, dd, 9 more }` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
    - `copy: optional "enabled" or "disabled" or "remote_only"` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dcp: optional boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
    - `dd: optional boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
    - `dk: optional boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
    - `download: optional "enabled" or "disabled" or "remote_only"` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dp: optional boolean` Set to false to enable printing. Only applies when `version == "v1"`.
    - `du: optional boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
    - `keyboard: optional "enabled" or "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `paste: optional "enabled" or "disabled" or "remote_only"` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `printing: optional "enabled" or "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `upload: optional "enabled" or "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `version: optional "v1" or "v2"` Indicate which version of the browser isolation controls should apply.
      - `"v1"`
      - `"v2"`
  - `block_page: optional { target_uri, include_context }` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
    - `target_uri: string` Specify the URI to which the user is redirected.
    - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
  - `block_page_enabled: optional boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
  - `block_reason: optional string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules with the action set to `block`.
  - `bypass_parent_rule: optional boolean` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
  - `check_session: optional { duration, enforce }` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
    - `duration: optional string` Sets the required session freshness threshold. The API returns a normalized version of this value.
    - `enforce: optional boolean` Enable session enforcement.
  - `dns_resolvers: optional { ipv4, ipv6 }` Configure custom resolvers to route queries that match the resolver policy. Unused when `resolve_dns_through_cloudflare` or `resolve_dns_internally` is set. DNS queries are routed to the address closest to their origin. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `ipv4: optional array of DNSResolverSettingsV4`
      - `ip: string` Specify the IPv4 address of the upstream resolver.
      - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
    - `ipv6: optional array of DNSResolverSettingsV6`
      - `ip: string` Specify the IPv6 address of the upstream resolver.
      - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
  - `egress: optional { ipv4, ipv4_fallback, ipv6 }` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
    - `ipv4: optional string` Specify the IPv4 address to use for egress.
    - `ipv4_fallback: optional string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs.
    - `ipv6: optional string` Specify the IPv6 range to use for egress.
  - `forensic_copy: optional { enabled }` Configure whether a copy of the HTTP request is sent to storage when the rule matches.
    - `enabled: optional boolean` Enable sending the copy to storage.
  - `ignore_cname_category_matches: optional boolean` Ignore category matches at CNAME domains in a response. When off, the categories in this rule are evaluated against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
  - `insecure_disable_dnssec_validation: optional boolean` Specify whether to disable DNSSEC validation for `allow` actions. This is insecure: responses that would otherwise fail validation are returned to the client. Settable only for `dns` rules.
  - `ip_categories: optional boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
  - `ip_indicator_feeds: optional boolean` Indicate whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
  - `l4override: optional { ip, port }` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
    - `ip: optional string` Defines the IPv4 or IPv6 address.
    - `port: optional number` Defines a port number to use for TCP/UDP overrides.
  - `notification_settings: optional { enabled, include_context, msg, support_url }` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
    - `enabled: optional boolean` Enable the notification.
    - `include_context: optional boolean` Indicate whether to pass the context information as query parameters.
    - `msg: optional string` Customize the message shown in the notification.
    - `support_url: optional string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
  - `override_host: optional string` Defines the hostname to return for matching DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `override_ips: optional array of string` Defines an IP or set of IPs to return for matching DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `payload_log: optional { enabled }` Configure DLP payload logging. Settable only for `http` rules.
    - `enabled: optional boolean` Enable DLP payload logging for this rule.
  - `quarantine: optional { file_types }` Configure settings that apply to quarantine rules. Settable only for `http` rules.
    - `file_types: optional array of "exe" or "pdf" or "doc" or 10 more` Specify the types of files to sandbox.
      - `"exe"`
      - `"pdf"`
      - `"doc"`
      - `"docm"`
      - `"docx"`
      - `"rtf"`
      - `"ppt"`
      - `"pptx"`
      - `"xls"`
      - `"xlsm"`
      - `"xlsx"`
      - `"zip"`
      - `"rar"`
  - `redirect: optional { target_uri, include_context, preserve_path_and_query }` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
    - `target_uri: string` Specify the URI to which the user is redirected.
    - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
    - `preserve_path_and_query: optional boolean` Specify whether to append the path and query parameters from the original request to `target_uri`.
  - `resolve_dns_internally: optional { fallback, view_id }` Forward the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `fallback: optional "none" or "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
      - `"none"`
      - `"public_dns"`
    - `view_id: optional string` Specify the internal DNS view identifier to pass to the internal DNS service.
  - `resolve_dns_through_cloudflare: optional boolean` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
  - `untrusted_cert: optional { action }` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
    - `action: optional "pass_through" or "block" or "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526. `pass_through` lets the request proceed despite the failed certificate check, so scope rules that use it narrowly.
      - `"pass_through"`
      - `"block"`
      - `"error"`
- `schedule: optional Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `fri: optional string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `mon: optional string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sat: optional string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sun: optional string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `thu: optional string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `time_zone: optional string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
  - `tue: optional string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `wed: optional string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
- `traffic: optional string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional GatewayRule`
  - `action: "on" or "off" or "allow" or 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
    - `"on"`
    - `"off"`
    - `"allow"`
    - `"block"`
    - `"scan"`
    - `"noscan"`
    - `"safesearch"`
    - `"ytrestricted"`
    - `"isolate"`
    - `"noisolate"`
    - `"override"`
    - `"l4_override"`
    - `"egress"`
    - `"resolve"`
    - `"quarantine"`
    - `"redirect"`
  - `enabled: boolean` Specify whether the rule is enabled.
  - `filters: array of GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: string` Specify the rule name.
  - `precedence: number` Set the order of your rules.
Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id: optional string` Identify the API resource with a UUID.
  - `created_at: optional string`
  - `deleted_at: optional string` Indicate the date of deletion, if any.
  - `description: optional string` Specify the rule description.
  - `device_posture: optional string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration: optional { expires_at, duration, expired }` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: string` The timestamp at which the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time.
    - `duration: optional number` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired: optional boolean` Indicates whether the policy is expired.
  - `identity: optional string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only: optional boolean` Indicate that this rule is shared via the Orgs API and read-only.
  - `rule_settings: optional RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers: optional map[array of string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass: optional boolean` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh: optional { command_logging }` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging: optional boolean` Enable SSH command logging.
    - `biso_admin_controls: optional { copy, dcp, dd, 9 more }` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy: optional "enabled" or "disabled" or "remote_only"` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp: optional boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd: optional boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk: optional boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download: optional "enabled" or "disabled" or "remote_only"` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp: optional boolean` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du: optional boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard: optional "enabled" or "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste: optional "enabled" or "disabled" or "remote_only"` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing: optional "enabled" or "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload: optional "enabled" or "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version: optional "v1" or "v2"` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page: optional { target_uri, include_context }` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
    - `block_page_enabled: optional boolean` Enable the custom block page.
Settable only for `dns` rules with action `block`. - `block_reason: optional string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action set to `block`. - `bypass_parent_rule: optional boolean` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `check_session: optional { duration, enforce }` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `duration: optional string` Sets the required session freshness threshold. The API returns a normalized version of this value. - `enforce: optional boolean` Enable session enforcement. - `dns_resolvers: optional { ipv4, ipv6 }` Configure custom resolvers to route queries that match the resolver policy. Unused with 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `ipv4: optional array of DNSResolverSettingsV4` - `ip: string` Specify the IPv4 address of the upstream resolver. - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `ipv6: optional array of DNSResolverSettingsV6` - `ip: string` Specify the IPv6 address of the upstream resolver. - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. 
Must set when vnet_id set. - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. - `egress: optional { ipv4, ipv4_fallback, ipv6 }` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. - `ipv4: optional string` Specify the IPv4 address to use for egress. - `ipv4_fallback: optional string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs. - `ipv6: optional string` Specify the IPv6 range to use for egress. - `forensic_copy: optional { enabled }` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `enabled: optional boolean` Enable sending the copy to storage. - `ignore_cname_category_matches: optional boolean` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `insecure_disable_dnssec_validation: optional boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules. - `ip_categories: optional boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `ip_indicator_feeds: optional boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. Default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `l4override: optional { ip, port }` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `ip: optional string` Defines the IPv4 or IPv6 address. 
- `port: optional number` Defines a port number to use for TCP/UDP overrides. - `notification_settings: optional { enabled, include_context, msg, support_url }` Configure a notification to display on the user's device when this rule matched. Settable for all types of rules with the action set to `block`. - `enabled: optional boolean` Enable notification. - `include_context: optional boolean` Indicates whether to pass the context information as query parameters. - `msg: optional string` Customize the message shown in the notification. - `support_url: optional string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. - `override_host: optional string` Defines a hostname for override, for the matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `override_ips: optional array of string` Defines a an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `payload_log: optional { enabled }` Configure DLP payload logging. Settable only for `http` rules. - `enabled: optional boolean` Enable DLP payload logging for this rule. - `quarantine: optional { file_types }` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `file_types: optional array of "exe" or "pdf" or "doc" or 10 more` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect: optional { target_uri, include_context, preserve_path_and_query }` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context: optional boolean` Specify whether to pass the context information as query parameters. 
- `preserve_path_and_query: optional boolean` Specify whether to append the path and query parameters from the original request to target_uri. - `resolve_dns_internally: optional { fallback, view_id }` Configure to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `fallback: optional "none" or "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `"none"` - `"public_dns"` - `view_id: optional string` Specify the internal DNS view identifier to pass to the internal DNS service. - `resolve_dns_through_cloudflare: optional boolean` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot set when 'dns_resolvers' specified or 'resolve_dns_internally' is set. Only valid when a rule's action set to 'resolve'. Settable only for `dns_resolver` rules. - `untrusted_cert: optional { action }` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `action: optional "pass_through" or "block" or "error"` Defines the action performed when an untrusted certificate seen. The default action an error with HTTP code 526. - `"pass_through"` - `"block"` - `"error"` - `schedule: optional Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri: optional string` Specify the time intervals when the rule is active on Fridays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Fridays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. 
- `mon: optional string` Specify the time intervals when the rule is active on Mondays, in the increasing order from 00:00-24:00(capped at maximum of 6 time splits). If this parameter omitted, the rule is deactivated on Mondays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sat: optional string` Specify the time intervals when the rule is active on Saturdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Saturdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `sun: optional string` Specify the time intervals when the rule is active on Sundays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Sundays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `thu: optional string` Specify the time intervals when the rule is active on Thursdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Thursdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. - `time_zone: optional string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. Colo time zone is used when the user's IP address does not resolve to a location. - `tue: optional string` Specify the time intervals when the rule is active on Tuesdays, in the increasing order from 00:00-24:00. If this parameter omitted, the rule is deactivated on Tuesdays. API returns a formatted version of this string, which may cause Terraform drift if a unformatted value is used. 
    - `wed: optional string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sharable: optional boolean` Indicate that this rule is sharable via the Orgs API.
  - `source_account: optional string` Provide the account tag of the account that created the rule.
  - `updated_at: optional string`
  - `version: optional number` Indicate the version number of the rule (read-only).
  - `warning_status: optional string` Indicate a warning for a misconfigured rule, if any.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "action": "allow",
    "name": "block bad websites",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "enabled": true,
    "filters": ["http"],
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": ["http"],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": {
      "expires_at": "2014-01-01T05:20:20Z",
      "duration": 10,
      "expired": false
    },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": {
        "My-Next-Header": ["foo", "bar"],
        "X-Custom-Header-Name": ["somecustomvalue"]
      },
      "allow_child_bypass": false,
      "audit_ssh": { "command_logging": false },
      "biso_admin_controls": {
        "copy": "remote_only",
        "dcp": true,
        "dd": true,
        "dk": true,
        "download": "enabled",
        "dp": false,
        "du": true,
        "keyboard": "enabled",
        "paste": "enabled",
        "printing": "enabled",
        "upload": "enabled",
        "version": "v1"
      },
      "block_page": { "target_uri": "https://example.com", "include_context": true },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": { "duration": "300s", "enforce": true },
      "dns_resolvers": {
        "ipv4": [
          {
            "ip": "2.2.2.2",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ],
        "ipv6": [
          {
            "ip": "2001:DB8::",
            "port": 5053,
            "route_through_private_network": true,
            "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
          }
        ]
      },
      "egress": { "ipv4": "192.0.2.2", "ipv4_fallback": "192.0.2.3", "ipv6": "2001:DB8::/64" },
      "forensic_copy": { "enabled": true },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": { "ip": "1.1.1.1", "port": 0 },
      "notification_settings": {
        "enabled": true,
        "include_context": true,
        "msg": "msg",
        "support_url": "support_url"
      },
      "override_host": "example.com",
      "override_ips": ["1.1.1.1", "2.2.2.2"],
      "payload_log": { "enabled": true },
      "quarantine": { "file_types": ["exe"] },
      "redirect": {
        "target_uri": "https://example.com",
        "include_context": true,
        "preserve_path_and_query": true
      },
      "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": { "action": "error" }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Update a Zero Trust Gateway rule

**put** `/accounts/{account_id}/gateway/rules/{rule_id}`

Update a configured Zero Trust Gateway rule.

### Path Parameters

- `account_id: string`
- `rule_id: string` Identify the API resource with a UUID.

### Body Parameters

- `action: "on" or "off" or "allow" or 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`.
  - `"on"`
  - `"off"`
  - `"allow"`
  - `"block"`
  - `"scan"`
  - `"noscan"`
  - `"safesearch"`
  - `"ytrestricted"`
  - `"isolate"`
  - `"noisolate"`
  - `"override"`
  - `"l4_override"`
  - `"egress"`
  - `"resolve"`
  - `"quarantine"`
  - `"redirect"`
- `name: string` Specify the rule name.
- `description: optional string` Specify the rule description.
- `device_posture: optional string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
- `enabled: optional boolean` Specify whether the rule is enabled.
- `expiration: optional { expires_at, duration, expired }` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies.
  Settable only for `dns` rules.
  - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time.
  - `duration: optional number` Defines the default duration, in minutes, that a policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
  - `expired: optional boolean` Indicates whether the policy is expired.
- `filters: optional array of GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
  - `"http"`
  - `"dns"`
  - `"l4"`
  - `"egress"`
  - `"dns_resolver"`
- `identity: optional string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
- `precedence: optional number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
- `rule_settings: optional RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `add_headers: optional map[array of string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
  - `allow_child_bypass: optional boolean` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
  - `audit_ssh: optional { command_logging }` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
    - `command_logging: optional boolean` Enable SSH command logging.
  - `biso_admin_controls: optional { copy, dcp, dd, 9 more }` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
    - `copy: optional "enabled" or "disabled" or "remote_only"` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dcp: optional boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
    - `dd: optional boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
    - `dk: optional boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
    - `download: optional "enabled" or "disabled" or "remote_only"` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dp: optional boolean` Set to false to enable printing. Only applies when `version == "v1"`.
    - `du: optional boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
    - `keyboard: optional "enabled" or "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `paste: optional "enabled" or "disabled" or "remote_only"` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `printing: optional "enabled" or "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `upload: optional "enabled" or "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `version: optional "v1" or "v2"` Indicate which version of the browser isolation controls should apply.
      - `"v1"`
      - `"v2"`
  - `block_page: optional { target_uri, include_context }` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
    - `target_uri: string` Specify the URI to which the user is redirected.
    - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
  - `block_page_enabled: optional boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
  - `block_reason: optional string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
  - `bypass_parent_rule: optional boolean` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
  - `check_session: optional { duration, enforce }` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
    - `duration: optional string` Sets the required session freshness threshold. The API returns a normalized version of this value.
    - `enforce: optional boolean` Enable session enforcement.
  - `dns_resolvers: optional { ipv4, ipv6 }` Configure custom resolvers to route queries that match the resolver policy. Not used when `resolve_dns_through_cloudflare` or `resolve_dns_internally` is set. DNS queries get routed to the address closest to their origin. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `ipv4: optional array of DNSResolverSettingsV4`
      - `ip: string` Specify the IPv4 address of the upstream resolver.
      - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
    - `ipv6: optional array of DNSResolverSettingsV6`
      - `ip: string` Specify the IPv6 address of the upstream resolver.
      - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network id if omitted.
  - `egress: optional { ipv4, ipv4_fallback, ipv6 }` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
    - `ipv4: optional string` Specify the IPv4 address to use for egress.
    - `ipv4_fallback: optional string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `'0.0.0.0'` to indicate local egress via WARP IPs.
    - `ipv6: optional string` Specify the IPv6 range to use for egress.
  - `forensic_copy: optional { enabled }` Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
    - `enabled: optional boolean` Enable sending the copy to storage.
  - `ignore_cname_category_matches: optional boolean` Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
  - `insecure_disable_dnssec_validation: optional boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
  - `ip_categories: optional boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
  - `ip_indicator_feeds: optional boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
  - `l4override: optional { ip, port }` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
    - `ip: optional string` Defines the IPv4 or IPv6 address.
    - `port: optional number` Defines a port number to use for TCP/UDP overrides.
  - `notification_settings: optional { enabled, include_context, msg, support_url }` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
    - `enabled: optional boolean` Enable the notification.
    - `include_context: optional boolean` Indicates whether to pass the context information as query parameters.
    - `msg: optional string` Customize the message shown in the notification.
    - `support_url: optional string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
  - `override_host: optional string` Defines a hostname to use as the override for matching DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `override_ips: optional array of string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `payload_log: optional { enabled }` Configure DLP payload logging. Settable only for `http` rules.
    - `enabled: optional boolean` Enable DLP payload logging for this rule.
  - `quarantine: optional { file_types }` Configure settings that apply to quarantine rules. Settable only for `http` rules.
    - `file_types: optional array of "exe" or "pdf" or "doc" or 10 more` Specify the types of files to sandbox.
      - `"exe"`
      - `"pdf"`
      - `"doc"`
      - `"docm"`
      - `"docx"`
      - `"rtf"`
      - `"ppt"`
      - `"pptx"`
      - `"xls"`
      - `"xlsm"`
      - `"xlsx"`
      - `"zip"`
      - `"rar"`
  - `redirect: optional { target_uri, include_context, preserve_path_and_query }` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
    - `target_uri: string` Specify the URI to which the user is redirected.
    - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
    - `preserve_path_and_query: optional boolean` Specify whether to append the path and query parameters from the original request to `target_uri`.
  - `resolve_dns_internally: optional { fallback, view_id }` Configure forwarding of the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `fallback: optional "none" or "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
      - `"none"`
      - `"public_dns"`
    - `view_id: optional string` Specify the internal DNS view identifier to pass to the internal DNS service.
  - `resolve_dns_through_cloudflare: optional boolean` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
  - `untrusted_cert: optional { action }` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
    - `action: optional "pass_through" or "block" or "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
      - `"pass_through"`
      - `"block"`
      - `"error"`
- `schedule: optional Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `fri: optional string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `mon: optional string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sat: optional string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sun: optional string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `thu: optional string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `time_zone: optional string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The colo time zone is used when the user's IP address does not resolve to a location.
  - `tue: optional string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `wed: optional string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
- `traffic: optional string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `success: true` Indicate whether the API call was successful. - `true` - `result: optional GatewayRule` - `action: "on" or "off" or "allow" or 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to `true`. - `"on"` - `"off"` - `"allow"` - `"block"` - `"scan"` - `"noscan"` - `"safesearch"` - `"ytrestricted"` - `"isolate"` - `"noisolate"` - `"override"` - `"l4_override"` - `"egress"` - `"resolve"` - `"quarantine"` - `"redirect"` - `enabled: boolean` Specify whether the rule is enabled. - `filters: array of GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` - `name: string` Specify the rule name. - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `id: optional string` Identify the API resource with a UUID. - `created_at: optional string` - `deleted_at: optional string` Indicate the date of deletion, if any. 
- `description: optional string` Specify the rule description. - `device_posture: optional string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `expiration: optional { expires_at, duration, expired }` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `expires_at: string` The timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time. - `duration: optional number` Defines the default duration, in minutes, for which the policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule. - `expired: optional boolean` Indicates whether the policy is expired. - `identity: optional string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `read_only: optional boolean` Indicate that this rule is shared via the Orgs API and read only. - `rule_settings: optional RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm that the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
- `add_headers: optional map[array of string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `allow_child_bypass: optional boolean` Set to enable MSP child accounts to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules. - `audit_ssh: optional { command_logging }` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action. - `command_logging: optional boolean` Enable SSH command logging. - `biso_admin_controls: optional { copy, dcp, dd, 9 more }` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `copy: optional "enabled" or "disabled" or "remote_only"` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `"remote_only"` - `dcp: optional boolean` Set to false to enable copy-pasting (true disables it). Only applies when `version == "v1"`. - `dd: optional boolean` Set to false to enable downloading (true disables it). Only applies when `version == "v1"`. - `dk: optional boolean` Set to false to enable keyboard usage (true disables it). Only applies when `version == "v1"`. - `download: optional "enabled" or "disabled" or "remote_only"` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `"remote_only"` - `dp: optional boolean` Set to false to enable printing (true disables it). Only applies when `version == "v1"`. - `du: optional boolean` Set to false to enable uploading (true disables it). Only applies when `version == "v1"`. - `keyboard: optional "enabled" or "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled.
Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `paste: optional "enabled" or "disabled" or "remote_only"` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `"remote_only"` - `printing: optional "enabled" or "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `upload: optional "enabled" or "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `version: optional "v1" or "v2"` Indicate which version of the browser isolation controls should apply. - `"v1"` - `"v2"` - `block_page: optional { target_uri, include_context }` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context: optional boolean` Specify whether to pass the context information as query parameters. - `block_page_enabled: optional boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`. - `block_reason: optional string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`. - `bypass_parent_rule: optional boolean` Set to enable MSP child accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `check_session: optional { duration, enforce }` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `duration: optional string` Sets the required session freshness threshold.
The API returns a normalized version of this value. - `enforce: optional boolean` Enable session enforcement. - `dns_resolvers: optional { ipv4, ipv6 }` Configure custom resolvers to route queries that match the resolver policy. Unused with the `resolve_dns_through_cloudflare` or `resolve_dns_internally` settings. DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules. - `ipv4: optional array of DNSResolverSettingsV4` - `ip: string` Specify the IPv4 address of the upstream resolver. - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set. - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted. - `ipv6: optional array of DNSResolverSettingsV6` - `ip: string` Specify the IPv6 address of the upstream resolver. - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set. - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted. - `egress: optional { ipv4, ipv4_fallback, ipv6 }` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. - `ipv4: optional string` Specify the IPv4 address to use for egress. - `ipv4_fallback: optional string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs.
- `ipv6: optional string` Specify the IPv6 range to use for egress. - `forensic_copy: optional { enabled }` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `enabled: optional boolean` Enable sending the copy to storage. - `ignore_cname_category_matches: optional boolean` Ignore category matches at CNAME domains in a response. When off, the categories in this rule are evaluated against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `insecure_disable_dnssec_validation: optional boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules. - `ip_categories: optional boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `ip_indicator_feeds: optional boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `l4override: optional { ip, port }` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `ip: optional string` Defines the IPv4 or IPv6 address. - `port: optional number` Defines a port number to use for TCP/UDP overrides. - `notification_settings: optional { enabled, include_context, msg, support_url }` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`. - `enabled: optional boolean` Enable the notification. - `include_context: optional boolean` Indicates whether to pass the context information as query parameters. - `msg: optional string` Customize the message shown in the notification. - `support_url: optional string` Defines an optional URL to direct users to additional information.
If unset, the notification opens a block page. - `override_host: optional string` Defines the hostname to use as the override for matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `override_ips: optional array of string` Defines an IP or set of IPs to use as the override for matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `payload_log: optional { enabled }` Configure DLP payload logging. Settable only for `http` rules. - `enabled: optional boolean` Enable DLP payload logging for this rule. - `quarantine: optional { file_types }` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `file_types: optional array of "exe" or "pdf" or "doc" or 10 more` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect: optional { target_uri, include_context, preserve_path_and_query }` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context: optional boolean` Specify whether to pass the context information as query parameters. - `preserve_path_and_query: optional boolean` Specify whether to append the path and query parameters from the original request to `target_uri`. - `resolve_dns_internally: optional { fallback, view_id }` Configure to forward the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules. - `fallback: optional "none" or "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
- `"none"` - `"public_dns"` - `view_id: optional string` Specify the internal DNS view identifier to pass to the internal DNS service. - `resolve_dns_through_cloudflare: optional boolean` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules. - `untrusted_cert: optional { action }` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `action: optional "pass_through" or "block" or "error"` Defines the action performed when an untrusted certificate is seen. The default action is to return an error with HTTP status code 526; `pass_through` lets the request proceed despite the failed validation. - `"pass_through"` - `"block"` - `"error"` - `schedule: optional Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri: optional string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `mon: optional string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sat: optional string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
- `sun: optional string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `thu: optional string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `time_zone: optional string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time in that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The time zone of the Cloudflare colo (data center) handling the query is used when the user's IP address does not resolve to a location. - `tue: optional string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `wed: optional string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sharable: optional boolean` Indicate that this rule is sharable via the Orgs API. - `source_account: optional string` Provide the account tag of the account that created the rule. - `updated_at: optional string` - `version: optional number` Indicate the version number of the rule (read-only).
- `warning_status: optional string` Indicate a warning for a misconfigured rule, if any.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules/$RULE_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "action": "allow",
    "name": "block bad websites",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "enabled": true,
    "filters": ["http"],
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10"
  }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "action": "allow",
    "enabled": true,
    "filters": ["http"],
    "name": "block bad websites",
    "precedence": 0,
    "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "deleted_at": "2019-12-27T18:11:19.117Z",
    "description": "Block bad websites based on their host name.",
    "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})",
    "expiration": { "expires_at": "2014-01-01T05:20:20Z", "duration": 10, "expired": false },
    "identity": "any(identity.groups.name[*] in {\"finance\"})",
    "read_only": true,
    "rule_settings": {
      "add_headers": { "My-Next-Header": ["foo", "bar"], "X-Custom-Header-Name": ["somecustomvalue"] },
      "allow_child_bypass": false,
      "audit_ssh": { "command_logging": false },
      "biso_admin_controls": {
        "copy": "remote_only", "dcp": true, "dd": true, "dk": true, "download": "enabled",
        "dp": false, "du": true, "keyboard": "enabled", "paste": "enabled",
        "printing": "enabled", "upload": "enabled", "version": "v1"
      },
      "block_page": { "target_uri": "https://example.com", "include_context": true },
      "block_page_enabled": true,
      "block_reason": "This website is a security risk",
      "bypass_parent_rule": false,
      "check_session": { "duration": "300s", "enforce": true },
      "dns_resolvers": {
        "ipv4": [
          { "ip": "2.2.2.2", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" }
        ],
        "ipv6": [
          { "ip": "2001:DB8::", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" }
        ]
      },
      "egress": { "ipv4": "192.0.2.2", "ipv4_fallback": "192.0.2.3", "ipv6": "2001:DB8::/64" },
      "forensic_copy": { "enabled": true },
      "ignore_cname_category_matches": true,
      "insecure_disable_dnssec_validation": false,
      "ip_categories": true,
      "ip_indicator_feeds": true,
      "l4override": { "ip": "1.1.1.1", "port": 0 },
      "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" },
      "override_host": "example.com",
      "override_ips": ["1.1.1.1", "2.2.2.2"],
      "payload_log": { "enabled": true },
      "quarantine": { "file_types": ["exe"] },
      "redirect": { "target_uri": "https://example.com", "include_context": true, "preserve_path_and_query": true },
      "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" },
      "resolve_dns_through_cloudflare": true,
      "untrusted_cert": { "action": "error" }
    },
    "schedule": {
      "fri": "08:00-12:30,13:30-17:00",
      "mon": "08:00-12:30,13:30-17:00",
      "sat": "08:00-12:30,13:30-17:00",
      "sun": "08:00-12:30,13:30-17:00",
      "thu": "08:00-12:30,13:30-17:00",
      "time_zone": "America/New_York",
      "tue": "08:00-12:30,13:30-17:00",
      "wed": "08:00-12:30,13:30-17:00"
    },
    "sharable": true,
    "source_account": "source_account",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "version": 1,
    "warning_status": "warning_status"
  }
}
```

## Delete a Zero Trust Gateway rule

**delete** `/accounts/{account_id}/gateway/rules/{rule_id}` Delete a Zero Trust Gateway rule.

### Path Parameters - `account_id: string` - `rule_id: string` Identify the API resource with a UUID.

### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `success: true` Indicate whether the API call was successful. - `true` - `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules/$RULE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {}
}
```

## List Zero Trust Gateway rules inherited from the parent account

**get** `/accounts/{account_id}/gateway/rules/tenant` List the Zero Trust Gateway rules of the parent account for an account in the MSP configuration.

### Path Parameters - `account_id: string`

### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `success: true` Indicate whether the API call was successful.
- `true` - `result: optional array of GatewayRule` - `action: "on" or "off" or "allow" or 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`. - `"on"` - `"off"` - `"allow"` - `"block"` - `"scan"` - `"noscan"` - `"safesearch"` - `"ytrestricted"` - `"isolate"` - `"noisolate"` - `"override"` - `"l4_override"` - `"egress"` - `"resolve"` - `"quarantine"` - `"redirect"` - `enabled: boolean` Specify whether the rule is enabled. - `filters: array of GatewayFilter` Specify the protocol or layer at which the traffic, identity, and device posture expressions are evaluated. Can only contain a single value. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` - `name: string` Specify the rule name. - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform. - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `id: optional string` Identify the API resource with a UUID. - `created_at: optional string` - `deleted_at: optional string` Indicate the date of deletion, if any. - `description: optional string` Specify the rule description. - `device_posture: optional string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
- `expiration: optional { expires_at, duration, expired }` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `expires_at: string` The timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time. - `duration: optional number` Defines the default duration, in minutes, for which the policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule. - `expired: optional boolean` Indicates whether the policy is expired. - `identity: optional string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `read_only: optional boolean` Indicate that this rule is shared via the Orgs API and read only. - `rule_settings: optional RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm that the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. - `add_headers: optional map[array of string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `allow_child_bypass: optional boolean` Set to enable MSP child accounts to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
- `audit_ssh: optional { command_logging }` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action. - `command_logging: optional boolean` Enable SSH command logging. - `biso_admin_controls: optional { copy, dcp, dd, 9 more }` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `copy: optional "enabled" or "disabled" or "remote_only"` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `"remote_only"` - `dcp: optional boolean` Set to false to enable copy-pasting (true disables it). Only applies when `version == "v1"`. - `dd: optional boolean` Set to false to enable downloading (true disables it). Only applies when `version == "v1"`. - `dk: optional boolean` Set to false to enable keyboard usage (true disables it). Only applies when `version == "v1"`. - `download: optional "enabled" or "disabled" or "remote_only"` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `"remote_only"` - `dp: optional boolean` Set to false to enable printing (true disables it). Only applies when `version == "v1"`. - `du: optional boolean` Set to false to enable uploading (true disables it). Only applies when `version == "v1"`. - `keyboard: optional "enabled" or "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `paste: optional "enabled" or "disabled" or "remote_only"` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
- `"enabled"` - `"disabled"` - `"remote_only"` - `printing: optional "enabled" or "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `upload: optional "enabled" or "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`. - `"enabled"` - `"disabled"` - `version: optional "v1" or "v2"` Indicate which version of the browser isolation controls should apply. - `"v1"` - `"v2"` - `block_page: optional { target_uri, include_context }` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context: optional boolean` Specify whether to pass the context information as query parameters. - `block_page_enabled: optional boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`. - `block_reason: optional string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`. - `bypass_parent_rule: optional boolean` Set to enable MSP child accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `check_session: optional { duration, enforce }` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `duration: optional string` Sets the required session freshness threshold. The API returns a normalized version of this value. - `enforce: optional boolean` Enable session enforcement. - `dns_resolvers: optional { ipv4, ipv6 }` Configure custom resolvers to route queries that match the resolver policy. Unused with the `resolve_dns_through_cloudflare` or `resolve_dns_internally` settings.
DNS queries get routed to the address closest to their origin. Only valid when a rule's action is set to `resolve`. Settable only for `dns_resolver` rules. - `ipv4: optional array of DNSResolverSettingsV4` - `ip: string` Specify the IPv4 address of the upstream resolver. - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set. - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted. - `ipv6: optional array of DNSResolverSettingsV6` - `ip: string` Specify the IPv6 address of the upstream resolver. - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set. - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted. - `egress: optional { ipv4, ipv4_fallback, ipv6 }` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. - `ipv4: optional string` Specify the IPv4 address to use for egress. - `ipv4_fallback: optional string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs. - `ipv6: optional string` Specify the IPv6 range to use for egress. - `forensic_copy: optional { enabled }` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `enabled: optional boolean` Enable sending the copy to storage.
- `ignore_cname_category_matches: optional boolean` Ignore category matches at CNAME domains in a response. When off, the categories in this rule are evaluated against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `insecure_disable_dnssec_validation: optional boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules. - `ip_categories: optional boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `ip_indicator_feeds: optional boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `l4override: optional { ip, port }` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `ip: optional string` Defines the IPv4 or IPv6 address. - `port: optional number` Defines a port number to use for TCP/UDP overrides. - `notification_settings: optional { enabled, include_context, msg, support_url }` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`. - `enabled: optional boolean` Enable the notification. - `include_context: optional boolean` Indicates whether to pass the context information as query parameters. - `msg: optional string` Customize the message shown in the notification. - `support_url: optional string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. - `override_host: optional string` Defines the hostname to use as the override for matching DNS queries. Settable only for `dns` rules with the action set to `override`.
- `override_ips: optional array of string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `payload_log: optional { enabled }` Configure DLP payload logging. Settable only for `http` rules. - `enabled: optional boolean` Enable DLP payload logging for this rule. - `quarantine: optional { file_types }` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `file_types: optional array of "exe" or "pdf" or "doc" or 10 more` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect: optional { target_uri, include_context, preserve_path_and_query }` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context: optional boolean` Specify whether to pass the context information as query parameters. - `preserve_path_and_query: optional boolean` Specify whether to append the path and query parameters from the original request to target_uri. - `resolve_dns_internally: optional { fallback, view_id }` Configure the rule to forward the query to the internal DNS service, passing the specified 'view_id' as input. Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when the rule's action is set to 'resolve'. Settable only for `dns_resolver` rules. - `fallback: optional "none" or "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `"none"` - `"public_dns"` - `view_id: optional string` Specify the internal DNS view identifier to pass to the internal DNS service.
- `resolve_dns_through_cloudflare: optional boolean` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when the rule's action is set to 'resolve'. Settable only for `dns_resolver` rules. - `untrusted_cert: optional { action }` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `action: optional "pass_through" or "block" or "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526. `pass_through` sends the request on despite the failed certificate check, so scope it to a narrow traffic selector rather than a broad Allow rule. - `"pass_through"` - `"block"` - `"error"` - `schedule: optional Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri: optional string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `mon: optional string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sat: optional string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sun: optional string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays.
The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `thu: optional string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `time_zone: optional string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. Use the IANA key exactly as listed, for example `America/New_York`. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address; if that address does not resolve to a location, the time zone of the Cloudflare data center (colo) handling the query is used. - `tue: optional string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `wed: optional string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sharable: optional boolean` Indicate that this rule is sharable via the Orgs API. - `source_account: optional string` Provide the account tag of the account that created the rule. - `updated_at: optional string` - `version: optional number` Indicate the version number of the rule (read-only). - `warning_status: optional string` Indicate a warning for a misconfigured rule, if any.
- `result_info: optional { count, page, per_page, total_count }` - `count: optional number` Indicate the total number of results for the requested service. - `page: optional number` Indicate the current page within a paginated list of results. - `per_page: optional number` Indicate the number of results per page. - `total_count: optional number` Indicate the total results available without any search parameters. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules/tenant \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "action": "allow", "enabled": true, "filters": [ "http" ], "name": "block bad websites", "precedence": 0, "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10", "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2014-01-01T05:20:00.12345Z", "deleted_at": "2019-12-27T18:11:19.117Z", "description": "Block bad websites based on their host name.", "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})", "expiration": { "expires_at": "2014-01-01T05:20:20Z", "duration": 10, "expired": false }, "identity": "any(identity.groups.name[*] in {\"finance\"})", "read_only": true, "rule_settings": { "add_headers": { "My-Next-Header": [ "foo", "bar" ], "X-Custom-Header-Name": [ "somecustomvalue" ] }, "allow_child_bypass": false, "audit_ssh": { "command_logging": false }, "biso_admin_controls": { "copy": "remote_only", "dcp": true, "dd": true, "dk": true, "download": "enabled", "dp": false, "du": true, "keyboard": "enabled", "paste": "enabled", "printing": "enabled", "upload": 
"enabled", "version": "v1" }, "block_page": { "target_uri": "https://example.com", "include_context": true }, "block_page_enabled": true, "block_reason": "This website is a security risk", "bypass_parent_rule": false, "check_session": { "duration": "300s", "enforce": true }, "dns_resolvers": { "ipv4": [ { "ip": "2.2.2.2", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ], "ipv6": [ { "ip": "2001:DB8::", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ] }, "egress": { "ipv4": "192.0.2.2", "ipv4_fallback": "192.0.2.3", "ipv6": "2001:DB8::/64" }, "forensic_copy": { "enabled": true }, "ignore_cname_category_matches": true, "insecure_disable_dnssec_validation": false, "ip_categories": true, "ip_indicator_feeds": true, "l4override": { "ip": "1.1.1.1", "port": 0 }, "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" }, "override_host": "example.com", "override_ips": [ "1.1.1.1", "2.2.2.2" ], "payload_log": { "enabled": true }, "quarantine": { "file_types": [ "exe" ] }, "redirect": { "target_uri": "https://example.com", "include_context": true, "preserve_path_and_query": true }, "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" }, "resolve_dns_through_cloudflare": true, "untrusted_cert": { "action": "error" } }, "schedule": { "fri": "08:00-12:30,13:30-17:00", "mon": "08:00-12:30,13:30-17:00", "sat": "08:00-12:30,13:30-17:00", "sun": "08:00-12:30,13:30-17:00", "thu": "08:00-12:30,13:30-17:00", "time_zone": "America/New York", "tue": "08:00-12:30,13:30-17:00", "wed": "08:00-12:30,13:30-17:00" }, "sharable": true, "source_account": "source_account", "updated_at": "2014-01-01T05:20:00.12345Z", "version": 1, "warning_status": "warning_status" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 } } ``` ## Reset the expiration of a Zero Trust Gateway Rule 
**post** `/accounts/{account_id}/gateway/rules/{rule_id}/reset_expiration` Resets the expiration of a Zero Trust Gateway Rule once its expiry has elapsed, provided the rule has a default duration. The Zero Trust Gateway Rule must have values for both `expiration.expires_at` and `expiration.duration`. ### Path Parameters - `account_id: string` - `rule_id: string` Identify the API resource with a UUID. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `success: true` Indicate whether the API call was successful. - `true` - `result: optional GatewayRule` - `action: "on" or "off" or "allow" or 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to `true`. - `"on"` - `"off"` - `"allow"` - `"block"` - `"scan"` - `"noscan"` - `"safesearch"` - `"ytrestricted"` - `"isolate"` - `"noisolate"` - `"override"` - `"l4_override"` - `"egress"` - `"resolve"` - `"quarantine"` - `"redirect"` - `enabled: boolean` Specify whether the rule is enabled. - `filters: array of GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` - `name: string` Specify the rule name. - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, Gateway evaluates applicable rules in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
- `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `id: optional string` Identify the API resource with a UUID. - `created_at: optional string` - `deleted_at: optional string` Indicate the date of deletion, if any. - `description: optional string` Specify the rule description. - `device_posture: optional string` Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `expiration: optional { expires_at, duration, expired }` Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules. - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified expires_at time. - `duration: optional number` Defines, in minutes, the default duration for which the policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule. - `expired: optional boolean` Indicates whether the policy is expired. - `identity: optional string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response. - `read_only: optional boolean` Indicate that this rule is shared via the Orgs API and read only.
- `rule_settings: optional RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift. - `add_headers: optional map[array of string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`. - `allow_child_bypass: optional boolean` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules. - `audit_ssh: optional { command_logging }` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action. - `command_logging: optional boolean` Enable SSH command logging. - `biso_admin_controls: optional { copy, dcp, dd, 9 more }` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`. - `copy: optional "enabled" or "disabled" or "remote_only"` Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `dcp: optional boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`. - `dd: optional boolean` Set to false to enable downloading. Only applies when `version == "v1"`. - `dk: optional boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`. - `download: optional "enabled" or "disabled" or "remote_only"` Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
- `"enabled"` - `"disabled"` - `"remote_only"` - `dp: optional boolean` Set to false to enable printing. Only applies when `version == "v1"`. - `du: optional boolean` Set to false to enable uploading. Only applies when `version == "v1"`. - `keyboard: optional "enabled" or "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `paste: optional "enabled" or "disabled" or "remote_only"` Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `"remote_only"` - `printing: optional "enabled" or "disabled"` Configure print behavior. By default, printing is enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `upload: optional "enabled" or "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when version == "v2". - `"enabled"` - `"disabled"` - `version: optional "v1" or "v2"` Indicate which version of the browser isolation controls should apply. - `"v1"` - `"v2"` - `block_page: optional { target_uri, include_context }` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context: optional boolean` Specify whether to pass the context information as query parameters. - `block_page_enabled: optional boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`. - `block_reason: optional string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
- `bypass_parent_rule: optional boolean` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules. - `check_session: optional { duration, enforce }` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`. - `duration: optional string` Sets the required session freshness threshold. The API returns a normalized version of this value. - `enforce: optional boolean` Enable session enforcement. - `dns_resolvers: optional { ipv4, ipv6 }` Configure custom resolvers to route queries that match the resolver policy. Cannot be combined with the 'resolve_dns_through_cloudflare' or 'resolve_dns_internally' settings. DNS queries get routed to the address closest to their origin. Only valid when the rule's action is set to 'resolve'. Settable only for `dns_resolver` rules. - `ipv4: optional array of DNSResolverSettingsV4` - `ip: string` Specify the IPv4 address of the upstream resolver. - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set. - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted. - `ipv6: optional array of DNSResolverSettingsV6` - `ip: string` Specify the IPv6 address of the upstream resolver. - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set. - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted. - `egress: optional { ipv4, ipv4_fallback, ipv6 }` Configure how Gateway Proxy traffic egresses.
You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules. - `ipv4: optional string` Specify the IPv4 address to use for egress. - `ipv4_fallback: optional string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set '0.0.0.0' to indicate local egress via WARP IPs. - `ipv6: optional string` Specify the IPv6 range to use for egress. - `forensic_copy: optional { enabled }` Configure whether a copy of the HTTP request will be sent to storage when the rule matches. - `enabled: optional boolean` Enable sending the copy to storage. - `ignore_cname_category_matches: optional boolean` Ignore category matches at CNAME domains in a response. When off, Gateway evaluates the categories in this rule against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules. - `insecure_disable_dnssec_validation: optional boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. With validation disabled, answers that fail DNSSEC checks are returned to the client instead of being rejected, so leave this unset unless you deliberately need to allow a domain whose DNSSEC is broken. Settable only for `dns` rules. - `ip_categories: optional boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules. - `ip_indicator_feeds: optional boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules. - `l4override: optional { ip, port }` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`. - `ip: optional string` Defines the IPv4 or IPv6 address. - `port: optional number` Defines a port number to use for TCP/UDP overrides. - `notification_settings: optional { enabled, include_context, msg, support_url }` Configure a notification to display on the user's device when this rule matches.
Settable for all types of rules with the action set to `block`. - `enabled: optional boolean` Enable notification. - `include_context: optional boolean` Indicates whether to pass the context information as query parameters. - `msg: optional string` Customize the message shown in the notification. - `support_url: optional string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page. - `override_host: optional string` Defines the hostname used to override matching DNS queries. Settable only for `dns` rules with the action set to `override`. - `override_ips: optional array of string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`. - `payload_log: optional { enabled }` Configure DLP payload logging. Settable only for `http` rules. - `enabled: optional boolean` Enable DLP payload logging for this rule. - `quarantine: optional { file_types }` Configure settings that apply to quarantine rules. Settable only for `http` rules. - `file_types: optional array of "exe" or "pdf" or "doc" or 10 more` Specify the types of files to sandbox. - `"exe"` - `"pdf"` - `"doc"` - `"docm"` - `"docx"` - `"rtf"` - `"ppt"` - `"pptx"` - `"xls"` - `"xlsm"` - `"xlsx"` - `"zip"` - `"rar"` - `redirect: optional { target_uri, include_context, preserve_path_and_query }` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`. - `target_uri: string` Specify the URI to which the user is redirected. - `include_context: optional boolean` Specify whether to pass the context information as query parameters. - `preserve_path_and_query: optional boolean` Specify whether to append the path and query parameters from the original request to target_uri. - `resolve_dns_internally: optional { fallback, view_id }` Configure the rule to forward the query to the internal DNS service, passing the specified 'view_id' as input.
Not used when 'dns_resolvers' is specified or 'resolve_dns_through_cloudflare' is set. Only valid when the rule's action is set to 'resolve'. Settable only for `dns_resolver` rules. - `fallback: optional "none" or "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from 'NOERROR' or when the response data contains only CNAME records for 'A' or 'AAAA' queries. - `"none"` - `"public_dns"` - `view_id: optional string` Specify the internal DNS view identifier to pass to the internal DNS service. - `resolve_dns_through_cloudflare: optional boolean` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when 'dns_resolvers' is specified or 'resolve_dns_internally' is set. Only valid when the rule's action is set to 'resolve'. Settable only for `dns_resolver` rules. - `untrusted_cert: optional { action }` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`. - `action: optional "pass_through" or "block" or "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526. `pass_through` sends the request on despite the failed certificate check, so scope it to a narrow traffic selector rather than a broad Allow rule. - `"pass_through"` - `"block"` - `"error"` - `schedule: optional Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules. - `fri: optional string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `mon: optional string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays.
The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sat: optional string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sun: optional string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `thu: optional string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `time_zone: optional string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. Use the IANA key exactly as listed, for example `America/New_York`. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address; if that address does not resolve to a location, the time zone of the Cloudflare data center (colo) handling the query is used. - `tue: optional string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `wed: optional string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays.
The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used. - `sharable: optional boolean` Indicate that this rule is sharable via the Orgs API. - `source_account: optional string` Provide the account tag of the account that created the rule. - `updated_at: optional string` - `version: optional number` Indicate the version number of the rule (read-only). - `warning_status: optional string` Indicate a warning for a misconfigured rule, if any. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/rules/$RULE_ID/reset_expiration \ -X POST \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "action": "allow", "enabled": true, "filters": [ "http" ], "name": "block bad websites", "precedence": 0, "traffic": "http.request.uri matches \".*a/partial/uri.*\" and http.request.host in $01302951-49f9-47c9-a400-0297e60b6a10", "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "created_at": "2014-01-01T05:20:00.12345Z", "deleted_at": "2019-12-27T18:11:19.117Z", "description": "Block bad websites based on their host name.", "device_posture": "any(device_posture.checks.passed[*] in {\"1308749e-fcfb-4ebc-b051-fe022b632644\"})", "expiration": { "expires_at": "2014-01-01T05:20:20Z", "duration": 10, "expired": false }, "identity": "any(identity.groups.name[*] in {\"finance\"})", "read_only": true, "rule_settings": { "add_headers": { "My-Next-Header": [ "foo", "bar" ], "X-Custom-Header-Name": [ "somecustomvalue" ] }, "allow_child_bypass": false, "audit_ssh": { "command_logging": false }, "biso_admin_controls": { "copy": "remote_only", "dcp": true, "dd": true, "dk": true, "download":
"enabled", "dp": false, "du": true, "keyboard": "enabled", "paste": "enabled", "printing": "enabled", "upload": "enabled", "version": "v1" }, "block_page": { "target_uri": "https://example.com", "include_context": true }, "block_page_enabled": true, "block_reason": "This website is a security risk", "bypass_parent_rule": false, "check_session": { "duration": "300s", "enforce": true }, "dns_resolvers": { "ipv4": [ { "ip": "2.2.2.2", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ], "ipv6": [ { "ip": "2001:DB8::", "port": 5053, "route_through_private_network": true, "vnet_id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } ] }, "egress": { "ipv4": "192.0.2.2", "ipv4_fallback": "192.0.2.3", "ipv6": "2001:DB8::/64" }, "forensic_copy": { "enabled": true }, "ignore_cname_category_matches": true, "insecure_disable_dnssec_validation": false, "ip_categories": true, "ip_indicator_feeds": true, "l4override": { "ip": "1.1.1.1", "port": 0 }, "notification_settings": { "enabled": true, "include_context": true, "msg": "msg", "support_url": "support_url" }, "override_host": "example.com", "override_ips": [ "1.1.1.1", "2.2.2.2" ], "payload_log": { "enabled": true }, "quarantine": { "file_types": [ "exe" ] }, "redirect": { "target_uri": "https://example.com", "include_context": true, "preserve_path_and_query": true }, "resolve_dns_internally": { "fallback": "none", "view_id": "view_id" }, "resolve_dns_through_cloudflare": true, "untrusted_cert": { "action": "error" } }, "schedule": { "fri": "08:00-12:30,13:30-17:00", "mon": "08:00-12:30,13:30-17:00", "sat": "08:00-12:30,13:30-17:00", "sun": "08:00-12:30,13:30-17:00", "thu": "08:00-12:30,13:30-17:00", "time_zone": "America/New York", "tue": "08:00-12:30,13:30-17:00", "wed": "08:00-12:30,13:30-17:00" }, "sharable": true, "source_account": "source_account", "updated_at": "2014-01-01T05:20:00.12345Z", "version": 1, "warning_status": "warning_status" } } ``` ## Domain Types ### DNS 
Resolver Settings V4 - `DNSResolverSettingsV4 { ip, port, route_through_private_network, vnet_id }` - `ip: string` Specify the IPv4 address of the upstream resolver. - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. ### DNS Resolver Settings V6 - `DNSResolverSettingsV6 { ip, port, route_through_private_network, vnet_id }` - `ip: string` Specify the IPv6 address of the upstream resolver. - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified. - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must set when vnet_id set. - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses default virtual network id if omitted. ### Gateway Filter - `GatewayFilter = "http" or "dns" or "l4" or 2 more` Specify the protocol or layer to use. - `"http"` - `"dns"` - `"l4"` - `"egress"` - `"dns_resolver"` ### Gateway Rule - `GatewayRule { action, enabled, filters, 18 more }` - `action: "on" or "off" or "allow" or 13 more` Specify the action to perform when the associated traffic, identity, and device posture expressions either absent or evaluate to `true`. - `"on"` - `"off"` - `"allow"` - `"block"` - `"scan"` - `"noscan"` - `"safesearch"` - `"ytrestricted"` - `"isolate"` - `"noisolate"` - `"override"` - `"l4_override"` - `"egress"` - `"resolve"` - `"quarantine"` - `"redirect"` - `enabled: boolean` Specify whether the rule is enabled. - `filters: array of GatewayFilter` Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value. 
    - `"http"`
    - `"dns"`
    - `"l4"`
    - `"egress"`
    - `"dns_resolver"`
  - `name: string` Specify the rule name.
  - `precedence: number` Set the order of your rules. Lower values indicate higher precedence. At each processing phase, applicable rules are evaluated in ascending order of this value. Refer to [Order of enforcement](http://developers.cloudflare.com/learning-paths/secure-internet-traffic/understand-policies/order-of-enforcement/#manage-precedence-with-terraform) to manage precedence via Terraform.
  - `traffic: string` Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `id: optional string` Identify the API resource with a UUID.
  - `created_at: optional string`
  - `deleted_at: optional string` Indicate the date of deletion, if any.
  - `description: optional string` Specify the rule description.
  - `device_posture: optional string` Specify the wirefilter expression used for the device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `expiration: optional { expires_at, duration, expired }` Defines the expiration timestamp and default duration of a DNS policy. Takes precedence over the policy's `schedule` configuration, if any. This does not apply to HTTP or network policies. Settable only for `dns` rules.
    - `expires_at: string` Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client time zones and expire globally at the specified `expires_at` time.
    - `duration: optional number` Defines the default duration, in minutes, for which the policy is active. Must be set in order to use the `reset_expiration` endpoint on this rule.
    - `expired: optional boolean` Indicates whether the policy is expired.
  - `identity: optional string` Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
  - `read_only: optional boolean` Indicate that this rule is shared via the Orgs API and is read-only.
  - `rule_settings: optional RuleSetting` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
    - `add_headers: optional map[array of string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
    - `allow_child_bypass: optional boolean` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
    - `audit_ssh: optional { command_logging }` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
      - `command_logging: optional boolean` Enable SSH command logging.
    - `biso_admin_controls: optional { copy, dcp, dd, 9 more }` Configure browser isolation behavior. Settable only for `http` rules with the action set to `isolate`.
      - `copy: optional "enabled" or "disabled" or "remote_only"` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dcp: optional boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
      - `dd: optional boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
      - `dk: optional boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
      - `download: optional "enabled" or "disabled" or "remote_only"` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `dp: optional boolean` Set to false to enable printing. Only applies when `version == "v1"`.
      - `du: optional boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
      - `keyboard: optional "enabled" or "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `paste: optional "enabled" or "disabled" or "remote_only"` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
        - `"remote_only"`
      - `printing: optional "enabled" or "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `upload: optional "enabled" or "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
        - `"enabled"`
        - `"disabled"`
      - `version: optional "v1" or "v2"` Indicate which version of the browser isolation controls should apply.
        - `"v1"`
        - `"v2"`
    - `block_page: optional { target_uri, include_context }` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
    - `block_page_enabled: optional boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
    - `block_reason: optional string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
    - `bypass_parent_rule: optional boolean` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
    - `check_session: optional { duration, enforce }` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
      - `duration: optional string` Sets the required session freshness threshold. The API returns a normalized version of this value.
      - `enforce: optional boolean` Enable session enforcement.
    - `dns_resolvers: optional { ipv4, ipv6 }` Configure custom resolvers to route queries that match the resolver policy. Not used together with the `resolve_dns_through_cloudflare` or `resolve_dns_internally` settings. DNS queries are routed to the address closest to their origin. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `ipv4: optional array of DNSResolverSettingsV4`
        - `ip: string` Specify the IPv4 address of the upstream resolver.
        - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
      - `ipv6: optional array of DNSResolverSettingsV6`
        - `ip: string` Specify the IPv6 address of the upstream resolver.
        - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
        - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
        - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
    - `egress: optional { ipv4, ipv4_fallback, ipv6 }` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
      - `ipv4: optional string` Specify the IPv4 address to use for egress.
      - `ipv4_fallback: optional string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs.
      - `ipv6: optional string` Specify the IPv6 range to use for egress.
    - `forensic_copy: optional { enabled }` Configure whether a copy of the HTTP request is sent to storage when the rule matches.
      - `enabled: optional boolean` Enable sending the copy to storage.
    - `ignore_cname_category_matches: optional boolean` Ignore category matches at CNAME domains in a response. When off, the categories in this rule are evaluated against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
    - `insecure_disable_dnssec_validation: optional boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
    - `ip_categories: optional boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
    - `ip_indicator_feeds: optional boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
    - `l4override: optional { ip, port }` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
      - `ip: optional string` Defines the IPv4 or IPv6 address.
      - `port: optional number` Defines a port number to use for TCP/UDP overrides.
    - `notification_settings: optional { enabled, include_context, msg, support_url }` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
      - `enabled: optional boolean` Enable the notification.
      - `include_context: optional boolean` Indicates whether to pass the context information as query parameters.
      - `msg: optional string` Customize the message shown in the notification.
      - `support_url: optional string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
    - `override_host: optional string` Defines the hostname that matching DNS queries are overridden with. Settable only for `dns` rules with the action set to `override`.
    - `override_ips: optional array of string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
    - `payload_log: optional { enabled }` Configure DLP payload logging. Settable only for `http` rules.
      - `enabled: optional boolean` Enable DLP payload logging for this rule.
    - `quarantine: optional { file_types }` Configure settings that apply to quarantine rules. Settable only for `http` rules.
      - `file_types: optional array of "exe" or "pdf" or "doc" or 10 more` Specify the types of files to sandbox.
        - `"exe"`
        - `"pdf"`
        - `"doc"`
        - `"docm"`
        - `"docx"`
        - `"rtf"`
        - `"ppt"`
        - `"pptx"`
        - `"xls"`
        - `"xlsm"`
        - `"xlsx"`
        - `"zip"`
        - `"rar"`
    - `redirect: optional { target_uri, include_context, preserve_path_and_query }` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
      - `target_uri: string` Specify the URI to which the user is redirected.
      - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
      - `preserve_path_and_query: optional boolean` Specify whether to append the path and query parameters from the original request to `target_uri`.
    - `resolve_dns_internally: optional { fallback, view_id }` Configure to forward the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
      - `fallback: optional "none" or "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
        - `"none"`
        - `"public_dns"`
      - `view_id: optional string` Specify the internal DNS view identifier to pass to the internal DNS service.
    - `resolve_dns_through_cloudflare: optional boolean` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `untrusted_cert: optional { action }` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
      - `action: optional "pass_through" or "block" or "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
        - `"pass_through"`
        - `"block"`
        - `"error"`
  - `schedule: optional Schedule` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
    - `fri: optional string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `mon: optional string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sat: optional string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `sun: optional string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `thu: optional string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `time_zone: optional string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The Cloudflare data center (colo) time zone is used when the user's IP address does not resolve to a location.
    - `tue: optional string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
    - `wed: optional string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sharable: optional boolean` Indicate that this rule is sharable via the Orgs API.
  - `source_account: optional string` Provide the account tag of the account that created the rule.
  - `updated_at: optional string`
  - `version: optional number` Indicate the version number of the rule (read-only).
  - `warning_status: optional string` Indicate a warning for a misconfigured rule, if any.

### Rule Setting

- `RuleSetting { add_headers, allow_child_bypass, audit_ssh, 23 more }` Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
  - `add_headers: optional map[array of string]` Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for `http` rules with the action set to `allow`.
  - `allow_child_bypass: optional boolean` Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
  - `audit_ssh: optional { command_logging }` Define the settings for the Audit SSH action. Settable only for `l4` rules with the `audit_ssh` action.
    - `command_logging: optional boolean` Enable SSH command logging.
  - `biso_admin_controls: optional { copy, dcp, dd, 9 more }` Configure browser isolation behavior.
Settable only for `http` rules with the action set to `isolate`.
    - `copy: optional "enabled" or "disabled" or "remote_only"` Configure copy behavior. If set to `remote_only`, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dcp: optional boolean` Set to false to enable copy-pasting. Only applies when `version == "v1"`.
    - `dd: optional boolean` Set to false to enable downloading. Only applies when `version == "v1"`.
    - `dk: optional boolean` Set to false to enable keyboard usage. Only applies when `version == "v1"`.
    - `download: optional "enabled" or "disabled" or "remote_only"` Configure download behavior. When set to `remote_only`, users can view downloads but cannot save them. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `dp: optional boolean` Set to false to enable printing. Only applies when `version == "v1"`.
    - `du: optional boolean` Set to false to enable uploading. Only applies when `version == "v1"`.
    - `keyboard: optional "enabled" or "disabled"` Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `paste: optional "enabled" or "disabled" or "remote_only"` Configure paste behavior. If set to `remote_only`, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
      - `"remote_only"`
    - `printing: optional "enabled" or "disabled"` Configure print behavior. By default, printing is enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `upload: optional "enabled" or "disabled"` Configure upload behavior. If this field is absent, uploading remains enabled. Applies only when `version == "v2"`.
      - `"enabled"`
      - `"disabled"`
    - `version: optional "v1" or "v2"` Indicate which version of the browser isolation controls should apply.
      - `"v1"`
      - `"v2"`
  - `block_page: optional { target_uri, include_context }` Configure custom block page settings. If missing or null, the account settings are used. Settable only for `http` rules with the action set to `block`.
    - `target_uri: string` Specify the URI to which the user is redirected.
    - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
  - `block_page_enabled: optional boolean` Enable the custom block page. Settable only for `dns` rules with the action set to `block`.
  - `block_reason: optional string` Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for `dns`, `l4`, and `http` rules when the action is set to `block`.
  - `bypass_parent_rule: optional boolean` Set to enable MSP accounts to bypass their parent's rules. Only MSP child accounts can set this. Settable for all types of rules.
  - `check_session: optional { duration, enforce }` Configure session check behavior. Settable only for `l4` and `http` rules with the action set to `allow`.
    - `duration: optional string` Sets the required session freshness threshold. The API returns a normalized version of this value.
    - `enforce: optional boolean` Enable session enforcement.
  - `dns_resolvers: optional { ipv4, ipv6 }` Configure custom resolvers to route queries that match the resolver policy. Not used together with the `resolve_dns_through_cloudflare` or `resolve_dns_internally` settings. DNS queries are routed to the address closest to their origin. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `ipv4: optional array of DNSResolverSettingsV4`
      - `ip: string` Specify the IPv4 address of the upstream resolver.
      - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
    - `ipv6: optional array of DNSResolverSettingsV6`
      - `ip: string` Specify the IPv6 address of the upstream resolver.
      - `port: optional number` Specify a port number to use for the upstream resolver. Defaults to 53 if unspecified.
      - `route_through_private_network: optional boolean` Indicate whether to connect to this resolver over a private network. Must be set when `vnet_id` is set.
      - `vnet_id: optional string` Specify an optional virtual network for this resolver. Uses the default virtual network ID if omitted.
  - `egress: optional { ipv4, ipv4_fallback, ipv6 }` Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for `egress` rules.
    - `ipv4: optional string` Specify the IPv4 address to use for egress.
    - `ipv4_fallback: optional string` Specify the fallback IPv4 address to use for egress when the primary IPv4 fails. Set `0.0.0.0` to indicate local egress via WARP IPs.
    - `ipv6: optional string` Specify the IPv6 range to use for egress.
  - `forensic_copy: optional { enabled }` Configure whether a copy of the HTTP request is sent to storage when the rule matches.
    - `enabled: optional boolean` Enable sending the copy to storage.
  - `ignore_cname_category_matches: optional boolean` Ignore category matches at CNAME domains in a response. When off, the categories in this rule are evaluated against all CNAME domain categories in the response. Settable only for `dns` and `dns_resolver` rules.
  - `insecure_disable_dnssec_validation: optional boolean` Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for `dns` rules.
  - `ip_categories: optional boolean` Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for `dns` and `dns_resolver` rules.
  - `ip_indicator_feeds: optional boolean` Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for `dns` and `dns_resolver` rules.
  - `l4override: optional { ip, port }` Send matching traffic to the supplied destination IP address and port. Settable only for `l4` rules with the action set to `l4_override`.
    - `ip: optional string` Defines the IPv4 or IPv6 address.
    - `port: optional number` Defines a port number to use for TCP/UDP overrides.
  - `notification_settings: optional { enabled, include_context, msg, support_url }` Configure a notification to display on the user's device when this rule matches. Settable for all types of rules with the action set to `block`.
    - `enabled: optional boolean` Enable the notification.
    - `include_context: optional boolean` Indicates whether to pass the context information as query parameters.
    - `msg: optional string` Customize the message shown in the notification.
    - `support_url: optional string` Defines an optional URL to direct users to additional information. If unset, the notification opens a block page.
  - `override_host: optional string` Defines the hostname that matching DNS queries are overridden with. Settable only for `dns` rules with the action set to `override`.
  - `override_ips: optional array of string` Defines an IP or set of IPs for overriding matched DNS queries. Settable only for `dns` rules with the action set to `override`.
  - `payload_log: optional { enabled }` Configure DLP payload logging. Settable only for `http` rules.
    - `enabled: optional boolean` Enable DLP payload logging for this rule.
  - `quarantine: optional { file_types }` Configure settings that apply to quarantine rules. Settable only for `http` rules.
    - `file_types: optional array of "exe" or "pdf" or "doc" or 10 more` Specify the types of files to sandbox.
      - `"exe"`
      - `"pdf"`
      - `"doc"`
      - `"docm"`
      - `"docx"`
      - `"rtf"`
      - `"ppt"`
      - `"pptx"`
      - `"xls"`
      - `"xlsm"`
      - `"xlsx"`
      - `"zip"`
      - `"rar"`
  - `redirect: optional { target_uri, include_context, preserve_path_and_query }` Apply settings to redirect rules. Settable only for `http` rules with the action set to `redirect`.
    - `target_uri: string` Specify the URI to which the user is redirected.
    - `include_context: optional boolean` Specify whether to pass the context information as query parameters.
    - `preserve_path_and_query: optional boolean` Specify whether to append the path and query parameters from the original request to `target_uri`.
  - `resolve_dns_internally: optional { fallback, view_id }` Configure to forward the query to the internal DNS service, passing the specified `view_id` as input. Not used when `dns_resolvers` is specified or `resolve_dns_through_cloudflare` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
    - `fallback: optional "none" or "public_dns"` Specify the fallback behavior to apply when the internal DNS response code differs from `NOERROR` or when the response data contains only CNAME records for `A` or `AAAA` queries.
      - `"none"`
      - `"public_dns"`
    - `view_id: optional string` Specify the internal DNS view identifier to pass to the internal DNS service.
  - `resolve_dns_through_cloudflare: optional boolean` Enable to send queries that match the policy to Cloudflare's default 1.1.1.1 DNS resolver. Cannot be set when `dns_resolvers` is specified or `resolve_dns_internally` is set. Only valid when the rule's action is set to `resolve`. Settable only for `dns_resolver` rules.
  - `untrusted_cert: optional { action }` Configure behavior when an upstream certificate is invalid or an SSL error occurs. Settable only for `http` rules with the action set to `allow`.
    - `action: optional "pass_through" or "block" or "error"` Defines the action performed when an untrusted certificate is seen. The default action is an error with HTTP code 526.
      - `"pass_through"`
      - `"block"`
      - `"error"`

### Schedule

- `Schedule { fri, mon, sat, 5 more }` Defines the schedule for activating DNS policies. Settable only for `dns` and `dns_resolver` rules.
  - `fri: optional string` Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `mon: optional string` Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sat: optional string` Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `sun: optional string` Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `thu: optional string` Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `time_zone: optional string` Specify the time zone for rule evaluation. When a [valid time zone city name](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List) is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user's IP address. The Cloudflare data center (colo) time zone is used when the user's IP address does not resolve to a location.
  - `tue: optional string` Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
  - `wed: optional string` Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.

### Rule Delete Response

- `RuleDeleteResponse = unknown`

# Certificates

## List Zero Trust certificates

**get** `/accounts/{account_id}/gateway/certificates`

List all Zero Trust certificates for an account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional array of { id, binding_status, certificate, 9 more }`
  - `id: optional string` Identify the certificate with a UUID.
  - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the `available` (previously called `active`) state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: optional string` Provide the CA certificate (read-only).
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate`.
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type: BYO-PKI (`custom`) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Indicate the total number of results for the requested service.
  - `page: optional number` Indicate the current page within a paginated list of results.
  - `per_page: optional number` Indicate the number of results per page.
  - `total_count: optional number` Indicate the total results available without any search parameters.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "binding_status": "pending_deployment",
      "certificate": "-----BEGIN CERTIFICATE-----\n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\n-----END CERTIFICATE-----\n",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
      "in_use": true,
      "issuer_org": "Example Inc.",
      "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
      "type": "gateway_managed",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "uploaded_on": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get Zero Trust certificate details

**get** `/accounts/{account_id}/gateway/certificates/{certificate_id}`

Get a single Zero Trust certificate.

### Path Parameters

- `account_id: string`
- `certificate_id: string` Identify the certificate with a UUID.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { id, binding_status, certificate, 9 more }`
  - `id: optional string` Identify the certificate with a UUID.
  - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: optional string` Provide the CA certificate (read-only).
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIDmDCCAoCgAwIBAgIUKTOAZNjcXVZRj4oQt0SHsl1c1vMwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjAgFw0yMjExMjIxNjU5NDdaGA8yMTIyMTAyOTE2NTk0N1owUTELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDVNhbiBGcmFuY2lzY28xEzARBgNVBAcMCkNhbGlmb3JuaWExFTATBgNVBAoMDEV4YW1wbGUgSW5jLjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMRcORwgJFTdcG/2GKI+cFYiOBNDKjCZUXEOvXWY42BkH9wxiMT869CO+enA1w5pIrXow6kCM1sQspHHaVmJUlotEMJxyoLFfA/8Kt1EKFyobOjuZs2SwyVyJ2sStvQuUQEosULZCNGZEqoH5g6zhMPxaxm7ZLrrsDZ9maNGVqo7EWLWHrZ57Q/5MtTrbxQL+eXjUmJ9K3kS+3uEwMdqR6Z3BluU1ivanpPc1CN2GNhdO0/hSY4YkGEnuLsqJyDd3cIiB1MxuCBJ4ZaqOd2viV1WcP3oU3dxVPm4MWyfYIldMWB14FahScxLhWdRnM9YZ/i9IFcLypXsuz7DjrJPtPUCAwEAAaNmMGQwHQYDVR0OBBYEFP5JzLUawNF+c3AXsYTEWHh7z2czMB8GA1UdIwQYMBaAFP5JzLUawNF+c3AXsYTEWHh7z2czMA4GA1UdDwEB/wQEAwIBBjASBgNVHRMBAf8ECDAGAQH/AgEBMA0GCSqGSIb3DQEBCwUAA4IBAQBc+Be7NDhpE09y7hLPZGRPl1cSKBw4RI0XIv6rlbSTFs5EebpTGjhx/whNxwEZhB9HZ7111Oa1YlT8xkI9DshB78mjAHCKBAJ76moK8tkG0aqdYpJ4ZcJTVBB7l98Rvgc7zfTii7WemTy72deBbSeiEtXavm4EF0mWjHhQ5Nxpnp00Bqn5g1x8CyTDypgmugnep+xG+iFzNmTdsz7WI9T/7kDMXqB7M/FPWBORyS98OJqNDswCLF8bIZYwUBEe+bRHFomoShMzaC3tvim7WCb16noDkSTMlfKO4pnvKhpcVdSgwcruATV7y+W+Lvmz2OT/Gui4JhqeoTewsxndhDDE\n-----END CERTIFICATE-----\n",
"created_at": "2014-01-01T05:20:00.12345Z", "expires_on": "2014-01-01T05:20:00.12345Z", "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C", "in_use": true, "issuer_org": "Example Inc.", "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US", "type": "gateway_managed", "updated_at": "2014-01-01T05:20:00.12345Z", "uploaded_on": "2014-01-01T05:20:00.12345Z" } } ``` ## Create Zero Trust certificate **post** `/accounts/{account_id}/gateway/certificates` Create a new Zero Trust certificate. ### Path Parameters - `account_id: string` ### Body Parameters - `validity_period_days: optional number` Sets the certificate validity period in days (range: 1-10,950 days / ~30 years). Defaults to 1,825 days (5 years). **Important**: This field is only settable during the certificate creation. Certificates becomes immutable after creation - use the `/activate` and `/deactivate` endpoints to manage certificate lifecycle. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `success: true` Indicate whether the API call was successful. - `true` - `result: optional { id, binding_status, certificate, 9 more }` - `id: optional string` Identify the certificate with a UUID. - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state. - `"pending_deployment"` - `"available"` - `"pending_deletion"` - `"inactive"` - `certificate: optional string` Provide the CA certificate (read-only). 
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\n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\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete Zero Trust certificate
**delete** `/accounts/{account_id}/gateway/certificates/{certificate_id}`

Delete a gateway-managed Zero Trust certificate. You must deactivate the certificate from the edge (inactive) before deleting it.

### Path Parameters

- `account_id: string`
- `certificate_id: string` Identify the certificate with a UUID.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { id, binding_status, certificate, 9 more }`
  - `id: optional string` Identify the certificate with a UUID.
  - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: optional string` Provide the CA certificate (read-only).
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\n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\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Activate a Zero Trust certificate

**post** `/accounts/{account_id}/gateway/certificates/{certificate_id}/activate`

Bind a single Zero Trust certificate to the edge.

### Path Parameters

- `account_id: string`
- `certificate_id: string` Identify the certificate with a UUID.

### Body Parameters

- `body: unknown`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { id, binding_status, certificate, 9 more }`
  - `id: optional string` Identify the certificate with a UUID.
  - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: optional string` Provide the CA certificate (read-only).
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/activate \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{}'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\n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\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Deactivate a Zero Trust certificate

**post** `/accounts/{account_id}/gateway/certificates/{certificate_id}/deactivate`

Unbind a single Zero Trust certificate from the edge.

### Path Parameters

- `account_id: string`
- `certificate_id: string` Identify the certificate with a UUID.
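The create, activate, deactivate and delete endpoints above describe a small state machine: a certificate is only usable for TLS interception once `binding_status` is `available`, a gateway-managed certificate can only be deleted once it is `inactive`, and `validity_period_days` is fixed at creation. The example below, added here and not Cloudflare's own code, encodes those rules as client-side checks and adds the one verification a practitioner should run before pushing a Gateway CA to endpoints: recompute the SHA256 fingerprint from the returned PEM and compare it with the API's `fingerprint` field (note that the sample fingerprint above prints one octet as `0`, so the comparison must normalize). It performs no HTTP itself; `wait_for_state` takes any callable that fetches the certificate record, and the PEM and record below are constructed placeholders, not a real certificate.

```python
"""Client-side checks for the Gateway certificate lifecycle documented above.

Added example, not Cloudflare's own code. It does no HTTP itself: you pass in a
callable that performs GET /accounts/{account_id}/gateway/certificates/{id} and
returns the decoded "result" object. All sample records below are constructed.
"""
import base64
import hashlib
import re
import time
from typing import Callable, Dict, Optional

# Lifecycle facts taken from the endpoint descriptions above.
USABLE_STATE = "available"       # only this binding_status can serve TLS interception
DELETABLE_STATE = "inactive"     # DELETE requires the certificate to be deactivated first
VALIDITY_MIN_DAYS, VALIDITY_MAX_DAYS, VALIDITY_DEFAULT_DAYS = 1, 10_950, 1_825

_HEX_PAIR = re.compile(r"^[0-9A-F]{2}$")


def normalize_fingerprint(fp: str) -> str:
    """Canonical upper-case, colon-separated SHA256 fingerprint.

    Accepts 64 plain hex digits or colon-separated octets, and zero-pads an
    octet that was printed as a single digit (the sample above shows "AB:0:31").
    """
    raw = fp.strip().upper()
    groups = raw.split(":") if ":" in raw else re.findall(r"[0-9A-F]{2}", raw)
    groups = [g.zfill(2) for g in groups]
    if len(groups) != 32 or not all(_HEX_PAIR.match(g) for g in groups):
        raise ValueError(f"not a SHA256 fingerprint: {fp!r}")
    return ":".join(groups)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the DER body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    body = "".join(body.split())
    body += "=" * (-len(body) % 4)     # tolerate missing base64 padding
    return base64.b64decode(body)


def compute_fingerprint(pem: str) -> str:
    """SHA256 over the DER bytes, the quantity the API's `fingerprint` field reports."""
    return normalize_fingerprint(hashlib.sha256(pem_to_der(pem)).hexdigest())


def fingerprint_matches(record: Dict) -> bool:
    """Cross-check the PEM in `certificate` against the reported `fingerprint`.

    Pin this value in your device-trust rollout; a mismatch means the CA you are
    about to distribute to endpoints is not the one the API says it is.
    """
    return compute_fingerprint(record["certificate"]) == normalize_fingerprint(record["fingerprint"])


def can_intercept_with(record: Dict) -> bool:
    return record.get("binding_status") == USABLE_STATE


def can_delete(record: Dict) -> bool:
    """The delete endpoint only accepts gateway-managed certificates that are already inactive."""
    return record.get("type") == "gateway_managed" and record.get("binding_status") == DELETABLE_STATE


def create_body(validity_period_days: Optional[int] = None) -> Dict:
    """Body for POST .../gateway/certificates; validity is only settable at creation."""
    if validity_period_days is None:
        return {}                        # API default: VALIDITY_DEFAULT_DAYS
    if not VALIDITY_MIN_DAYS <= validity_period_days <= VALIDITY_MAX_DAYS:
        raise ValueError(f"validity_period_days must be {VALIDITY_MIN_DAYS}-{VALIDITY_MAX_DAYS}")
    return {"validity_period_days": validity_period_days}


def wait_for_state(fetch: Callable[[], Dict], state: str, attempts: int = 30, delay: float = 2.0) -> Dict:
    """Poll the GET endpoint until binding_status reaches `state` (e.g. after /activate)."""
    last: Dict = {}
    for _ in range(attempts):
        last = fetch()
        if last.get("binding_status") == state:
            return last
        time.sleep(delay)
    raise TimeoutError(f"certificate stuck in {last.get('binding_status')!r}, wanted {state!r}")


# Constructed sample: the DER bytes are a placeholder, not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n")
SAMPLE_RECORD = {
    "id": "00000000-0000-0000-0000-000000000000",   # placeholder UUID
    "type": "gateway_managed",
    "binding_status": "available",
    "certificate": SAMPLE_PEM,
    "fingerprint": compute_fingerprint(SAMPLE_PEM),
}

if __name__ == "__main__":
    print("fingerprint ok:", fingerprint_matches(SAMPLE_RECORD))
    print("usable for interception:", can_intercept_with(SAMPLE_RECORD))
    print("deletable now:", can_delete(SAMPLE_RECORD))
```

In a real rollout the sequence is: `POST` with `create_body(...)`, `POST .../activate`, then `wait_for_state(fetch, "available")` before pointing the Gateway `certificate` setting at it; before deletion, `POST .../deactivate` and `wait_for_state(fetch, "inactive")`, which is exactly what `can_delete` checks.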
### Body Parameters

- `body: unknown`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { id, binding_status, certificate, 9 more }`
  - `id: optional string` Identify the certificate with a UUID.
  - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: optional string` Provide the CA certificate (read-only).
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/certificates/$CERTIFICATE_ID/deactivate \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{}'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "binding_status": "pending_deployment",
    "certificate": "-----BEGIN CERTIFICATE-----\n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\n-----END CERTIFICATE-----\n",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "E9:19:49:AA:DD:D8:1E:C1:20:2A:D8:22:BF:A5:F8:FC:1A:F7:10:9F:C7:5B:69:AB:0:31:91:8B:61:B4:BF:1C",
    "in_use": true,
    "issuer_org": "Example Inc.",
    "issuer_raw": "O=Example Inc.,L=California,ST=San Francisco,C=US",
    "type": "gateway_managed",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "uploaded_on": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Certificate List Response

- `CertificateListResponse { id, binding_status, certificate, 9 more }`
  - `id: optional string` Identify the certificate with a UUID.
  - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: optional string` Provide the CA certificate (read-only).
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`

### Certificate Get Response

- `CertificateGetResponse { id, binding_status, certificate, 9 more }`
  - `id: optional string` Identify the certificate with a UUID.
  - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: optional string` Provide the CA certificate (read-only).
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`

### Certificate Create Response

- `CertificateCreateResponse { id, binding_status, certificate, 9 more }`
  - `id: optional string` Identify the certificate with a UUID.
  - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: optional string` Provide the CA certificate (read-only).
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`

### Certificate Delete Response

- `CertificateDeleteResponse { id, binding_status, certificate, 9 more }`
  - `id: optional string` Identify the certificate with a UUID.
  - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: optional string` Provide the CA certificate (read-only).
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`

### Certificate Activate Response

- `CertificateActivateResponse { id, binding_status, certificate, 9 more }`
  - `id: optional string` Identify the certificate with a UUID.
  - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: optional string` Provide the CA certificate (read-only).
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`

### Certificate Deactivate Response

- `CertificateDeactivateResponse { id, binding_status, certificate, 9 more }`
  - `id: optional string` Identify the certificate with a UUID.
  - `binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive"` Indicate the read-only deployment status of the certificate on Cloudflare's edge. Gateway TLS interception can use certificates in the 'available' (previously called 'active') state.
    - `"pending_deployment"`
    - `"available"`
    - `"pending_deletion"`
    - `"inactive"`
  - `certificate: optional string` Provide the CA certificate (read-only).
  - `created_at: optional string`
  - `expires_on: optional string`
  - `fingerprint: optional string` Provide the SHA256 fingerprint of the certificate (read-only).
  - `in_use: optional boolean` Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named `certificate` (read-only).
  - `issuer_org: optional string` Indicate the organization that issued the certificate (read-only).
  - `issuer_raw: optional string` Provide the entire issuer field of the certificate (read-only).
  - `type: optional "custom" or "gateway_managed"` Indicate the read-only certificate type, BYO-PKI (custom) or Gateway-managed.
    - `"custom"`
    - `"gateway_managed"`
  - `updated_at: optional string`
  - `uploaded_on: optional string`

# Pacfiles

## List PAC files

**get** `/accounts/{account_id}/gateway/pacfiles`

List all Zero Trust Gateway PAC files for an account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional array of { id, created_at, description, 4 more }`
  - `id: optional string`
  - `created_at: optional string`
  - `description: optional string` Detailed description of the PAC file.
  - `name: optional string` Name of the PAC file.
  - `slug: optional string` URL-friendly version of the PAC file name.
  - `updated_at: optional string`
  - `url: optional string` Unique URL to download the PAC file.
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Indicate the total number of results for the requested service.
  - `page: optional number` Indicate the current page within a paginated list of results.
  - `per_page: optional number` Indicate the number of results per page.
  - `total_count: optional number` Indicate the total results available without any search parameters.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/pacfiles \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "ed35569b41ce4d1facfe683550f54086",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "description": "PAC file for Devops team",
      "name": "Devops team",
      "slug": "pac_devops",
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000 }
}
```

## Get a PAC file

**get** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Get a single Zero Trust Gateway PAC file.

### Path Parameters

- `account_id: string`
- `pacfile_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { id, contents, created_at, 5 more }`
  - `id: optional string`
  - `contents: optional string` Actual contents of the PAC file.
  - `created_at: optional string`
  - `description: optional string` Detailed description of the PAC file.
  - `name: optional string` Name of the PAC file.
  - `slug: optional string` URL-friendly version of the PAC file name.
  - `updated_at: optional string`
  - `url: optional string` Unique URL to download the PAC file.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/pacfiles/$PACFILE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Create a PAC file

**post** `/accounts/{account_id}/gateway/pacfiles`

Create a new Zero Trust Gateway PAC file.

### Path Parameters

- `account_id: string`

### Body Parameters

- `contents: string` Actual contents of the PAC file.
- `name: string` Name of the PAC file.
- `description: optional string` Detailed description of the PAC file.
- `slug: optional string` URL-friendly version of the PAC file name. If not provided, it will be auto-generated.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { id, contents, created_at, 5 more }`
  - `id: optional string`
  - `contents: optional string` Actual contents of the PAC file.
  - `created_at: optional string`
  - `description: optional string` Detailed description of the PAC file.
  - `name: optional string` Name of the PAC file.
  - `slug: optional string` URL-friendly version of the PAC file name.
  - `updated_at: optional string`
  - `url: optional string` Unique URL to download the PAC file.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/pacfiles \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "name": "Devops team",
    "description": "PAC file for Devops team",
    "slug": "pac_devops"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Update a Zero Trust Gateway PAC file

**put** `/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Update a configured Zero Trust Gateway PAC file.

### Path Parameters

- `account_id: string`
- `pacfile_id: string`

### Body Parameters

- `contents: string` Actual contents of the PAC file
- `description: string` Detailed description of the PAC file.
- `name: string` Name of the PAC file.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional { id, contents, created_at, 5 more }`
  - `id: optional string`
  - `contents: optional string` Actual contents of the PAC file
  - `created_at: optional string`
  - `description: optional string` Detailed description of the PAC file.
  - `name: optional string` Name of the PAC file.
  - `slug: optional string` URL-friendly version of the PAC file name.
  - `updated_at: optional string`
  - `url: optional string` Unique URL to download the PAC file.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/pacfiles/$PACFILE_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "description": "PAC file for Devops team",
    "name": "Devops team"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "ed35569b41ce4d1facfe683550f54086",
    "contents": "function FindProxyForURL(url, host) { return \"DIRECT\"; }",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "description": "PAC file for Devops team",
    "name": "Devops team",
    "slug": "pac_devops",
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "url": "https://pac.cloudflare-gateway.com/699d98642c564d2e855e9661899b7252/pac_devops"
  }
}
```

## Delete a PAC file

**delete**
`/accounts/{account_id}/gateway/pacfiles/{pacfile_id}`

Delete a configured Zero Trust Gateway PAC file.

### Path Parameters

- `account_id: string`
- `pacfile_id: string`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `success: true` Indicate whether the API call was successful.
  - `true`
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/pacfiles/$PACFILE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Pacfile List Response

- `PacfileListResponse { id, created_at, description, 4 more }`
  - `id: optional string`
  - `created_at: optional string`
  - `description: optional string` Detailed description of the PAC file.
  - `name: optional string` Name of the PAC file.
  - `slug: optional string` URL-friendly version of the PAC file name.
  - `updated_at: optional string`
  - `url: optional string` Unique URL to download the PAC file.

### Pacfile Get Response

- `PacfileGetResponse { id, contents, created_at, 5 more }`
  - `id: optional string`
  - `contents: optional string` Actual contents of the PAC file
  - `created_at: optional string`
  - `description: optional string` Detailed description of the PAC file.
  - `name: optional string` Name of the PAC file.
  - `slug: optional string` URL-friendly version of the PAC file name.
  - `updated_at: optional string`
  - `url: optional string` Unique URL to download the PAC file.

### Pacfile Create Response

- `PacfileCreateResponse { id, contents, created_at, 5 more }`
  - `id: optional string`
  - `contents: optional string` Actual contents of the PAC file
  - `created_at: optional string`
  - `description: optional string` Detailed description of the PAC file.
  - `name: optional string` Name of the PAC file.
  - `slug: optional string` URL-friendly version of the PAC file name.
  - `updated_at: optional string`
  - `url: optional string` Unique URL to download the PAC file.

### Pacfile Update Response

- `PacfileUpdateResponse { id, contents, created_at, 5 more }`
  - `id: optional string`
  - `contents: optional string` Actual contents of the PAC file
  - `created_at: optional string`
  - `description: optional string` Detailed description of the PAC file.
  - `name: optional string` Name of the PAC file.
  - `slug: optional string` URL-friendly version of the PAC file name.
  - `updated_at: optional string`
  - `url: optional string` Unique URL to download the PAC file.

### Pacfile Delete Response

- `PacfileDeleteResponse = unknown`

# Networks

# Routes

## List tunnel routes

**get** `/accounts/{account_id}/teamnet/routes`

Lists and filters private network routes in an account.

### Path Parameters

- `account_id: string` Cloudflare account ID

### Query Parameters

- `comment: optional string` Optional remark describing the route.
- `existed_at: optional string` If provided, include only resources that were created (and not deleted) before this time. URL encoded.
- `is_deleted: optional boolean` If `true`, only include deleted routes. If `false`, exclude deleted routes. If empty, all routes will be included.
- `network_subset: optional string` If set, only list routes that are contained within this IP range.
- `network_superset: optional string` If set, only list routes that contain this IP range.
- `page: optional number` Page number of paginated results.
- `per_page: optional number` Number of results to display.
- `route_id: optional string` UUID of the route.
- `tun_types: optional array of "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The types of tunnels to filter by, separated by commas.
  - `"cfd_tunnel"`
  - `"warp_connector"`
  - `"warp"`
  - `"magic"`
  - `"ip_sec"`
  - `"gre"`
  - `"cni"`
- `tunnel_id: optional string` UUID of the tunnel.
- `virtual_network_id: optional string` UUID of the virtual network.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of Teamnet`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
  - `tunnel_id: optional string` UUID of the tunnel.
  - `tunnel_name: optional string` A user-friendly name for a tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.
  - `virtual_network_name: optional string` A user-friendly name for the virtual network.
- `success: true` Whether the API call was successful
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service
  - `page: optional number` Current page within paginated list of results
  - `per_page: optional number` Number of results per page of results
  - `total_count: optional number` Total results available without any search parameters

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "comment": "Example comment for this route.",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "network": "172.16.0.0/16",
      "tun_type": "cfd_tunnel",
      "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "tunnel_name": "blog",
      "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "virtual_network_name": "us-east-1-vpc"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get tunnel route

**get** `/accounts/{account_id}/teamnet/routes/{route_id}`

Get a private network route in an account.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `route_id: string` UUID of the route.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Route`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: optional string` UUID of the tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Create a tunnel route

**post** `/accounts/{account_id}/teamnet/routes`

Routes a private network through a Cloudflare Tunnel.
### Path Parameters

- `account_id: string` Cloudflare account ID

### Body Parameters

- `network: string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
- `tunnel_id: string` UUID of the tunnel.
- `comment: optional string` Optional remark describing the route.
- `virtual_network_id: optional string` UUID of the virtual network.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Route`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: optional string` UUID of the tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Update a tunnel route

**patch** `/accounts/{account_id}/teamnet/routes/{route_id}`

Updates an existing private network route in an account. The fields that are meant to be updated should be provided in the body of the request.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `route_id: string` UUID of the route.

### Body Parameters

- `comment: optional string` Optional remark describing the route.
- `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
- `tunnel_id: optional string` UUID of the tunnel.
- `virtual_network_id: optional string` UUID of the virtual network.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Route`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: optional string` UUID of the tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "comment": "Example comment for this route.",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Delete a tunnel route

**delete** `/accounts/{account_id}/teamnet/routes/{route_id}`

Deletes a private network route from an account.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `route_id: string` UUID of the route.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Route`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: optional string` UUID of the tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/$ROUTE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Domain Types

### Network Route

- `NetworkRoute { id, comment, created_at, 4 more }`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: optional string` UUID of the tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.

### Route

- `Route { id, comment, created_at, 4 more }`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: optional string` UUID of the tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.

### Teamnet

- `Teamnet { id, comment, created_at, 7 more }`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
  - `tunnel_id: optional string` UUID of the tunnel.
  - `tunnel_name: optional string` A user-friendly name for a tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.
  - `virtual_network_name: optional string` A user-friendly name for the virtual network.

# IPs

## Get tunnel route by IP

**get** `/accounts/{account_id}/teamnet/routes/ip/{ip}`

Fetches routes that contain the given IP address.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `ip: string`

### Query Parameters

- `default_virtual_network_fallback: optional boolean` When the `virtual_network_id` parameter is not provided, the search defaults to routes in the account's default virtual network. If this parameter is set to `false`, the search will instead include routes that do not have a virtual network.
- `virtual_network_id: optional string` UUID of the virtual network.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Teamnet`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
    - `"cfd_tunnel"`
    - `"warp_connector"`
    - `"warp"`
    - `"magic"`
    - `"ip_sec"`
    - `"gre"`
    - `"cni"`
  - `tunnel_id: optional string` UUID of the tunnel.
  - `tunnel_name: optional string` A user-friendly name for a tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.
  - `virtual_network_name: optional string` A user-friendly name for the virtual network.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/ip/$IP \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tun_type": "cfd_tunnel",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "tunnel_name": "blog",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_name": "us-east-1-vpc"
  },
  "success": true
}
```

# Networks

## Create a tunnel route (CIDR Endpoint)

**post** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}`

Routes a private network through a Cloudflare Tunnel. The CIDR in `ip_network_encoded` must be written in URL-encoded format.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `ip_network_encoded: string` IP/CIDR range in URL-encoded format

### Body Parameters

- `tunnel_id: string` UUID of the tunnel.
- `comment: optional string` Optional remark describing the route.
- `virtual_network_id: optional string` UUID of the virtual network.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Route`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: optional string` UUID of the tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/network/$IP_NETWORK_ENCODED \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Update a tunnel route (CIDR Endpoint)

**patch** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}`

Updates an existing private network route in an account. The CIDR in `ip_network_encoded` must be written in URL-encoded format.
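Added example in Python (not Cloudflare's code) covering three things this page documents: the URL-encoding the CIDR endpoints require for `ip_network_encoded`, a local counterpart of "Get tunnel route by IP" over a route list, and an audit over route objects shaped like the `Teamnet` results of "List tunnel routes". The route ids, tunnel ids, virtual network ids and CIDRs are constructed for the example; the longest-prefix rule in `route_for_ip` is an assumption, not something the page states.

```python
"""Added example, not Cloudflare's code: helpers for the /teamnet/routes objects
documented on this page. Ids below are constructed placeholders, and the routes
are a constructed sample shaped like the `Teamnet` objects the API returns."""
import ipaddress
from urllib.parse import quote

# Constructed sample of the `result` array from GET /teamnet/routes
# (ids are placeholders, not real UUIDs).
SAMPLE_ROUTES = [
    {"id": "r1", "network": "172.16.0.0/16", "tunnel_id": "tun-a",
     "virtual_network_id": "vnet-default", "deleted_at": None, "tun_type": "cfd_tunnel"},
    {"id": "r2", "network": "172.16.10.0/24", "tunnel_id": "tun-b",
     "virtual_network_id": "vnet-default", "deleted_at": None, "tun_type": "cfd_tunnel"},
    {"id": "r3", "network": "10.0.0.0/8", "tunnel_id": "tun-a",
     "virtual_network_id": "vnet-staging", "deleted_at": None, "tun_type": "warp_connector"},
    # A deleted default route: the list endpoint still returns it unless
    # is_deleted=false is passed, so deleted_at must be checked before reasoning
    # about what is live.
    {"id": "r4", "network": "0.0.0.0/0", "tunnel_id": "tun-c",
     "virtual_network_id": "vnet-default", "deleted_at": "2021-01-25T18:22:34.317854Z",
     "tun_type": "cfd_tunnel"},
    # Same CIDR as r1 but in another virtual network: that is what virtual
    # networks are for, so it is not a conflict.
    {"id": "r5", "network": "172.16.0.0/16", "tunnel_id": "tun-c",
     "virtual_network_id": "vnet-staging", "deleted_at": None, "tun_type": "cfd_tunnel"},
    {"id": "r6", "network": "::/0", "tunnel_id": "tun-a",
     "virtual_network_id": "vnet-default", "deleted_at": None, "tun_type": "cfd_tunnel"},
]


def cidr_endpoint_path(account_id: str, network: str) -> str:
    """Build the path for /teamnet/routes/network/{ip_network_encoded}.

    The page requires the CIDR to be URL-encoded. quote() leaves '/' alone by
    default, so safe='' is needed to get 172.16.0.0%2F16. strict=True rejects a
    CIDR with host bits set (e.g. 172.16.0.1/16) before it reaches the API.
    """
    net = ipaddress.ip_network(network, strict=True)
    return f"/accounts/{account_id}/teamnet/routes/network/{quote(str(net), safe='')}"


def active_routes(routes):
    """Routes whose deleted_at is null (the page: null means not deleted)."""
    return [r for r in routes if r.get("deleted_at") is None]


def route_for_ip(routes, ip: str, virtual_network_id: str):
    """Local counterpart of GET /teamnet/routes/ip/{ip}: the live route in the
    given virtual network that contains ip. Assumption (not stated on the page):
    when several routes contain the address, the most specific one (longest
    prefix) is the one that applies, as in ordinary routing."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for r in active_routes(routes):
        if r["virtual_network_id"] != virtual_network_id:
            continue
        net = ipaddress.ip_network(r["network"])
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def audit_routes(routes):
    """Findings worth reviewing in a route table, as (kind, route_id, other_id):
    - default_route: 0.0.0.0/0 or ::/0 sends all traffic of that family through
      a tunnel; confirm that is intended.
    - overlap_different_tunnel: two live routes in the same virtual network
      overlap but point at different tunnels, so the more specific prefix
      silently wins for part of the range."""
    findings = []
    live = active_routes(routes)
    for r in live:
        if ipaddress.ip_network(r["network"]).prefixlen == 0:
            findings.append(("default_route", r["id"], None))
    for i, a in enumerate(live):
        net_a = ipaddress.ip_network(a["network"])
        for b in live[i + 1:]:
            if a["virtual_network_id"] != b["virtual_network_id"]:
                continue
            net_b = ipaddress.ip_network(b["network"])
            if (net_a.version == net_b.version and net_a.overlaps(net_b)
                    and a["tunnel_id"] != b["tunnel_id"]):
                findings.append(("overlap_different_tunnel", a["id"], b["id"]))
    return findings


if __name__ == "__main__":
    print(cidr_endpoint_path("ACCOUNT_ID", "172.16.0.0/16"))
    print(route_for_ip(SAMPLE_ROUTES, "172.16.10.5", "vnet-default")["id"])
    for finding in audit_routes(SAMPLE_ROUTES):
        print(finding)
```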
### Path Parameters

- `account_id: string` Cloudflare account ID
- `ip_network_encoded: string` IP/CIDR range in URL-encoded format

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Route`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: optional string` UUID of the tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/network/$IP_NETWORK_ENCODED \
  -X PATCH \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

## Delete a tunnel route (CIDR Endpoint)

**delete** `/accounts/{account_id}/teamnet/routes/network/{ip_network_encoded}`

Deletes a private network route from an account. The CIDR in `ip_network_encoded` must be written in URL-encoded format. If no `virtual_network_id` is provided, the route is deleted from the default vnet. If no `tun_type` is provided, the type is taken from the `tunnel_id`, or, if that is missing too, Cloudflare Tunnel is assumed as the default. If `tunnel_id` is provided, the route is deleted from that tunnel; otherwise the route is deleted based on the vnet and `tun_type`.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `ip_network_encoded: string` IP/CIDR range in URL-encoded format

### Query Parameters

- `tun_type: optional "cfd_tunnel" or "warp_connector" or "warp" or 4 more` The type of tunnel.
  - `"cfd_tunnel"`
  - `"warp_connector"`
  - `"warp"`
  - `"magic"`
  - `"ip_sec"`
  - `"gre"`
  - `"cni"`
- `tunnel_id: optional string` UUID of the tunnel.
- `virtual_network_id: optional string` UUID of the virtual network.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Route`
  - `id: optional string` UUID of the route.
  - `comment: optional string` Optional remark describing the route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `network: optional string` The private IPv4 or IPv6 range connected by the route, in CIDR notation.
  - `tunnel_id: optional string` UUID of the tunnel.
  - `virtual_network_id: optional string` UUID of the virtual network.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/routes/network/$IP_NETWORK_ENCODED \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Example comment for this route.",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "network": "172.16.0.0/16",
    "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "virtual_network_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415"
  },
  "success": true
}
```

# Virtual Networks

## List virtual networks

**get** `/accounts/{account_id}/teamnet/virtual_networks`

Lists and filters virtual networks in an account.
### Path Parameters

- `account_id: string` Cloudflare account ID

### Query Parameters

- `id: optional string` UUID of the virtual network.
- `is_default: optional boolean` If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included.
- `is_default_network: optional boolean` If `true`, only include the default virtual network. If `false`, exclude the default virtual network. If empty, all virtual networks will be included.
- `is_deleted: optional boolean` If `true`, only include deleted virtual networks. If `false`, exclude deleted virtual networks. If empty, all virtual networks will be included.
- `name: optional string` A user-friendly name for the virtual network.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of VirtualNetwork`
  - `id: string` UUID of the virtual network.
  - `comment: string` Optional remark describing the virtual network.
  - `created_at: string` Timestamp of when the resource was created.
  - `is_default_network: boolean` If `true`, this virtual network is the default for the account.
  - `name: string` A user-friendly name for the virtual network.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
- `success: true` Whether the API call was successful
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service
  - `page: optional number` Current page within paginated list of results
  - `per_page: optional number` Number of results per page of results
  - `total_count: optional number` Total results available without any search parameters

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "comment": "Staging VPC for data science",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "is_default_network": true,
      "name": "us-east-1-vpc",
      "deleted_at": "2009-11-10T23:00:00.000000Z"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get a virtual network

**get** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}`

Get a virtual network.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `virtual_network_id: string` UUID of the virtual network.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: VirtualNetwork`
  - `id: string` UUID of the virtual network.
  - `comment: string` Optional remark describing the virtual network.
  - `created_at: string` Timestamp of when the resource was created.
  - `is_default_network: boolean` If `true`, this virtual network is the default for the account.
  - `name: string` A user-friendly name for the virtual network.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks/$VIRTUAL_NETWORK_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Staging VPC for data science",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "is_default_network": true,
    "name": "us-east-1-vpc",
    "deleted_at": "2009-11-10T23:00:00.000000Z"
  },
  "success": true
}
```

## Create a virtual network

**post** `/accounts/{account_id}/teamnet/virtual_networks`

Adds a new virtual network to an account.

### Path Parameters

- `account_id: string` Cloudflare account ID

### Body Parameters

- `name: string` A user-friendly name for the virtual network.
- `comment: optional string` Optional remark describing the virtual network.
- `is_default: optional boolean` If `true`, this virtual network is the default for the account.
- `is_default_network: optional boolean` If `true`, this virtual network is the default for the account.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: VirtualNetwork`
  - `id: string` UUID of the virtual network.
  - `comment: string` Optional remark describing the virtual network.
  - `created_at: string` Timestamp of when the resource was created.
  - `is_default_network: boolean` If `true`, this virtual network is the default for the account.
  - `name: string` A user-friendly name for the virtual network.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "us-east-1-vpc",
    "comment": "Staging VPC for data science",
    "is_default": true
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Staging VPC for data science",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "is_default_network": true,
    "name": "us-east-1-vpc",
    "deleted_at": "2009-11-10T23:00:00.000000Z"
  },
  "success": true
}
```

## Update a virtual network

**patch** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}`

Updates an existing virtual network.
### Path Parameters

- `account_id: string` Cloudflare account ID
- `virtual_network_id: string` UUID of the virtual network.

### Body Parameters

- `comment: optional string` Optional remark describing the virtual network.
- `is_default_network: optional boolean` If `true`, this virtual network is the default for the account.
- `name: optional string` A user-friendly name for the virtual network.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: VirtualNetwork`
  - `id: string` UUID of the virtual network.
  - `comment: string` Optional remark describing the virtual network.
  - `created_at: string` Timestamp of when the resource was created.
  - `is_default_network: boolean` If `true`, this virtual network is the default for the account.
  - `name: string` A user-friendly name for the virtual network.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks/$VIRTUAL_NETWORK_ID \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "comment": "Staging VPC for data science",
    "name": "us-east-1-vpc"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Staging VPC for data science",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "is_default_network": true,
    "name": "us-east-1-vpc",
    "deleted_at": "2009-11-10T23:00:00.000000Z"
  },
  "success": true
}
```

## Delete a virtual network

**delete** `/accounts/{account_id}/teamnet/virtual_networks/{virtual_network_id}`

Deletes an existing virtual network.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `virtual_network_id: string` UUID of the virtual network.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: VirtualNetwork`
  - `id: string` UUID of the virtual network.
  - `comment: string` Optional remark describing the virtual network.
  - `created_at: string` Timestamp of when the resource was created.
  - `is_default_network: boolean` If `true`, this virtual network is the default for the account.
  - `name: string` A user-friendly name for the virtual network.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks/$VIRTUAL_NETWORK_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "Staging VPC for data science",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "is_default_network": true,
    "name": "us-east-1-vpc",
    "deleted_at": "2009-11-10T23:00:00.000000Z"
  },
  "success": true
}
```

## Domain Types

### Virtual Network

- `VirtualNetwork { id, comment, created_at, 3 more }`
  - `id: string` UUID of the virtual network.
  - `comment: string` Optional remark describing the virtual network.
  - `created_at: string` Timestamp of when the resource was created.
  - `is_default_network: boolean` If `true`, this virtual network is the default for the account.
  - `name: string` A user-friendly name for the virtual network.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.

# Subnets

## List Subnets

**get** `/accounts/{account_id}/zerotrust/subnets`

Lists and filters subnets in an account.

### Path Parameters

- `account_id: string` Cloudflare account ID

### Query Parameters

- `address_family: optional "v4" or "v6"` If set, only include subnets in the given address family (`v4` or `v6`).
  - `"v4"`
  - `"v6"`
- `comment: optional string` If set, only list subnets with the given comment.
- `existed_at: optional string` If provided, include only resources that were created (and not deleted) before this time. URL encoded.
- `is_default_network: optional boolean` If `true`, only include default subnets. If `false`, exclude default subnets. If not set, all subnets will be included.
- `is_deleted: optional boolean` If `true`, only include deleted subnets. If `false`, exclude deleted subnets. If not set, all subnets will be included.
- `name: optional string` If set, only list subnets with the given name.
- `network: optional string` If set, only list the subnet whose network exactly matches the given CIDR.
- `page: optional number` Page number of paginated results.
- `per_page: optional number` Number of results to display.
- `sort_order: optional "asc" or "desc"` Sort order of the results. `asc` means oldest to newest, `desc` means newest to oldest. If not set, they will not be in any particular order.
  - `"asc"`
  - `"desc"`
- `subnet_types: optional "cloudflare_source" or "warp"` If set, the types of subnets to include, separated by comma.
  - `"cloudflare_source"`
  - `"warp"`

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of Subnet`
  - `id: optional string` The UUID of the subnet.
  - `comment: optional string` An optional description of the subnet.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `is_default_network: optional boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account.
  - `name: optional string` A user-friendly name for the subnet.
  - `network: optional string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation.
  - `subnet_type: optional "cloudflare_source" or "warp"` The type of subnet.
    - `"cloudflare_source"`
    - `"warp"`
- `success: true` Whether the API call was successful
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service
  - `page: optional number` Current page within paginated list of results
  - `per_page: optional number` Number of results per page of results
  - `total_count: optional number` Total results available without any search parameters

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/subnets \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "comment": "example comment",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "is_default_network": true,
      "name": "IPv4 Cloudflare Source IPs",
      "network": "100.64.0.0/12",
      "subnet_type": "cloudflare_source"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

# WARP

## Create WARP IP subnet

**post** `/accounts/{account_id}/zerotrust/subnets/warp`

Create a WARP IP assignment subnet. Currently, only IPv4 subnets can be created.
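A client can reject a `network` value that violates the constraints this endpoint enforces (IPv4 only, one of the four private parent ranges listed under its network constraints, and a prefix length of `/24` or larger) before sending the request, instead of learning about it from an error response. The check below is added example code, not Cloudflare's own; `validate_warp_subnet`, `build_create_body` and `ALLOWED_PARENTS` are names assumed here.

```python
from __future__ import annotations

import ipaddress

# Parent ranges a WARP IP assignment subnet must fall within (the four
# ranges this endpoint's network constraints list).
ALLOWED_PARENTS = (
    ipaddress.ip_network("10.0.0.0/8"),      # RFC 1918
    ipaddress.ip_network("172.16.0.0/12"),   # RFC 1918
    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
    ipaddress.ip_network("100.64.0.0/10"),   # RFC 6598 (CGNAT)
)
# "/24 or larger": the prefix length may be at most 24 (a /25 is too small).
MAX_PREFIX_LEN = 24


def validate_warp_subnet(cidr: str) -> tuple[bool, str]:
    """Return (ok, reason) for a candidate `network` value.

    strict=True rejects values with host bits set (e.g. 10.0.0.1/24), a
    common source of rejected requests that is cheap to catch locally.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return False, f"not a valid CIDR: {exc}"
    if net.version != 4:
        return False, "only IPv4 subnets can be created"
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, f"/{net.prefixlen} is smaller than the /{MAX_PREFIX_LEN} minimum"
    for parent in ALLOWED_PARENTS:
        # subnet_of is true for a proper subnet and for the parent range itself
        if net.subnet_of(parent):
            return True, f"within {parent}"
    return False, "not within an allowed private range (RFC 1918 or RFC 6598)"


def build_create_body(name: str, network: str, comment: str | None = None,
                      is_default_network: bool | None = None) -> dict:
    """Build the JSON body for POST .../zerotrust/subnets/warp, validating first.

    Optional fields are omitted rather than sent as null, so the request
    carries only what the caller explicitly set.
    """
    ok, reason = validate_warp_subnet(network)
    if not ok:
        raise ValueError(f"{network}: {reason}")
    body: dict = {"name": name, "network": network}
    if comment is not None:
        body["comment"] = comment
    if is_default_network is not None:
        body["is_default_network"] = is_default_network
    return body


if __name__ == "__main__":
    # Constructed sample values, not taken from a real account.
    for cidr in ("100.64.0.0/12", "10.20.0.0/16", "192.168.1.0/25",
                 "172.32.0.0/16", "10.0.0.1/24", "fd00::/64"):
        print(cidr, validate_warp_subnet(cidr))
    print(build_create_body("Corp WARP pool", "10.20.0.0/16",
                            comment="constructed example"))
```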
**Network constraints:**

- The network must be within one of the following private IP ranges:
  - `10.0.0.0/8` (RFC 1918)
  - `172.16.0.0/12` (RFC 1918)
  - `192.168.0.0/16` (RFC 1918)
  - `100.64.0.0/10` (RFC 6598 - CGNAT)
- The subnet must have a prefix length of `/24` or larger (e.g., `/16`, `/20`, `/24` are valid; `/25`, `/28` are not)

### Path Parameters

- `account_id: string` Cloudflare account ID

### Body Parameters

- `name: string` A user-friendly name for the subnet.
- `network: string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation.
- `comment: optional string` An optional description of the subnet.
- `is_default_network: optional boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Subnet`
  - `id: optional string` The UUID of the subnet.
  - `comment: optional string` An optional description of the subnet.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `is_default_network: optional boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account.
  - `name: optional string` A user-friendly name for the subnet.
  - `network: optional string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation.
  - `subnet_type: optional "cloudflare_source" or "warp"` The type of subnet.
    - `"cloudflare_source"`
    - `"warp"`
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/subnets/warp \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "IPv4 Cloudflare Source IPs",
    "network": "100.64.0.0/12",
    "comment": "example comment"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "is_default_network": true,
    "name": "IPv4 Cloudflare Source IPs",
    "network": "100.64.0.0/12",
    "subnet_type": "cloudflare_source"
  },
  "success": true
}
```

## Get WARP IP subnet

**get** `/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}`

Get a WARP IP assignment subnet.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `subnet_id: string` The UUID of the subnet.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Subnet`
  - `id: optional string` The UUID of the subnet.
  - `comment: optional string` An optional description of the subnet.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `is_default_network: optional boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account.
  - `name: optional string` A user-friendly name for the subnet.
  - `network: optional string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation.
  - `subnet_type: optional "cloudflare_source" or "warp"` The type of subnet.
    - `"cloudflare_source"`
    - `"warp"`
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/subnets/warp/$SUBNET_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "is_default_network": true,
    "name": "IPv4 Cloudflare Source IPs",
    "network": "100.64.0.0/12",
    "subnet_type": "cloudflare_source"
  },
  "success": true
}
```

## Update WARP IP subnet

**patch** `/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}`

Updates a WARP IP assignment subnet.

**Update constraints:**

- The `network` field cannot be modified for WARP subnets. Only `name`, `comment`, and `is_default_network` can be updated.
- IPv6 subnets cannot be updated.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `subnet_id: string` The UUID of the subnet.

### Body Parameters

- `comment: optional string` An optional description of the subnet.
- `is_default_network: optional boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account.
- `name: optional string` A user-friendly name for the subnet.
- `network: optional string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Subnet`
  - `id: optional string` The UUID of the subnet.
  - `comment: optional string` An optional description of the subnet.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `is_default_network: optional boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account.
  - `name: optional string` A user-friendly name for the subnet.
  - `network: optional string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation.
  - `subnet_type: optional "cloudflare_source" or "warp"` The type of subnet.
    - `"cloudflare_source"`
    - `"warp"`
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/subnets/warp/$SUBNET_ID \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "comment": "example comment",
    "name": "IPv4 Cloudflare Source IPs",
    "network": "100.64.0.0/12"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "is_default_network": true,
    "name": "IPv4 Cloudflare Source IPs",
    "network": "100.64.0.0/12",
    "subnet_type": "cloudflare_source"
  },
  "success": true
}
```

## Delete WARP IP subnet

**delete** `/accounts/{account_id}/zerotrust/subnets/warp/{subnet_id}`

Delete a WARP IP assignment subnet. This operation is idempotent: deleting an already-deleted or non-existent subnet will return success with a null result.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `subnet_id: string` The UUID of the subnet.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: { id, comment, created_at, 5 more }`
  - `id: optional string` The UUID of the subnet.
  - `comment: optional string` An optional description of the subnet.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `is_default_network: optional boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account.
  - `name: optional string` A user-friendly name for the subnet.
  - `network: optional string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation.
  - `subnet_type: optional "cloudflare_source" or "warp"` The type of subnet.
    - `"cloudflare_source"`
    - `"warp"`
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/subnets/warp/$SUBNET_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "is_default_network": true,
    "name": "IPv4 Cloudflare Source IPs",
    "network": "100.64.0.0/12",
    "subnet_type": "cloudflare_source"
  },
  "success": true
}
```

## Domain Types

### Subnet

- `Subnet { id, comment, created_at, 5 more }`
  - `id: optional string` The UUID of the subnet.
  - `comment: optional string` An optional description of the subnet.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `is_default_network: optional boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account.
  - `name: optional string` A user-friendly name for the subnet.
  - `network: optional string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation.
  - `subnet_type: optional "cloudflare_source" or "warp"` The type of subnet.
    - `"cloudflare_source"`
    - `"warp"`

### WARP Delete Response

- `WARPDeleteResponse { id, comment, created_at, 5 more }`
  - `id: optional string` The UUID of the subnet.
  - `comment: optional string` An optional description of the subnet.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `is_default_network: optional boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account.
  - `name: optional string` A user-friendly name for the subnet.
  - `network: optional string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation.
  - `subnet_type: optional "cloudflare_source" or "warp"` The type of subnet.
    - `"cloudflare_source"`
    - `"warp"`

# Cloudflare Source

## Update Cloudflare Source Subnet

**patch** `/accounts/{account_id}/zerotrust/subnets/cloudflare_source/{address_family}`

Updates the Cloudflare Source subnet of the given address family.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `address_family: "v4" or "v6"` IP address family, either `v4` (IPv4) or `v6` (IPv6)
  - `"v4"`
  - `"v6"`

### Body Parameters

- `comment: optional string` An optional description of the subnet.
- `name: optional string` A user-friendly name for the subnet.
- `network: optional string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation.
### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: Subnet`
  - `id: optional string` The UUID of the subnet.
  - `comment: optional string` An optional description of the subnet.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `is_default_network: optional boolean` If `true`, this is the default subnet for the account. There can only be one default subnet per account.
  - `name: optional string` A user-friendly name for the subnet.
  - `network: optional string` The private IPv4 or IPv6 range defining the subnet, in CIDR notation.
  - `subnet_type: optional "cloudflare_source" or "warp"` The type of subnet.
    - `"cloudflare_source"`
    - `"warp"`
- `success: true` Whether the API call was successful
  - `true`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/subnets/cloudflare_source/$ADDRESS_FAMILY \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "comment": "example comment",
    "name": "IPv4 Cloudflare Source IPs",
    "network": "100.64.0.0/12"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": {
    "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
    "comment": "example comment",
    "created_at": "2021-01-25T18:22:34.317854Z",
    "deleted_at": "2009-11-10T23:00:00.000000Z",
    "is_default_network": true,
    "name": "IPv4 Cloudflare Source IPs",
    "network": "100.64.0.0/12",
    "subnet_type": "cloudflare_source"
  },
  "success": true
}
```

# Hostname Routes

## List hostname routes

**get** `/accounts/{account_id}/zerotrust/routes/hostname`

Lists and filters hostname routes in an account.

### Path Parameters

- `account_id: string` Cloudflare account ID

### Query Parameters

- `id: optional string` The hostname route ID.
- `comment: optional string` If set, only list hostname routes with the given comment.
- `existed_at: optional string` If provided, include only resources that were created (and not deleted) before this time. URL encoded.
- `hostname: optional string` If set, only list hostname routes whose hostname contains the given value as a substring; the filter is case-insensitive.
- `is_deleted: optional boolean` If `true`, only return deleted hostname routes. If `false`, exclude deleted hostname routes.
- `page: optional number` Page number of paginated results.
- `per_page: optional number` Number of results to display.
- `tunnel_id: optional string` If set, only list hostname routes that point to a specific tunnel.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: array of HostnameRoute`
  - `id: optional string` The hostname route ID.
  - `comment: optional string` An optional description of the hostname route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname: optional string` The hostname of the route.
  - `tunnel_id: optional string` UUID of the tunnel.
  - `tunnel_name: optional string` A user-friendly name for a tunnel.
- `success: true` Whether the API call was successful
  - `true`
- `result_info: optional { count, page, per_page, total_count }`
  - `count: optional number` Total number of results for the requested service
  - `page: optional number` Current page within paginated list of results
  - `per_page: optional number` Number of results per page of results
  - `total_count: optional number` Total results available without any search parameters

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/routes/hostname \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "result": [
    {
      "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "comment": "example comment",
      "created_at": "2021-01-25T18:22:34.317854Z",
      "deleted_at": "2009-11-10T23:00:00.000000Z",
      "hostname": "office-1.local",
      "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415",
      "tunnel_name": "api-tunnel"
    }
  ],
  "success": true,
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000
  }
}
```

## Get hostname route

**get** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}`

Get a hostname route.

### Path Parameters

- `account_id: string` Cloudflare account ID
- `hostname_route_id: string` The hostname route ID.

### Returns

- `errors: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of ResponseInfo`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
- `result: HostnameRoute`
  - `id: optional string` The hostname route ID.
  - `comment: optional string` An optional description of the hostname route.
  - `created_at: optional string` Timestamp of when the resource was created.
  - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted.
  - `hostname: optional string` The hostname of the route.
  - `tunnel_id: optional string` UUID of the tunnel.
  - `tunnel_name: optional string` A user-friendly name for a tunnel.
- `success: true` Whether the API call was successful - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/routes/hostname/$HOSTNAME_ROUTE_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "hostname": "office-1.local", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "tunnel_name": "api-tunnel" }, "success": true } ``` ## Create hostname route **post** `/accounts/{account_id}/zerotrust/routes/hostname` Create a hostname route. ### Path Parameters - `account_id: string` Cloudflare account ID ### Body Parameters - `comment: optional string` An optional description of the hostname route. - `hostname: optional string` The hostname of the route. - `tunnel_id: optional string` UUID of the tunnel. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: HostnameRoute` - `id: optional string` The hostname route ID. - `comment: optional string` An optional description of the hostname route. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `hostname: optional string` The hostname of the route. 
- `tunnel_id: optional string` UUID of the tunnel. - `tunnel_name: optional string` A user-friendly name for a tunnel. - `success: true` Whether the API call was successful - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/routes/hostname \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "comment": "example comment", "hostname": "office-1.local", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "hostname": "office-1.local", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "tunnel_name": "api-tunnel" }, "success": true } ``` ## Update hostname route **patch** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}` Updates a hostname route. ### Path Parameters - `account_id: string` Cloudflare account ID - `hostname_route_id: string` The hostname route ID. ### Body Parameters - `comment: optional string` An optional description of the hostname route. - `hostname: optional string` The hostname of the route. - `tunnel_id: optional string` UUID of the tunnel. ### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: HostnameRoute` - `id: optional string` The hostname route ID. 
- `comment: optional string` An optional description of the hostname route. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `hostname: optional string` The hostname of the route. - `tunnel_id: optional string` UUID of the tunnel. - `tunnel_name: optional string` A user-friendly name for a tunnel. - `success: true` Whether the API call was successful - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/routes/hostname/$HOSTNAME_ROUTE_ID \ -X PATCH \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "comment": "example comment", "hostname": "office-1.local", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415" }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "hostname": "office-1.local", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "tunnel_name": "api-tunnel" }, "success": true } ``` ## Delete hostname route **delete** `/accounts/{account_id}/zerotrust/routes/hostname/{hostname_route_id}` Delete a hostname route. ### Path Parameters - `account_id: string` Cloudflare account ID - `hostname_route_id: string` The hostname route ID. 
### Returns - `errors: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of ResponseInfo` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `result: HostnameRoute` - `id: optional string` The hostname route ID. - `comment: optional string` An optional description of the hostname route. - `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `hostname: optional string` The hostname of the route. - `tunnel_id: optional string` UUID of the tunnel. - `tunnel_name: optional string` A user-friendly name for a tunnel. - `success: true` Whether the API call was successful - `true` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zerotrust/routes/hostname/$HOSTNAME_ROUTE_ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "result": { "id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "comment": "example comment", "created_at": "2021-01-25T18:22:34.317854Z", "deleted_at": "2009-11-10T23:00:00.000000Z", "hostname": "office-1.local", "tunnel_id": "f70ff985-a4ef-4643-bbbc-4a0ed4fc8415", "tunnel_name": "api-tunnel" }, "success": true } ``` ## Domain Types ### Hostname Route - `HostnameRoute { id, comment, created_at, 4 more }` - `id: optional string` The hostname route ID. - `comment: optional string` An optional description of the hostname route. 
- `created_at: optional string` Timestamp of when the resource was created. - `deleted_at: optional string` Timestamp of when the resource was deleted. If `null`, the resource has not been deleted. - `hostname: optional string` The hostname of the route. - `tunnel_id: optional string` UUID of the tunnel. - `tunnel_name: optional string` A user-friendly name for a tunnel. # Risk Scoring ## Get risk event/score information for a specific user **get** `/accounts/{account_id}/zt_risk_scoring/{user_id}` Retrieves the detailed risk score breakdown for a specific user, including contributing factors. ### Path Parameters - `account_id: string` - `user_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { email, events, name, 2 more }` - `email: string` - `events: array of { id, name, risk_level, 2 more }` - `id: string` - `name: string` - `risk_level: "low" or "medium" or "high"` - `"low"` - `"medium"` - `"high"` - `timestamp: string` - `event_details: optional unknown` - `name: string` - `last_reset_time: optional string` - `risk_level: optional "low" or "medium" or "high"` - `"low"` - `"medium"` - `"high"` - `result_info: optional { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. 
- `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zt_risk_scoring/$USER_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "email": "email", "events": [ { "id": "id", "name": "name", "risk_level": "low", "timestamp": "2019-12-27T18:11:19.117Z", "event_details": {} } ], "name": "name", "last_reset_time": "2019-12-27T18:11:19.117Z", "risk_level": "low" }, "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Clear the risk score for a particular user **post** `/accounts/{account_id}/zt_risk_scoring/{user_id}/reset` Resets risk scores for specified users, clearing their accumulated risk history. ### Path Parameters - `account_id: string` - `user_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional unknown` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zt_risk_scoring/$USER_ID/reset \ -X POST \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": {} } ``` ## Domain Types ### Risk Scoring Get Response - `RiskScoringGetResponse { email, events, name, 2 more }` - `email: string` - `events: array of { id, name, risk_level, 2 more }` - `id: string` - `name: string` - `risk_level: "low" or "medium" or "high"` - `"low"` - `"medium"` - `"high"` - `timestamp: string` - `event_details: optional unknown` - `name: string` - `last_reset_time: optional string` - `risk_level: optional "low" or "medium" or "high"` - `"low"` - `"medium"` - `"high"` ### Risk Scoring Reset Response - `RiskScoringResetResponse = unknown` # Behaviours ## Get all behaviors and associated configuration **get** `/accounts/{account_id}/zt_risk_scoring/behaviors` Retrieves configured risk score behaviors that define how user actions affect their overall risk score. ### Path Parameters - `account_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional { behaviors }` - `behaviors: map[ { description, enabled, name, risk_level } ]` - `description: string` - `enabled: boolean` - `name: string` - `risk_level: "low" or "medium" or "high"` - `"low"` - `"medium"` - `"high"` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zt_risk_scoring/behaviors \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "behaviors": { "foo": { "description": "description", "enabled": true, "name": "name", "risk_level": "low" } } } } ``` ## Update configuration for risk behaviors **put** `/accounts/{account_id}/zt_risk_scoring/behaviors` Updates risk score behavior configurations, defining weights and thresholds for risk calculation. ### Path Parameters - `account_id: string` ### Body Parameters - `behaviors: map[ { enabled, risk_level } ]` - `enabled: boolean` - `risk_level: "low" or "medium" or "high"` - `"low"` - `"medium"` - `"high"` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional { behaviors }` - `behaviors: map[ { enabled, risk_level } ]` - `enabled: boolean` - `risk_level: "low" or "medium" or "high"` - `"low"` - `"medium"` - `"high"` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zt_risk_scoring/behaviors \ -X PUT \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{ "behaviors": { "foo": { "enabled": true, "risk_level": "low" } } }' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "behaviors": { "foo": { "enabled": true, "risk_level": "low" } } } } ``` ## Domain Types ### Behaviour Get Response - `BehaviourGetResponse { behaviors }` - `behaviors: map[ { description, enabled, name, risk_level } ]` - `description: string` - `enabled: boolean` - `name: string` - `risk_level: "low" or "medium" or "high"` - `"low"` - `"medium"` - `"high"` ### Behaviour Update Response - `BehaviourUpdateResponse { behaviors }` - `behaviors: map[ { enabled, risk_level } ]` - `enabled: boolean` - `risk_level: "low" or "medium" or "high"` - `"low"` - `"medium"` - `"high"` # Summary ## Get risk score info for all users in the account **get** `/accounts/{account_id}/zt_risk_scoring/summary` Gets an aggregate summary of risk scores across the account, including distribution and trends. 
### Path Parameters - `account_id: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { users }` - `users: array of { email, event_count, last_event, 3 more }` - `email: string` - `event_count: number` - `last_event: string` - `max_risk_level: "low" or "medium" or "high"` - `"low"` - `"medium"` - `"high"` - `name: string` - `user_id: string` - `result_info: optional { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. 
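The list-hostname-routes response earlier on this page and the risk-score summary response above share the same envelope (`success`, `errors`, `result`, `result_info`), so one added example serves both: a small Python helper, not part of this reference or of Cloudflare's SDKs, that unwraps the envelope, pages through results using `result_info.total_count`, flags live hostname routes whose `tunnel_id` is outside an approved set, and lists users whose `max_risk_level` is at or above a threshold. The sample envelopes, the route, tunnel and user identifiers, and the approved-tunnel set are constructed placeholders.

```python
"""Added example (not part of the Cloudflare API reference): walk the paginated v4
envelope used by GET /zerotrust/routes/hostname and GET /zt_risk_scoring/summary
and apply two defender-side checks to what comes back."""
from typing import Any, Callable, Dict, Iterable, Iterator, List

Envelope = Dict[str, Any]


class CloudflareAPIError(RuntimeError):
    """Raised when an envelope reports success=false; the argument is its `errors` list."""


def unwrap(envelope: Envelope) -> Any:
    """Return `result` from an envelope, or raise with the `errors` array."""
    if not envelope.get("success"):
        raise CloudflareAPIError(envelope.get("errors", []))
    return envelope.get("result")


def iter_pages(fetch: Callable[[int], Envelope],
               items_of: Callable[[Any], Iterable[Any]] = lambda result: result) -> Iterator[Any]:
    """Yield items from page 1, 2, ... until result_info.total_count is reached.
    `fetch(page)` performs the request; `items_of` picks the list out of `result`
    (the summary endpoint nests it under result["users"])."""
    page, seen = 1, 0
    while True:
        env = fetch(page)
        result = unwrap(env)
        items = list(items_of(result)) if result is not None else []
        yield from items
        seen += len(items)
        total = (env.get("result_info") or {}).get("total_count")
        if not items or total is None or seen >= total:
            return  # empty page or no pagination info: stop rather than loop forever
        page += 1


def routes_off_approved_tunnels(routes: Iterable[Dict[str, Any]],
                                approved: Iterable[str]) -> List[Dict[str, Any]]:
    """Live hostname routes (deleted_at null) whose tunnel_id is not on the allow-list."""
    ok = set(approved)
    return [r for r in routes if r.get("deleted_at") is None and r.get("tunnel_id") not in ok]


_LEVEL = {"low": 0, "medium": 1, "high": 2}


def users_at_or_above(users: Iterable[Dict[str, Any]], level: str) -> List[Dict[str, Any]]:
    """Summary entries whose max_risk_level is `level` or higher."""
    floor = _LEVEL[level]
    return [u for u in users if _LEVEL.get(u.get("max_risk_level"), -1) >= floor]


# Constructed sample envelopes keyed by page number (placeholder IDs, not real data).
ROUTE_PAGES: Dict[int, Envelope] = {
    1: {"success": True, "errors": [], "messages": [],
        "result": [
            {"id": "route-1", "hostname": "office-1.local", "tunnel_id": "tunnel-approved",
             "tunnel_name": "api-tunnel", "deleted_at": None},
            {"id": "route-2", "hostname": "git.internal", "tunnel_id": "tunnel-unknown",
             "tunnel_name": "laptop", "deleted_at": None},
        ],
        "result_info": {"count": 2, "page": 1, "per_page": 2, "total_count": 3}},
    2: {"success": True, "errors": [], "messages": [],
        "result": [
            {"id": "route-3", "hostname": "old.internal", "tunnel_id": "tunnel-unknown",
             "tunnel_name": "laptop", "deleted_at": "2009-11-10T23:00:00.000000Z"},
        ],
        "result_info": {"count": 1, "page": 2, "per_page": 2, "total_count": 3}},
}
SUMMARY_PAGES: Dict[int, Envelope] = {
    1: {"success": True, "errors": [], "messages": [],
        "result": {"users": [
            {"email": "a@example.com", "event_count": 4, "last_event": "2019-12-27T18:11:19.117Z",
             "max_risk_level": "high", "name": "A", "user_id": "user-a"},
            {"email": "b@example.com", "event_count": 1, "last_event": "2019-12-27T18:11:19.117Z",
             "max_risk_level": "low", "name": "B", "user_id": "user-b"},
        ]},
        "result_info": {"count": 2, "page": 1, "per_page": 20, "total_count": 2, "total_pages": 1}},
}
FAILED_ENVELOPE: Envelope = {"success": False, "result": None, "messages": [],
                             "errors": [{"code": 1000, "message": "message"}]}


def flagged_routes(pages: Dict[int, Envelope] = ROUTE_PAGES,
                   approved: Iterable[str] = ("tunnel-approved",)) -> List[str]:
    """Hostnames routed to a tunnel outside `approved` (a constructed allow-list)."""
    routes = iter_pages(lambda p: pages[p])
    return [r["hostname"] for r in routes_off_approved_tunnels(routes, approved)]


def flagged_users(pages: Dict[int, Envelope] = SUMMARY_PAGES, level: str = "medium") -> List[str]:
    """Emails of users whose max_risk_level is at or above `level`."""
    users = iter_pages(lambda p: pages[p], items_of=lambda r: r["users"])
    return [u["email"] for u in users_at_or_above(users, level)]


if __name__ == "__main__":
    print("routes on unapproved tunnels:", flagged_routes())
    print("users at medium risk or above:", flagged_users())
```

Against the live API, `fetch` would issue the GET with `?page=N` and return the parsed JSON; the deleted route on page 2 is skipped because `deleted_at` is set, and a `success: false` envelope raises instead of yielding nothing.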
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zt_risk_scoring/summary \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "users": [
      {
        "email": "email",
        "event_count": 0,
        "last_event": "2019-12-27T18:11:19.117Z",
        "max_risk_level": "low",
        "name": "name",
        "user_id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
      }
    ]
  },
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Summary Get Response

- `SummaryGetResponse { users }`
  - `users: array of { email, event_count, last_event, 3 more }`
    - `email: string`
    - `event_count: number`
    - `last_event: string`
    - `max_risk_level: "low" or "medium" or "high"`
      - `"low"`
      - `"medium"`
      - `"high"`
    - `name: string`
    - `user_id: string`

# Integrations

## List all risk score integrations for the account.

**get** `/accounts/{account_id}/zt_risk_scoring/integrations`

Lists all configured Zero Trust risk score integrations for the account.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, account_tag, active, 5 more }`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zt_risk_scoring/integrations \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "account_tag": "account_tag",
      "active": true,
      "created_at": "2019-12-27T18:11:19.117Z",
      "integration_type": "Okta",
      "reference_id": "reference_id",
      "tenant_url": "tenant_url",
      "well_known_url": "well_known_url"
    }
  ]
}
```

## Get risk score integration by id.

**get** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Get risk score integration by id.

### Path Parameters

- `account_id: string`
- `integration_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, account_tag, active, 5 more }`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zt_risk_scoring/integrations/$INTEGRATION_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Create new risk score integration.

**post** `/accounts/{account_id}/zt_risk_scoring/integrations`

Creates a new Zero Trust risk score integration, connecting external risk signals to Cloudflare's risk scoring system.

### Path Parameters

- `account_id: string`

### Body Parameters

- `integration_type: "Okta"`
  - `"Okta"`
- `tenant_url: string` The base url of the tenant, e.g. "https://tenant.okta.com".
- `reference_id: optional string` A reference id that can be supplied by the client. Currently this should be set to the Access-Okta IDP ID (a UUIDv4). https://developers.cloudflare.com/api/operations/access-identity-providers-get-an-access-identity-provider

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, account_tag, active, 5 more }`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zt_risk_scoring/integrations \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "integration_type": "Okta",
    "tenant_url": "https://example.com"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Update a risk score integration.

**put** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Overwrite the reference_id, tenant_url, and active values with the ones provided.

### Path Parameters

- `account_id: string`
- `integration_id: string`

### Body Parameters

- `active: boolean` Whether this integration is enabled. If disabled, no risk changes will be exported to the third-party.
- `tenant_url: string` The base url of the tenant, e.g. "https://tenant.okta.com".
- `reference_id: optional string` A reference id that can be supplied by the client. Currently this should be set to the Access-Okta IDP ID (a UUIDv4). https://developers.cloudflare.com/api/operations/access-identity-providers-get-an-access-identity-provider

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, account_tag, active, 5 more }`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.
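Because this PUT overwrites `reference_id`, `tenant_url` and `active` with exactly what is sent, and `reference_id` is optional in the body, a request that only toggles `active` drops the Access-Okta IDP link unless the current value is carried over. The following added Python helper (not part of this reference or of Cloudflare's SDKs) merges the current integration record with the requested changes before sending; the sample record, the UUIDv4 placeholder used as `reference_id`, and the rule that `tenant_url` must be an https base URL without a path are assumptions, not documented server-side validation.

```python
"""Added example (not part of the Cloudflare API reference): build a safe body for
PUT /accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}.
The PUT overwrites reference_id, tenant_url and active with the values sent, so
fields that are not being changed are carried over from the current record."""
from typing import Any, Dict, Optional
from urllib.parse import urlsplit
import uuid

_KEEP = object()  # sentinel meaning "keep the current value"


def check_tenant_url(url: str) -> str:
    """Normalise a tenant base URL. Assumption (not a documented server rule): it must
    be https with a host and no path, query or fragment, like https://tenant.okta.com."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"tenant_url must be an https base URL: {url!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError(f"tenant_url must not carry a path or query: {url!r}")
    return f"https://{parts.netloc}"


def check_reference_id(ref: Optional[str]) -> Optional[str]:
    """reference_id, when present, should be the Access-Okta IDP ID, a UUIDv4."""
    if ref is None:
        return None
    parsed = uuid.UUID(ref)  # raises ValueError on malformed input
    if parsed.version != 4:
        raise ValueError(f"reference_id is not a UUIDv4: {ref!r}")
    return str(parsed)


def build_update_body(current: Dict[str, Any], *, active: Optional[bool] = None,
                      tenant_url: Optional[str] = None,
                      reference_id: Any = _KEEP) -> Dict[str, Any]:
    """Merge the integration as returned by GET (`current`) with the requested changes.
    Pass reference_id=None explicitly to clear the link; omitting it keeps the current value."""
    body: Dict[str, Any] = {
        "active": current["active"] if active is None else bool(active),
        "tenant_url": check_tenant_url(
            current["tenant_url"] if tenant_url is None else tenant_url),
    }
    ref = current.get("reference_id") if reference_id is _KEEP else reference_id
    ref = check_reference_id(ref)
    if ref is not None:
        body["reference_id"] = ref
    return body


# Constructed sample of a GET response's `result` (placeholder values, not real data).
CURRENT_INTEGRATION: Dict[str, Any] = {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": True,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "d3b07384-d9a0-4c1b-9c2e-2f1a5b6c7d8e",  # constructed UUIDv4 placeholder
    "tenant_url": "https://tenant.okta.com",
    "well_known_url": "well_known_url",
}

if __name__ == "__main__":
    # Pause exports while keeping the IDP link intact.
    print(build_update_body(CURRENT_INTEGRATION, active=False))
```

The body is then sent with `-X PUT` exactly as in the example below; a GET of the same integration afterwards should still show the original `reference_id`.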
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zt_risk_scoring/integrations/$INTEGRATION_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "active": true,
    "tenant_url": "https://example.com"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "account_tag": "account_tag",
    "active": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "integration_type": "Okta",
    "reference_id": "reference_id",
    "tenant_url": "tenant_url",
    "well_known_url": "well_known_url"
  }
}
```

## Delete a risk score integration.

**delete** `/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}`

Removes a Zero Trust risk score integration, disconnecting the external risk signal source.

### Path Parameters

- `account_id: string`
- `integration_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zt_risk_scoring/integrations/$INTEGRATION_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Integration List Response

- `IntegrationListResponse { id, account_tag, active, 5 more }`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Integration Get Response

- `IntegrationGetResponse { id, account_tag, active, 5 more }`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Integration Create Response

- `IntegrationCreateResponse { id, account_tag, active, 5 more }`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Integration Update Response

- `IntegrationUpdateResponse { id, account_tag, active, 5 more }`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
  - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

### Integration Delete Response

- `IntegrationDeleteResponse = unknown`

# References

## Get risk score integration by reference id.

**get** `/accounts/{account_id}/zt_risk_scoring/integrations/reference_id/{reference_id}`

Retrieves a Zero Trust risk score integration using its external reference ID.

### Path Parameters

- `account_id: string`
- `reference_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, account_tag, active, 5 more }`
  - `id: string` The id of the integration, a UUIDv4.
  - `account_tag: string` The Cloudflare account tag.
  - `active: boolean` Whether this integration is enabled and should export changes in risk score.
  - `created_at: string` When the integration was created in RFC3339 format.
  - `integration_type: "Okta"`
    - `"Okta"`
  - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.
  - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com".
- `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/zt_risk_scoring/integrations/reference_id/$REFERENCE_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e", "account_tag": "account_tag", "active": true, "created_at": "2019-12-27T18:11:19.117Z", "integration_type": "Okta", "reference_id": "reference_id", "tenant_url": "tenant_url", "well_known_url": "well_known_url" } } ``` ## Domain Types ### Reference Get Response - `ReferenceGetResponse { id, account_tag, active, 5 more }` - `id: string` The id of the integration, a UUIDv4. - `account_tag: string` The Cloudflare account tag. - `active: boolean` Whether this integration is enabled and should export changes in risk score. - `created_at: string` When the integration was created in RFC3339 format. - `integration_type: "Okta"` - `"Okta"` - `reference_id: string` A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID. - `tenant_url: string` The base URL for the tenant. E.g. "https://tenant.okta.com". - `well_known_url: string` The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.
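The following is an added example, not Cloudflare's SDK or any code from this reference, showing how a caller would drive the two endpoints above (lookup by `reference_id`, then delete by integration UUID) while honouring the response envelope contract: `success` must be `true` and `errors` empty before `result` is trusted. Names such as `RiskScoringClient`, `offline_transport` and `SAMPLE_ENVELOPE` are hypothetical; the base URL `https://api.cloudflare.com/client/v4` and the paths are taken from the curl examples on this page. The sample envelope is constructed to match the shape of the documented response, with the page's placeholder strings (`"tenant_url"`, `"reference_id"`) replaced by plausible values so the record passes validation. Because `reference_id` is client-defined text that becomes a path segment, the client percent-encodes every segment before building the URL.

```python
"""Added example (not Cloudflare's SDK): a small client for the risk score
integration endpoints above. The transport is injectable so the module runs
offline against a constructed envelope; the default transport uses urllib."""
import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Any, Callable, Dict, List
from urllib.parse import quote, urlparse

API_BASE = "https://api.cloudflare.com/client/v4"  # from the page's curl examples
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Transport signature (hypothetical): (method, url, bearer_token) -> decoded JSON envelope.
Transport = Callable[[str, str, str], Dict[str, Any]]


class CloudflareAPIError(Exception):
    """Raised when the envelope reports success=false or carries errors."""

    def __init__(self, errors: List[Dict[str, Any]]):
        self.errors = errors
        detail = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in errors)
        super().__init__(detail or "API call failed without error detail")


@dataclass(frozen=True)
class Integration:
    """The eight documented fields of an integration record."""
    id: str
    account_tag: str
    active: bool
    created_at: str
    integration_type: str
    reference_id: str
    tenant_url: str
    well_known_url: str


def unwrap(envelope: Dict[str, Any]) -> Any:
    """Apply the envelope contract: require success=true and an empty errors array."""
    if envelope.get("success") is not True or envelope.get("errors"):
        raise CloudflareAPIError(list(envelope.get("errors") or []))
    return envelope.get("result")


def parse_integration(result: Dict[str, Any]) -> Integration:
    """Validate a returned record before it drives any policy or routing decision."""
    fields = Integration.__dataclass_fields__
    missing = [f for f in fields if f not in result]
    if missing:
        raise ValueError(f"integration record missing fields: {missing}")
    if not UUID_RE.match(result["id"]):
        raise ValueError(f"integration id is not a UUID: {result['id']!r}")
    if result["integration_type"] != "Okta":  # the only value the schema allows
        raise ValueError(f"unexpected integration_type {result['integration_type']!r}")
    if urlparse(result["tenant_url"]).scheme != "https":
        raise ValueError("tenant_url must be an https base URL")
    return Integration(**{f: result[f] for f in fields})


def urllib_transport(method: str, url: str, token: str) -> Dict[str, Any]:
    """Default transport: a real HTTPS call with a bearer token and a 30 s timeout."""
    req = urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class RiskScoringClient:
    def __init__(self, account_id: str, token: str, transport: Transport = urllib_transport):
        self.account_id = account_id
        self.token = token
        self.transport = transport

    def _url(self, *segments: str) -> str:
        # Percent-encode every path segment: reference_id is client-defined text and
        # must not be able to add or traverse path components.
        path = "/".join(quote(s, safe="") for s in segments)
        return f"{API_BASE}/accounts/{quote(self.account_id, safe='')}/zt_risk_scoring/integrations/{path}"

    def get_by_reference_id(self, reference_id: str) -> Integration:
        envelope = self.transport("GET", self._url("reference_id", reference_id), self.token)
        return parse_integration(unwrap(envelope))

    def delete(self, integration_id: str) -> None:
        # The delete route takes the integration UUID, not the client-defined reference_id.
        if not UUID_RE.match(integration_id):
            raise ValueError("integration_id must be the integration UUID, not a reference_id")
        unwrap(self.transport("DELETE", self._url(integration_id), self.token))


# Constructed envelope shaped like the page's sample response; placeholder strings are
# replaced with plausible values so the record passes validation.
SAMPLE_ENVELOPE: Dict[str, Any] = {
    "errors": [], "messages": [], "success": True,
    "result": {
        "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
        "account_tag": "example-account-tag",
        "active": True,
        "created_at": "2019-12-27T18:11:19.117Z",
        "integration_type": "Okta",
        "reference_id": "example-okta-idp-id",
        "tenant_url": "https://tenant.okta.com",
        "well_known_url": "/.well-known/sse-configuration/182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e/",
    },
}


def offline_transport(method: str, url: str, token: str) -> Dict[str, Any]:
    """Stand-in transport (hypothetical) for running without network access."""
    if method == "DELETE":
        return {"errors": [], "messages": [], "success": True, "result": {}}
    return SAMPLE_ENVELOPE


if __name__ == "__main__":
    client = RiskScoringClient("example-account-id", "example-token", transport=offline_transport)
    integration = client.get_by_reference_id("example-okta-idp-id")
    print(integration)
    client.delete(integration.id)
```

Swap `offline_transport` for the default `urllib_transport` and real account and token values to run against the API. `unwrap` treats a non-empty `errors` array as failure even when `success` is `true`, which is the conservative reading of the envelope; relax that only if a specific endpoint is known to return advisory errors alongside a usable result.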