# Access

# AI Controls

# Mcp

# Portals

## List MCP Portals

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Lists all MCP portals configured for the account.

### Path Parameters

- `account_id: string`

### Query Parameters

- `page: optional number`
- `per_page: optional number`
- `search: optional string` Search by id, name, hostname

### Returns

- `result: array of { id, hostname, name, 8 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: array of { id, auth_type, hostname, 16 more }`
    - `id: string` server id
    - `auth_type: "oauth" or "bearer" or "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: array of map[unknown]`
    - `tools: array of map[unknown]`
    - `updated_prompts: array of map[number or string]`
      - `number`
      - `string`
    - `updated_tools: array of map[number or string]`
      - `number`
      - `string`
    - `created_at: optional string`
    - `created_by: optional string`
    - `default_disabled: optional boolean`
    - `description: optional string`
    - `error: optional string`
    - `last_successful_sync: optional string`
    - `last_synced: optional string`
    - `modified_at: optional string`
    - `modified_by: optional string`
    - `on_behalf: optional boolean`
    - `status: optional string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-portal",
      "hostname": "example.com",
      "name": "My MCP Portal",
      "servers": [
        {
          "id": "my-mcp-server",
          "auth_type": "unauthenticated",
          "hostname": "https://example.com/mcp",
          "name": "My MCP Server",
          "prompts": [{ "foo": "bar" }],
          "tools": [{ "foo": "bar" }],
          "updated_prompts": [{ "foo": 0 }],
          "updated_tools": [{ "foo": 0 }],
          "created_at": "2019-12-27T18:11:19.117Z",
          "created_by": "created_by",
          "default_disabled": true,
          "description": "This is one remote mcp server",
          "error": "error",
          "last_successful_sync": "2019-12-27T18:11:19.117Z",
          "last_synced": "2019-12-27T18:11:19.117Z",
          "modified_at": "2019-12-27T18:11:19.117Z",
          "modified_by": "modified_by",
          "on_behalf": true,
          "status": "status"
        }
      ],
      "allow_code_mode": true,
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is my custom MCP Portal",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "secure_web_gateway": false
    }
  ],
  "success": true
}
```

## Create a new MCP Portal

**post** `/accounts/{account_id}/access/ai-controls/mcp/portals`

Creates a new MCP portal for managing AI tool access through Cloudflare Access.
### Path Parameters

- `account_id: string`

### Body Parameters

- `id: string` portal id
- `hostname: string`
- `name: string`
- `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
- `description: optional string`
- `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `servers: optional array of { server_id, default_disabled, on_behalf, 2 more }`
  - `server_id: string` server id
  - `default_disabled: optional boolean`
  - `on_behalf: optional boolean`
  - `updated_prompts: optional array of { name, alias, description, enabled }`
    - `name: string`
    - `alias: optional string`
    - `description: optional string`
    - `enabled: optional boolean`
  - `updated_tools: optional array of { name, alias, description, enabled }`
    - `name: string`
    - `alias: optional string`
    - `description: optional string`
    - `enabled: optional boolean`

### Returns

- `result: { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "description": "This is my custom MCP Portal"
  }'
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Read details of an MCP Portal

**get** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Reads the details of an MCP portal.

### Path Parameters

- `account_id: string`
- `id: string` portal id

### Returns

- `result: { id, hostname, name, 8 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: array of { id, auth_type, hostname, 16 more }`
    - `id: string` server id
    - `auth_type: "oauth" or "bearer" or "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: array of map[unknown]`
    - `tools: array of map[unknown]`
    - `updated_prompts: array of map[number or string]`
      - `number`
      - `string`
    - `updated_tools: array of map[number or string]`
      - `number`
      - `string`
    - `created_at: optional string`
    - `created_by: optional string`
    - `default_disabled: optional boolean`
    - `description: optional string`
    - `error: optional string`
    - `last_successful_sync: optional string`
    - `last_synced: optional string`
    - `modified_at: optional string`
    - `modified_by: optional string`
    - `on_behalf: optional boolean`
    - `status: optional string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals/$ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "servers": [
      {
        "id": "my-mcp-server",
        "auth_type": "unauthenticated",
        "hostname": "https://example.com/mcp",
        "name": "My MCP Server",
        "prompts": [{ "foo": "bar" }],
        "tools": [{ "foo": "bar" }],
        "updated_prompts": [{ "foo": 0 }],
        "updated_tools": [{ "foo": 0 }],
        "created_at": "2019-12-27T18:11:19.117Z",
        "created_by": "created_by",
        "default_disabled": true,
        "description": "This is one remote mcp server",
        "error": "error",
        "last_successful_sync": "2019-12-27T18:11:19.117Z",
        "last_synced": "2019-12-27T18:11:19.117Z",
        "modified_at": "2019-12-27T18:11:19.117Z",
        "modified_by": "modified_by",
        "on_behalf": true,
        "status": "status"
      }
    ],
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Update an MCP Portal

**put** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Updates an MCP portal configuration.

### Path Parameters

- `account_id: string`
- `id: string` portal id

### Body Parameters

- `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
- `description: optional string`
- `hostname: optional string`
- `name: optional string`
- `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `servers: optional array of { server_id, default_disabled, on_behalf, 2 more }`
  - `server_id: string` server id
  - `default_disabled: optional boolean`
  - `on_behalf: optional boolean`
  - `updated_prompts: optional array of { name, alias, description, enabled }`
    - `name: string`
    - `alias: optional string`
    - `description: optional string`
    - `enabled: optional boolean`
  - `updated_tools: optional array of { name, alias, description, enabled }`
    - `name: string`
    - `alias: optional string`
    - `description: optional string`
    - `enabled: optional boolean`

### Returns

- `result: { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals/$ID \
  -X PUT \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Delete an MCP Portal

**delete** `/accounts/{account_id}/access/ai-controls/mcp/portals/{id}`

Deletes an MCP portal from the account.
### Path Parameters

- `account_id: string`
- `id: string` portal id

### Returns

- `result: { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/portals/$ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-portal",
    "hostname": "example.com",
    "name": "My MCP Portal",
    "allow_code_mode": true,
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is my custom MCP Portal",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "secure_web_gateway": false
  },
  "success": true
}
```

## Domain Types

### Portal List Response

- `PortalListResponse { id, hostname, name, 8 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: array of { id, auth_type, hostname, 16 more }`
    - `id: string` server id
    - `auth_type: "oauth" or "bearer" or "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: array of map[unknown]`
    - `tools: array of map[unknown]`
    - `updated_prompts: array of map[number or string]`
      - `number`
      - `string`
    - `updated_tools: array of map[number or string]`
      - `number`
      - `string`
    - `created_at: optional string`
    - `created_by: optional string`
    - `default_disabled: optional boolean`
    - `description: optional string`
    - `error: optional string`
    - `last_successful_sync: optional string`
    - `last_synced: optional string`
    - `modified_at: optional string`
    - `modified_by: optional string`
    - `on_behalf: optional boolean`
    - `status: optional string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Create Response

- `PortalCreateResponse { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Read Response

- `PortalReadResponse { id, hostname, name, 8 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `servers: array of { id, auth_type, hostname, 16 more }`
    - `id: string` server id
    - `auth_type: "oauth" or "bearer" or "unauthenticated"`
      - `"oauth"`
      - `"bearer"`
      - `"unauthenticated"`
    - `hostname: string`
    - `name: string`
    - `prompts: array of map[unknown]`
    - `tools: array of map[unknown]`
    - `updated_prompts: array of map[number or string]`
      - `number`
      - `string`
    - `updated_tools: array of map[number or string]`
      - `number`
      - `string`
    - `created_at: optional string`
    - `created_by: optional string`
    - `default_disabled: optional boolean`
    - `description: optional string`
    - `error: optional string`
    - `last_successful_sync: optional string`
    - `last_synced: optional string`
    - `modified_at: optional string`
    - `modified_by: optional string`
    - `on_behalf: optional boolean`
    - `status: optional string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Update Response

- `PortalUpdateResponse { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

### Portal Delete Response

- `PortalDeleteResponse { id, hostname, name, 7 more }`
  - `id: string` portal id
  - `hostname: string`
  - `name: string`
  - `allow_code_mode: optional boolean` Allow remote code execution in Dynamic Workers (beta)
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `secure_web_gateway: optional boolean` Route outbound MCP traffic through Zero Trust Secure Web Gateway

# Servers

## List MCP Servers

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Lists all MCP servers configured for the account.
### Path Parameters

- `account_id: string`

### Query Parameters

- `page: optional number`
- `per_page: optional number`
- `search: optional string` Search by id, name

### Returns

- `result: array of { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": [
    {
      "id": "my-mcp-server",
      "auth_type": "unauthenticated",
      "hostname": "https://example.com/mcp",
      "name": "My MCP Server",
      "prompts": [{ "foo": "bar" }],
      "tools": [{ "foo": "bar" }],
      "created_at": "2019-12-27T18:11:19.117Z",
      "created_by": "created_by",
      "description": "This is one remote mcp server",
      "error": "error",
      "last_successful_sync": "2019-12-27T18:11:19.117Z",
      "last_synced": "2019-12-27T18:11:19.117Z",
      "modified_at": "2019-12-27T18:11:19.117Z",
      "modified_by": "modified_by",
      "status": "status"
    }
  ],
  "success": true
}
```

## Create a new MCP Server

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers`

Creates a new MCP server for managing AI tool access through Cloudflare Access.
### Path Parameters

- `account_id: string`

### Body Parameters

- `id: string` server id
- `auth_type: "oauth" or "bearer" or "unauthenticated"`
  - `"oauth"`
  - `"bearer"`
  - `"unauthenticated"`
- `hostname: string`
- `name: string`
- `auth_credentials: optional string`
- `description: optional string`

### Returns

- `result: { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "description": "This is one remote mcp server"
  }'
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Read the details of an MCP Server

**get** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Retrieves the details of an MCP server.

### Path Parameters

- `account_id: string`
- `id: string` server id

### Returns

- `result: { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers/$ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Update an MCP Server

**put** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Updates an MCP server configuration.
### Path Parameters

- `account_id: string`
- `id: string` server id

### Body Parameters

- `auth_credentials: optional string`
- `description: optional string`
- `name: optional string`

### Returns

- `result: { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers/$ID \
  -X PUT \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Delete an MCP Server

**delete** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}`

Deletes an MCP server from the account.
### Path Parameters

- `account_id: string`
- `id: string` server id

### Returns

- `result: { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers/$ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {
    "id": "my-mcp-server",
    "auth_type": "unauthenticated",
    "hostname": "https://example.com/mcp",
    "name": "My MCP Server",
    "prompts": [{ "foo": "bar" }],
    "tools": [{ "foo": "bar" }],
    "created_at": "2019-12-27T18:11:19.117Z",
    "created_by": "created_by",
    "description": "This is one remote mcp server",
    "error": "error",
    "last_successful_sync": "2019-12-27T18:11:19.117Z",
    "last_synced": "2019-12-27T18:11:19.117Z",
    "modified_at": "2019-12-27T18:11:19.117Z",
    "modified_by": "modified_by",
    "status": "status"
  },
  "success": true
}
```

## Sync MCP Server Capabilities

**post** `/accounts/{account_id}/access/ai-controls/mcp/servers/{id}/sync`

Syncs an MCP server's tool catalog with the portal.
### Path Parameters

- `account_id: string`
- `id: string` server id

### Returns

- `result: unknown`
- `success: boolean`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/ai-controls/mcp/servers/$ID/sync \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

## Domain Types

### Server List Response

- `ServerListResponse { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`

### Server Create Response

- `ServerCreateResponse { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`

### Server Read Response

- `ServerReadResponse { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`

### Server Update Response

- `ServerUpdateResponse { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`

### Server Delete Response

- `ServerDeleteResponse { id, auth_type, hostname, 12 more }`
  - `id: string` server id
  - `auth_type: "oauth" or "bearer" or "unauthenticated"`
    - `"oauth"`
    - `"bearer"`
    - `"unauthenticated"`
  - `hostname: string`
  - `name: string`
  - `prompts: array of map[unknown]`
  - `tools: array of map[unknown]`
  - `created_at: optional string`
  - `created_by: optional string`
  - `description: optional string`
  - `error: optional string`
  - `last_successful_sync: optional string`
  - `last_synced: optional string`
  - `modified_at: optional string`
  - `modified_by: optional string`
  - `status: optional string`

### Server Sync Response

- `ServerSyncResponse = unknown`

# Gateway CA

## List SSH Certificate Authorities (CA)

**get** `/accounts/{account_id}/access/gateway_ca`

Lists SSH Certificate Authorities (CA).

### Path Parameters

- `account_id: string` Identifier.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, public_key }`
  - `id: optional string` The key ID of this certificate.
  - `public_key: optional string` The public key of this certificate.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    { "id": "id", "public_key": "public_key" }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Add a new SSH Certificate Authority (CA)

**post** `/accounts/{account_id}/access/gateway_ca`

Adds a new SSH Certificate Authority (CA).

### Path Parameters

- `account_id: string` Identifier.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, public_key }`
  - `id: optional string` The key ID of this certificate.
  - `public_key: optional string` The public key of this certificate.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": { "id": "id", "public_key": "public_key" }
}
```

## Delete an SSH Certificate Authority (CA)

**delete** `/accounts/{account_id}/access/gateway_ca/{certificate_id}`

Deletes an SSH Certificate Authority.

### Path Parameters

- `account_id: string` Identifier.
- `certificate_id: string` UUID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/gateway_ca/$CERTIFICATE_ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Domain Types ### Gateway CA List Response - `GatewayCAListResponse { id, public_key }` - `id: optional string` The key ID of this certificate. - `public_key: optional string` The public key of this certificate. ### Gateway CA Create Response - `GatewayCACreateResponse { id, public_key }` - `id: optional string` The key ID of this certificate. - `public_key: optional string` The public key of this certificate. ### Gateway CA Delete Response - `GatewayCADeleteResponse { id }` - `id: optional string` UUID. # Infrastructure # Targets ## List all targets **get** `/accounts/{account_id}/infrastructure/targets` Lists and sorts an account’s targets. Filters are optional and are ANDed together. ### Path Parameters - `account_id: string` Account identifier ### Query Parameters - `created_after: optional string` Date and time at which the target was created after (inclusive) - `created_before: optional string` Date and time at which the target was created before (inclusive) - `direction: optional "asc" or "desc"` The sorting direction. - `"asc"` - `"desc"` - `hostname: optional string` Hostname of a target - `hostname_contains: optional string` Partial match to the hostname of a target - `ip_like: optional string` Filters for targets whose IP addresses look like the specified string. 
Supports `*` as a wildcard character - `ip_v4: optional string` IPv4 address of the target - `ip_v6: optional string` IPv6 address of the target - `ips: optional array of string` Filters for targets that have any of the following IP addresses. Specify `ips` multiple times in query parameter to build list of candidates. - `ipv4_end: optional string` Defines an IPv4 filter range's ending value (inclusive). Requires `ipv4_start` to be specified as well. - `ipv4_start: optional string` Defines an IPv4 filter range's starting value (inclusive). Requires `ipv4_end` to be specified as well. - `ipv6_end: optional string` Defines an IPv6 filter range's ending value (inclusive). Requires `ipv6_start` to be specified as well. - `ipv6_start: optional string` Defines an IPv6 filter range's starting value (inclusive). Requires `ipv6_end` to be specified as well. - `modified_after: optional string` Date and time at which the target was modified after (inclusive) - `modified_before: optional string` Date and time at which the target was modified before (inclusive) - `order: optional "hostname" or "created_at"` The field to sort by. - `"hostname"` - `"created_at"` - `page: optional number` Current page in the response - `per_page: optional number` Max amount of entries returned per page - `target_ids: optional array of string` Filters for targets that have any of the following UUIDs. Specify `target_ids` multiple times in query parameter to build list of candidates. 
- `virtual_network_id: optional string` Private virtual network identifier of the target ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of { id, created_at, hostname, 2 more }` - `id: string` Target identifier - `created_at: string` Date and time at which the target was created - `hostname: string` A non-unique field that refers to a target - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address - `ip_addr: optional string` IP address of the target - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used. - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address - `ip_addr: optional string` IP address of the target - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used. - `modified_at: string` Date and time at which the target was modified - `result_info: optional { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. 
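As an added example (not Cloudflare's own client code), the Python helpers below enforce, before a request is sent, the constraints this reference states for the targets endpoints: the `ipv4_start`/`ipv4_end` and `ipv6_start`/`ipv6_end` filters must be given in pairs, `ips` and `target_ids` are repeated query parameters, and a target hostname must follow the rule given under Create new target below. The function names, `next_page`, and the sample values are assumptions of this example.

```python
"""Client-side request builders for the Infrastructure Targets endpoints.

Added example; this is not Cloudflare's client code. It rejects a malformed
request locally so it never reaches the API.
"""
import ipaddress
import re
from urllib.parse import urlencode

API_BASE = "https://api.cloudflare.com/client/v4"  # as in the page's curl examples
TARGETS_PATH = "/accounts/{account_id}/infrastructure/targets"

# Hostname rule from the Body Parameters: alphanumerics, dash and period only,
# no spaces, must start and end with an alphanumeric, at most 255 characters.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?")

# Filters the reference says must be specified together.
_RANGE_PAIRS = (("ipv4_start", "ipv4_end"), ("ipv6_start", "ipv6_end"))
_REPEATED = ("ips", "target_ids")  # "Specify ... multiple times in the query string"


def validate_hostname(hostname: str) -> str:
    """Return hostname unchanged if it meets the documented rule, else raise ValueError."""
    if not 1 <= len(hostname) <= 255:
        raise ValueError("hostname must be between 1 and 255 characters")
    if not _HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(
            "hostname may use only alphanumerics, '-' and '.', and must start "
            "and end with an alphanumeric character"
        )
    return hostname


def build_target_body(hostname, ipv4=None, ipv6=None, virtual_network_id=None):
    """Build one `{ hostname, ip }` object for POST .../targets or PUT .../targets/batch.

    At least one address is required here (a target with no address cannot be
    reached). `virtual_network_id` is applied to every address given, matching
    the page's example payload; when omitted the API uses the default network.
    """
    if ipv4 is None and ipv6 is None:
        raise ValueError("at least one of ipv4 or ipv6 is required")
    ip = {}
    for key, addr, cls in (("ipv4", ipv4, ipaddress.IPv4Address),
                           ("ipv6", ipv6, ipaddress.IPv6Address)):
        if addr is None:
            continue
        entry = {"ip_addr": str(cls(addr))}  # raises on a malformed or wrong-family address
        if virtual_network_id:
            entry["virtual_network_id"] = virtual_network_id
        ip[key] = entry
    return {"hostname": validate_hostname(hostname), "ip": ip}


def build_list_url(account_id: str, **filters) -> str:
    """Return the GET URL for listing targets with the given query filters.

    Rejects a range filter whose partner is missing or whose bounds are
    reversed, and unknown `order`/`direction` values; repeats `ips` and
    `target_ids` once per value as the reference requires.
    """
    for start, end in _RANGE_PAIRS:
        if (start in filters) != (end in filters):
            raise ValueError(f"{start} and {end} must be specified together")
        if start in filters:
            lo = ipaddress.ip_address(filters[start])
            hi = ipaddress.ip_address(filters[end])
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"{start}..{end} is not a valid inclusive range")
    if filters.get("order", "hostname") not in ("hostname", "created_at"):
        raise ValueError("order must be 'hostname' or 'created_at'")
    if filters.get("direction", "asc") not in ("asc", "desc"):
        raise ValueError("direction must be 'asc' or 'desc'")
    pairs = []
    for key, value in filters.items():
        if key in _REPEATED:
            pairs.extend((key, v) for v in value)  # one parameter per candidate
        else:
            pairs.append((key, str(value)))
    url = API_BASE + TARGETS_PATH.format(account_id=account_id)
    # safe="*" keeps the documented ip_like wildcard literal in the query string
    return url + ("?" + urlencode(pairs, safe="*") if pairs else "")


def next_page(result_info: dict):
    """Return the next page number from a `result_info` object, or None on the last page."""
    page, total = result_info.get("page", 1), result_info.get("total_pages", 1)
    return page + 1 if page < total else None


if __name__ == "__main__":
    # Constructed sample values, taken from this reference's own examples.
    print(build_target_body("infra-access-target", ipv4="187.26.29.249",
                            ipv6="64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
                            virtual_network_id="c77b744e-acc8-428f-9257-6878c046ed55"))
    print(build_list_url("ACCOUNT_ID", hostname_contains="infra", ip_like="187.26.*",
                         ipv4_start="187.26.0.0", ipv4_end="187.26.255.255",
                         ips=["187.26.29.249"], order="created_at", direction="desc"))
```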
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get target

**get** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Get target

### Path Parameters

- `account_id: string` Account identifier
- `target_id: string` Target identifier

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/$TARGET_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Create new target

**post** `/accounts/{account_id}/infrastructure/targets`

Create new target

### Path Parameters

- `account_id: string` Account identifier

### Body Parameters

- `hostname: string` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
- `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
  - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
    - `ip_addr: optional string` IP address of the target
    - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
    - `ip_addr: optional string` IP address of the target
    - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "hostname": "infra-access-target",
    "ip": {}
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Update target

**put** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Update target

### Path Parameters

- `account_id: string` Account identifier
- `target_id: string` Target identifier

### Body Parameters

- `hostname: string` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
- `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
  - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
    - `ip_addr: optional string` IP address of the target
    - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
    - `ip_addr: optional string` IP address of the target
    - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/$TARGET_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "hostname": "infra-access-target",
    "ip": {}
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
    "created_at": "2019-08-24T14:15:22Z",
    "hostname": "infra-access-target",
    "ip": {
      "ipv4": {
        "ip_addr": "187.26.29.249",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      },
      "ipv6": {
        "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
        "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
      }
    },
    "modified_at": "2019-08-24T14:15:22Z"
  }
}
```

## Delete target

**delete** `/accounts/{account_id}/infrastructure/targets/{target_id}`

Delete target

### Path Parameters

- `account_id: string` Account identifier
- `target_id: string` Target identifier

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/$TARGET_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

## Create new targets

**put** `/accounts/{account_id}/infrastructure/targets/batch`

Adds one or more targets.

### Path Parameters

- `account_id: string` Account identifier

### Body Parameters

- `body: array of { hostname, ip }`
  - `hostname: string` A non-unique field that refers to a target. Case insensitive, maximum length of 255 characters, supports the use of special characters dash and period, does not support spaces, and must start and end with an alphanumeric character.
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/batch \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '[
    {
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      }
    }
  ]'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e",
      "created_at": "2019-08-24T14:15:22Z",
      "hostname": "infra-access-target",
      "ip": {
        "ipv4": {
          "ip_addr": "187.26.29.249",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        },
        "ipv6": {
          "ip_addr": "64c0:64e8:f0b4:8dbf:7104:72b0:ec8f:f5e0",
          "virtual_network_id": "c77b744e-acc8-428f-9257-6878c046ed55"
        }
      },
      "modified_at": "2019-08-24T14:15:22Z"
    }
  ]
}
```

## Delete targets (Deprecated)

**delete** `/accounts/{account_id}/infrastructure/targets/batch`

Removes one or more targets.

### Path Parameters

- `account_id: string` Account identifier

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/batch \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

## Delete targets

**post** `/accounts/{account_id}/infrastructure/targets/batch_delete`

Removes one or more targets.
### Path Parameters

- `account_id: string` Account identifier

### Body Parameters

- `target_ids: array of string` List of target IDs to bulk delete

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/infrastructure/targets/batch_delete \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "target_ids": [
      "182bd5e5-6e1a-4fe4-a799-aa6d9a6ab26e"
    ]
  }'
```

## Domain Types

### Target List Response

- `TargetListResponse { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Get Response

- `TargetGetResponse { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Create Response

- `TargetCreateResponse { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Update Response

- `TargetUpdateResponse { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

### Target Bulk Update Response

- `TargetBulkUpdateResponse { id, created_at, hostname, 2 more }`
  - `id: string` Target identifier
  - `created_at: string` Date and time at which the target was created
  - `hostname: string` A non-unique field that refers to a target
  - `ip: { ipv4, ipv6 }` The IPv4/IPv6 address that identifies where to reach a target
    - `ipv4: optional { ip_addr, virtual_network_id }` The target's IPv4 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
    - `ipv6: optional { ip_addr, virtual_network_id }` The target's IPv6 address
      - `ip_addr: optional string` IP address of the target
      - `virtual_network_id: optional string` (optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.
  - `modified_at: string` Date and time at which the target was modified

# Applications

## List Access applications

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Lists all Access applications in an account or zone.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `aud: optional string` The aud of the app.
- `domain: optional string` The domain of the app.
- `exact: optional boolean` True for only exact string matches against passed name/domain query parameters. - `name: optional string` The name of the app. - `page: optional number` Page number of results. - `per_page: optional number` Number of results per page. - `search: optional string` Search for apps by other listed query parameters. - `target_attributes: optional string` Target Criteria attributes in key=value format. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more` - `SelfHostedApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. 
- `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of AllowedOrigins` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
          - `group: { id }`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `any_valid_service_token: { }` An empty object which matches on all service tokens.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: { id, ac_id, identity_provider_id }`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `auth_method: { auth_method }`
            - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: { id, identity_provider_id }`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
          - `certificate: { }`
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `common_name: { common_name }`
            - `common_name: string` The common name to match.
        - `CountryRule { geo }` Matches a specific country.
          - `geo: { country_code }`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `device_posture: { integration_uid }`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule { email_domain }` Matches an entire email domain.
          - `email_domain: { domain }`
            - `domain: string` The email domain to match.
        - `EmailListRule { email_list }` Matches an email address from a list.
          - `email_list: { id }`
            - `id: string` The ID of a previously created email list.
        - `EmailRule { email }` Matches a specific email.
          - `email: { email }`
            - `email: string` The email of the user.
        - `EveryoneRule { everyone }` Matches everyone.
          - `everyone: { }` An empty object which matches on all users.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: { evaluate_url, keys_url }`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": { identity_provider_id, name, team }`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team: optional string` The name of the team.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: { email, identity_provider_id }`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
          - `login_method: { id }`
            - `id: string` The ID of an identity provider.
        - `IPListRule { ip_list }` Matches an IP address from a list.
          - `ip_list: { id }`
            - `id: string` The ID of a previously created IP list.
        - `IPRule { ip }` Matches an IP address block.
          - `ip: { ip }`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `okta: { identity_provider_id, name }`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `saml: { attribute_name, attribute_value, identity_provider_id }`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: { claim_name, claim_value, identity_provider_id }`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `service_token: { token_id }`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: { app_uid }`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
          - `user_risk_score: { user_risk_score }`
            - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
          - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
    - `id: optional string` UUID.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: optional string` - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp` - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }` - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml". - `"saml"` - `"oidc"` - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }` - `friendly_name: optional string` The SAML FriendlyName of the attribute. - `name: optional string` The name of the attribute. - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` The SAML NameFormat of the attribute. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: optional boolean` Whether the attribute is required when building a SAML assertion. - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP attribute. - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name. - `idp_id: optional string` The UID of the IdP. - `source_name: optional string` The name of the IdP-provided attribute. - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id: optional string` The unique identifier for your SaaS application. - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
- `"id"` - `"email"` - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: optional string` A globally unique name for an identity or service provider. - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }` - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: optional boolean` Whether a client secret is required on the token endpoint when the authorization_code_with_pkce grant is used. - `app_launcher_url: optional string` The URL where this application's tile redirects users. - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the saas app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: optional string` The application client ID. - `client_secret: optional string` The application client secret, only returned on POST requests.
- `custom_claims: optional array of { name, required, scope, source }` - `name: optional string` The name of the claim. - `required: optional boolean` Whether the claim is required when building an OIDC token. - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP claim. - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name. - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint. - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }` - `return_access_token_from_authorization_endpoint: optional boolean` Whether an Access Token is returned from the OIDC Authorization endpoint. - `return_id_token_from_authorization_endpoint: optional boolean` Whether an ID Token is returned from the OIDC Authorization endpoint. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `redirect_uris: optional array of string` The permitted URLs to which Cloudflare may return Authorization codes and Access/ID tokens. - `refresh_token_options: optional { lifetime }` - `lifetime: optional string` How long a refresh token will be valid after creation. Valid units are m,h,d. Must be longer than 1m.
- `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access. The "offline_access" scope is enabled automatically if refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (or schemes) Access uses when making SCIM requests to this application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. 
- `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `BrowserSSHApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. 
Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. 
Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the application.
- `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
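For `oauth_configuration.dynamic_client_registration`, the text above states three things a registration endpoint has to enforce: entries in `allowed_uris` are https only, a path may end in `/*` to cover its sub-paths, and the `allow_any_on_localhost` / `allow_any_on_loopback` switches admit any redirect URI on `localhost` or `127.0.0.1`. Redirect URI validation is where authorization codes get stolen when a comparison is a substring or prefix check instead of an exact one, so the matching below compares scheme, host, port, path and query whole, collapses `..` segments before applying a `/*` prefix, and refuses fragments. This Python is an added example, not Cloudflare's implementation: `DCR_CONFIG` and its hostnames are constructed, the function names are mine, and accepting plain `http` for localhost and loopback is an assumption noted in the code.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed configuration mirroring the dynamic_client_registration object
# documented above; the hostnames are placeholders, not a real account.
DCR_CONFIG = {
    "enabled": True,
    "allow_any_on_localhost": False,
    "allow_any_on_loopback": True,
    "allowed_uris": [
        "https://app.example.com/oauth/callback",
        "https://ide.example.com/mcp/*",
    ],
}


def _parts(uri):
    """Normalise a URI into comparable parts. Fragments are rejected outright
    (OAuth redirect URIs must not carry one) and '.' / '..' segments are
    collapsed so a prefix rule cannot be escaped with "/mcp/../admin"."""
    p = urlsplit(uri)
    if p.fragment:
        raise ValueError("redirect URI must not contain a fragment")
    path = posixpath.normpath(p.path or "/")
    if p.path.endswith("/") and not path.endswith("/"):
        path += "/"          # keep a trailing slash significant: "/cb/" != "/cb"
    # urlsplit already lower-cases .hostname; .port raises ValueError if out of range
    return p.scheme.lower(), (p.hostname or "").lower(), p.port, path, p.query


def config_errors(config):
    """Mirror the documented constraints on allowed_uris: https only, and a
    wildcard is only meaningful as a trailing "/*"."""
    errors = []
    for allowed in config.get("allowed_uris", []):
        p = urlsplit(allowed)
        if p.scheme.lower() != "https":
            errors.append(f"{allowed}: allowed_uris must use the https scheme")
        if "*" in p.path[:-1] or (p.path.endswith("*") and not p.path.endswith("/*")):
            errors.append(f"{allowed}: '*' is only permitted as a trailing /*")
    return errors


def redirect_uri_permitted(uri, config=DCR_CONFIG):
    """Decide whether a dynamically registered client may use `uri` as a
    redirect_uri under `config`. Matching is exact (scheme, host, port, path,
    query) except for entries ending in "/*", which match any sub-path."""
    if not config.get("enabled"):
        return False
    try:
        scheme, host, port, path, query = _parts(uri)
    except ValueError:
        return False
    if scheme not in ("http", "https") or not host:
        return False
    # The page says these two switches accept any redirect URI on "localhost"
    # or "127.0.0.1". Allowing plain http for them is my assumption, following
    # the loopback convention for native apps in RFC 8252 section 7.3.
    if host == "localhost":
        return bool(config.get("allow_any_on_localhost"))
    if host == "127.0.0.1":
        return bool(config.get("allow_any_on_loopback"))
    if scheme != "https":
        return False
    for allowed in config.get("allowed_uris", []):
        a_scheme, a_host, a_port, a_path, a_query = _parts(allowed)
        if (a_scheme, a_host, a_port) != (scheme, host, port):
            continue          # whole-host comparison: "app.example.com.evil.com" never matches
        if a_path.endswith("/*"):
            if path.startswith(a_path[:-1]):      # "/mcp/*" -> anything under "/mcp/"
                return True
        elif (a_path, a_query) == (path, query):
            return True
    return False


if __name__ == "__main__":
    for candidate in ("https://app.example.com/oauth/callback",
                      "https://app.example.com@evil.com/oauth/callback",
                      "https://ide.example.com/mcp/../admin",
                      "http://127.0.0.1:43123/cb"):
        print(candidate, redirect_uri_permitted(candidate))
```

Note that `urlsplit` parses `https://app.example.com@evil.com/...` with `evil.com` as the host, so the userinfo trick fails the host comparison on its own; the normalisation step is what defeats the `..` escape under a `/*` entry.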
- `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces different MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces different MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
- `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforces different MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (or schemes) Access uses when making SCIM requests to this application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. 
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. 
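The `policies` array above fixes how Access combines rule lists: Include rules are OR-ed, Require rules are AND-ed, Exclude rules are negated, policies are evaluated in `precedence` order, and `precedence` must be unique within an application. The Python below is an added example that models that evaluation for a handful of rule types (everyone, email, email_domain, ip, group, geo) so a policy set can be unit-tested before it is pushed; it is not Cloudflare's enforcement engine. The inner shape of each rule object, the `allow` / `deny` decision strings, and the policy names, group id, addresses and identities are all constructed for illustration.

```python
import ipaddress

# The inner shape of each rule object is my assumption, derived from the key
# names listed on this page (EmailRule { email }, DomainRule { email_domain },
# IPRule { ip }, GroupRule { group }, CountryRule { geo }, EveryoneRule { everyone }).
def rule_matches(rule, ctx):
    (kind, spec), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx.get("email", "").lower() == spec["email"].lower()
    if kind == "email_domain":
        return ctx.get("email", "").lower().endswith("@" + spec["domain"].lower())
    if kind == "ip":
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "group":
        return spec["id"] in ctx.get("groups", ())
    if kind == "geo":
        return ctx.get("country") == spec["country_code"]
    raise ValueError(f"rule type {kind!r} is not handled by this example")


def policy_matches(policy, ctx):
    """Include is OR, Require is AND, Exclude is NOT, as documented above.
    A policy with no Include rules matches nobody (fail closed)."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False
    if not all(rule_matches(r, ctx) for r in policy.get("require", [])):
        return False
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return True


def decide(policies, ctx, default=("deny", None)):
    """Evaluate policies in precedence order and return (decision, policy name)
    for the first match. Precedence must be unique within an app, so duplicates
    are rejected rather than silently ordered."""
    seen = set()
    for p in policies:
        if p["precedence"] in seen:
            raise ValueError(f"duplicate precedence {p['precedence']}")
        seen.add(p["precedence"])
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"], policy["name"]
    return default


# Constructed policies and identities; names, group id and addresses are placeholders.
POLICIES = [
    {"name": "block-country-zz", "precedence": 1, "decision": "deny",
     "include": [{"geo": {"country_code": "ZZ"}}]},
    {"name": "engineering-from-office", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"group": {"id": "eng-group-id"}}, {"ip": {"ip": "203.0.113.0/24"}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}]},
]

ALICE = {"email": "alice@example.com", "groups": {"eng-group-id"},
         "ip": "203.0.113.7", "country": "US"}
CONTRACTOR = {**ALICE, "email": "contractor@example.com"}   # hits the Exclude rule
ALICE_REMOTE = {**ALICE, "ip": "198.51.100.9"}              # fails the IP Require rule
BOB_ZZ = {**ALICE, "email": "bob@example.com", "country": "ZZ"}  # caught by precedence 1

if __name__ == "__main__":
    for who in (ALICE, CONTRACTOR, ALICE_REMOTE, BOB_ZZ):
        print(who["email"], decide(POLICIES, who))
```

The deny policy sits at a lower precedence number than the allow policy, so an identity that satisfies both still receives the deny; reversing the two numbers would let the geo block be shadowed, which is the kind of ordering mistake this harness is meant to catch before the policies reach the API.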
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, id, allowed_idps, 15 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the log in button on the landing page.
    - `button_text_color: optional string` The color of the text in the log in button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. 
- `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page. - `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. 
- `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. 
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. 
- `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. 
- `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. 
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. 
- `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. 
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. 
- `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. 
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication { id, app_launcher_visible, aud, 6 more }`
  - `id: optional string` UUID.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `domain: optional string` The URL or domain of the bookmark.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `InfrastructureApplication { target_criteria, type, id, 3 more }`
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `aud: optional string` Audience tag.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, connection_rules, created_at, 6 more }`
    - `id: optional string` The UUID of the policy.
    - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
      - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `name: optional string` The name of the Access policy.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `updated_at: optional string`
- `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iframe.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
- `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. 
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce specific MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce specific MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list.
- `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers.
The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme, or list of schemes, that Access uses when making SCIM requests to the application's API. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
- `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. 
The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. 
Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application.
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access.
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce specific MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce specific MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method used at login, to enforce specific MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with the `non_identity` and `bypass` decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
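The `McpServerApplication` fields above carry several constraints that the API only reports after a rejected `POST`: the Go-style duration syntax, `https`-only `allowed_uris`, exactly one entry in `allowed_idps` when `auto_redirect_to_identity` is set, unique `precedence` per policy, `linked_app_token` rules only with the `non_identity` or `bypass` decision, and `options_preflight_bypass` conflicting with `cors_headers`. The following is an added example, not part of this reference or of Cloudflare's code, that checks a request body against those constraints locally and models the `dynamic_client_registration` redirect-URI allow-list. The IdP UUID, hostnames and server id are placeholders; the inner shape of each rule (`email_domain.domain`, `auth_method.auth_method`, `any_valid_service_token`) comes from the Access rule schema rather than this page; the `/*` semantics (an entry ending in `/*` matches its base path and everything under it) are an assumption; and `type` is omitted because its `ApplicationType` value is not stated here.

```python
import re
from urllib.parse import urlsplit

# Duration syntax from the reference: one or more <number><unit> groups, e.g. 300ms or 2h45m.
_DURATION = re.compile(r"^(\d+(\.\d+)?(ns|us|µs|ms|s|m|h))+$")
# MFA session duration: minutes or hours only, 0m to 720h inclusive.
_MFA_DURATION = re.compile(r"^(\d+)(m|h)$")


def valid_duration(value: str) -> bool:
    return bool(_DURATION.match(value))


def valid_mfa_duration(value: str) -> bool:
    m = _MFA_DURATION.match(value)
    if not m:
        return False
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return minutes <= 720 * 60


def redirect_uri_allowed(uri: str, dcr: dict) -> bool:
    """Apply the dynamic_client_registration settings to one redirect URI.

    Assumption: an allowed entry ending in '/*' matches its base path and everything
    below it; any other entry must match exactly. The localhost and loopback
    exceptions admit any client (and any scheme), so they are checked first.
    """
    parts = urlsplit(uri)
    if parts.hostname == "localhost" and dcr.get("allow_any_on_localhost"):
        return True
    if parts.hostname == "127.0.0.1" and dcr.get("allow_any_on_loopback"):
        return True
    if parts.scheme != "https":
        return False
    for allowed in dcr.get("allowed_uris", []):
        if allowed.endswith("/*"):
            base = allowed[:-1]  # keep the trailing slash so the host part stays anchored
            if uri == base.rstrip("/") or uri.startswith(base):
                return True
        elif uri == allowed:
            return True
    return False


def validate_app(app: dict) -> list:
    """Return the constraint violations in an application body; empty means it passes."""
    problems = []
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps", [])) != 1:
        problems.append("auto_redirect_to_identity requires exactly one allowed_idps entry")
    if app.get("options_preflight_bypass") and app.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be combined with cors_headers")
    if app.get("destinations") and app.get("self_hosted_domains"):
        problems.append("self_hosted_domains is ignored because destinations is set")
    if "session_duration" in app and not valid_duration(app["session_duration"]):
        problems.append("session_duration %r is not a valid duration" % app["session_duration"])
    oauth = app.get("oauth_configuration", {})
    for uri in oauth.get("dynamic_client_registration", {}).get("allowed_uris", []):
        if urlsplit(uri).scheme != "https":
            problems.append("allowed_uris entry %r must use https" % uri)
    for key, val in oauth.get("grant", {}).items():
        if not valid_duration(val):
            problems.append("oauth grant %s %r is not a valid duration" % (key, val))
    seen = set()
    for pol in app.get("policies", []):
        name, prec = pol.get("name", "<unnamed>"), pol.get("precedence")
        if prec is not None and prec in seen:
            problems.append("policy %r: precedence %s is already used" % (name, prec))
        seen.add(prec)
        rules = pol.get("include", []) + pol.get("require", []) + pol.get("exclude", [])
        if any("linked_app_token" in r for r in rules) and pol.get("decision") not in ("non_identity", "bypass"):
            problems.append("policy %r: linked_app_token rules need a non_identity or bypass decision" % name)
        mfa = pol.get("mfa_config", {})
        if "session_duration" in mfa and not valid_mfa_duration(mfa["session_duration"]):
            problems.append("policy %r: mfa session_duration must be 0m..720h in m or h" % name)
        if "session_duration" in pol and not valid_duration(pol["session_duration"]):
            problems.append("policy %r: session_duration is not a valid duration" % name)
    return problems


# Constructed body for an McpServerApplication reached through a portal. `type` is left
# out because its ApplicationType value is not stated in the reference; ids are placeholders.
SAMPLE_APP = {
    "name": "Internal MCP server",
    "allowed_idps": ["0f1e2d3c-4b5a-4978-8a9b-0c1d2e3f4a5b"],
    "auto_redirect_to_identity": True,
    "session_duration": "24h",
    "destinations": [{"type": "via_mcp_server_portal", "mcp_server_id": "my-mcp-server"}],
    "oauth_configuration": {
        "enabled": True,
        "dynamic_client_registration": {
            "enabled": True,
            "allow_any_on_loopback": True,
            "allowed_uris": ["https://ide.example.com/oauth/callback/*"],
        },
        "grant": {"access_token_lifetime": "1h", "session_duration": "8h"},
    },
    "policies": [
        {"name": "Staff with a security key", "decision": "allow", "precedence": 1,
         "include": [{"email_domain": {"domain": "example.com"}}],
         "require": [{"auth_method": {"auth_method": "hwk"}}],
         "mfa_config": {"allowed_authenticators": ["security_key"], "session_duration": "12h"}},
        {"name": "CI service token", "decision": "non_identity", "precedence": 2,
         "include": [{"any_valid_service_token": {}}]},
    ],
}
```

Run `validate_app` on the body before sending it with the `curl` call shown for the endpoint; a non-empty list is the reason the API would have rejected it. `redirect_uri_allowed` is the check worth reading twice: the `/*` prefix is compared against the full URI string, so a look-alike host such as `ide.example.com.evil.example` does not match, and `allow_any_on_loopback` deliberately admits plain `http` on `127.0.0.1` because that is what the flag grants.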
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme, or list of schemes, that Access uses when making SCIM requests to the application's API. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. 
- `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. 
- `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. 
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "domain": "test.example.com/admin",
      "type": "self_hosted",
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "allow_authenticate_via_warp": true,
      "allow_iframe": true,
      "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
      "app_launcher_visible": true,
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "auto_redirect_to_identity": true,
      "cors_headers": {
        "allow_all_headers": true,
        "allow_all_methods": true,
        "allow_all_origins": true,
        "allow_credentials": true,
        "allowed_headers": ["string"],
        "allowed_methods": ["GET"],
        "allowed_origins": ["https://example.com"],
        "max_age": -1
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "custom_deny_message": "custom_deny_message",
      "custom_deny_url": "custom_deny_url",
      "custom_non_identity_deny_url": "custom_non_identity_deny_url",
      "custom_pages": ["699d98642c564d2e855e9661899b7252"],
      "destinations": [
        { "type": "public", "uri": "test.example.com/admin" },
        { "type": "public", "uri": "test.anotherexample.com/staff" },
        {
          "cidr": "10.5.0.0/24",
          "hostname": "hostname",
          "l4_protocol": "tcp",
          "port_range": "80-90",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "cidr": "10.5.0.3/32",
          "hostname": "hostname",
          "l4_protocol": "tcp",
          "port_range": "80",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        {
          "cidr": "cidr",
          "hostname": "private-sni.example.com",
          "l4_protocol": "tcp",
          "port_range": "port_range",
          "type": "private",
          "vnet_id": "vnet_id"
        },
        { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
      ],
      "enable_binding_cookie": true,
      "http_only_cookie_attribute": true,
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Admin Site",
      "oauth_configuration": {
        "dynamic_client_registration": {
          "allow_any_on_localhost": true,
          "allow_any_on_loopback": true,
          "allowed_uris": ["https://example.com/callback"],
          "enabled": true
        },
        "enabled": true,
        "grant": {
          "access_token_lifetime": "5m",
          "session_duration": "24h"
        }
      },
      "options_preflight_bypass": true,
      "path_cookie_attribute": true,
      "policies": [
        {
          "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
          "approval_groups": [
            {
              "approvals_needed": 1,
              "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
              "email_list_uuid": "email_list_uuid"
            },
            {
              "approvals_needed": 3,
              "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
              "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
            }
          ],
          "approval_required": true,
          "connection_rules": {
            "rdp": {
              "allowed_clipboard_local_to_remote_formats": ["text"],
              "allowed_clipboard_remote_to_local_formats": ["text"]
            }
          },
          "created_at": "2014-01-01T05:20:00.12345Z",
          "decision": "allow",
          "exclude": [
            { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
          ],
          "include": [
            { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
          ],
          "isolation_required": false,
          "mfa_config": {
            "allowed_authenticators": ["totp", "biometrics", "security_key"],
            "mfa_disabled": false,
            "session_duration": "24h"
          },
          "name": "Allow devs",
          "precedence": 0,
          "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
          "purpose_justification_required": true,
          "require": [
            { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
          ],
          "session_duration": "24h",
          "updated_at": "2014-01-01T05:20:00.12345Z"
        }
      ],
      "read_service_tokens_from_header": "Authorization",
      "same_site_cookie_attribute": "strict",
      "scim_config": {
        "idp_uid": "idp_uid",
        "remote_uri": "remote_uri",
        "authentication": {
          "password": "password",
          "scheme": "httpbasic",
          "user": "user"
        },
        "deactivate_on_delete": true,
        "enabled": true,
        "mappings": [
          {
            "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
            "enabled": true,
            "filter": "title pr or userType eq \"Intern\"",
            "operations": { "create": true, "delete": true, "update": true },
            "strictness": "strict",
            "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
          }
        ]
      },
      "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
      "service_auth_401_redirect": true,
      "session_duration": "24h",
      "skip_interstitial": true,
      "tags": ["engineers"],
      "updated_at": "2014-01-01T05:20:00.12345Z",
      "use_clientless_isolation_app_launcher_url": false
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access application

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Fetches information about an Access application.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
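
The application schema above states how a policy's rule lists combine (`include` is evaluated with OR, `exclude` with NOT, `require` with AND), that `precedence` must be unique within an app, and the duration formats for `session_duration` (`300ms`, `2h45m`; units ns, us/µs, ms, s, m, h) and for `mfa_config.session_duration` (minutes or hours only, 0m to 720h). The following is an added example, not Cloudflare's code and not how Access is implemented: an offline model that validates a policy list in the response shape shown above and evaluates it against a user context. It assumes that the first matching policy in precedence order decides, that durations carry integer counts only, and, for rule types other than the `group` rule shown in the response example, that the bodies are keyed `email.email`, `email_domain.domain`, `ip.ip` and `everyone`; the sample policies and users are constructed.

```python
"""Offline model of the documented Access policy semantics (added example,
not Cloudflare's implementation): include = OR, exclude = NOT, require = AND,
first matching policy in precedence order decides (assumption), plus the
documented `session_duration` formats."""
import ipaddress
import re
from typing import Optional

# Documented format: "300ms", "2h45m"; units ns, us (or µs), ms, s, m, h.
# Integer counts only in this model (no "1.5h").
_UNIT_NS = {"ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
            "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_COMPONENT = re.compile(r"(\d+)(ns|us|µs|ms|s|m|h)")
MFA_MAX_NS = 720 * _UNIT_NS["h"]  # documented maximum: 720h (30 days)


def parse_duration(text: str) -> int:
    """Return the duration in nanoseconds; ValueError on anything off-format."""
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, 0
    while pos < len(text):
        m = _COMPONENT.match(text, pos)
        if m is None:
            raise ValueError(f"bad duration {text!r} at offset {pos}")
        total += int(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    return total


def validate_mfa_session_duration(text: str) -> int:
    """mfa_config.session_duration: minutes or hours only, 0m..720h inclusive."""
    if not re.fullmatch(r"\d+[mh]", text):
        raise ValueError(f"MFA session_duration must look like '5m' or '24h': {text!r}")
    ns = parse_duration(text)
    if ns > MFA_MAX_NS:
        raise ValueError(f"MFA session_duration {text!r} exceeds 720h")
    return ns


def rule_matches(rule: dict, user: dict) -> bool:
    """Evaluate one AccessRule against a user context {email, group_ids, ip}.
    The `group` shape is the one in the response example; the key names inside
    `email`, `email_domain` and `ip` bodies are assumptions of this model."""
    if len(rule) != 1:
        raise ValueError(f"malformed rule: {rule!r}")
    kind, body = next(iter(rule.items()))
    email = user.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "group":
        return body["id"] in user.get("group_ids", ())
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":
        return "@" in email and email.rsplit("@", 1)[1] == body["domain"].lower()
    if kind == "ip":
        return ipaddress.ip_address(user["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    # Fail closed: a rule type this model does not understand is an error,
    # never a silent non-match (which would let an `exclude` fall open).
    raise ValueError(f"unsupported rule type: {kind!r}")


def policy_matches(policy: dict, user: dict) -> bool:
    """include: any one; exclude: none; require: all (empty require is vacuously met)."""
    return (any(rule_matches(r, user) for r in policy.get("include", []))
            and not any(rule_matches(r, user) for r in policy.get("exclude", []))
            and all(rule_matches(r, user) for r in policy.get("require", [])))


def decide(policies: list, user: dict) -> Optional[str]:
    """Validate the policy list, then return the `decision` of the first matching
    policy in precedence order, or None when no policy matches."""
    precedences = [p["precedence"] for p in policies]
    if len(set(precedences)) != len(precedences):
        raise ValueError("precedence must be unique within an app")
    for p in policies:
        if "session_duration" in p:
            parse_duration(p["session_duration"])
        if "session_duration" in p.get("mfa_config", {}):
            validate_mfa_session_duration(p["mfa_config"]["session_duration"])
    for p in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(p, user):
            return p["decision"]
    return None


# Constructed sample policy list in the shape of the response example above
# (the group UUID is the one used in that example).
DEVS_GROUP = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
SAMPLE_POLICIES = [
    {"name": "Block contractors", "precedence": 0, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}]},
    {"name": "Allow devs", "precedence": 1, "decision": "allow",
     "include": [{"group": {"id": DEVS_GROUP}}, {"email": {"email": "oncall@example.com"}}],
     "exclude": [{"ip": {"ip": "203.0.113.0/24"}}],
     "require": [{"email_domain": {"domain": "example.com"}}],
     "session_duration": "24h",
     "mfa_config": {"allowed_authenticators": ["totp"], "mfa_disabled": False,
                    "session_duration": "24h"}},
]

if __name__ == "__main__":
    dev = {"email": "alice@example.com", "group_ids": [DEVS_GROUP], "ip": "198.51.100.7"}
    print(decide(SAMPLE_POLICIES, dev))                                        # allow
    print(decide(SAMPLE_POLICIES, {**dev, "ip": "203.0.113.9"}))               # None
    print(decide(SAMPLE_POLICIES, {**dev, "email": "bob@contractor.example"}))  # deny
```

Two design points are worth noting for anyone adapting this to review their own policy export: the deny policy only wins because its `precedence` is lower, so re-ordering precedences silently changes the outcome, and an unrecognised rule type raises instead of being skipped, because skipping would make an `exclude` rule fall open.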
### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more` - `SelfHostedApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `cors_headers: optional CORSHeaders` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of AllowedOrigins` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. 
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `"allow"`
      - `"deny"`
      - `"non_identity"`
      - `"bypass"`
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
        - `group: { id }`
          - `id: string` The ID of a previously created Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `any_valid_service_token: { }` An empty object which matches on all service tokens.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `auth_context: { id, ac_id, identity_provider_id }`
          - `id: string` The ID of an Authentication context.
          - `ac_id: string` The ACID of an Authentication context.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `auth_method: { auth_method }`
          - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `azureAD: { id, identity_provider_id }`
          - `id: string` The ID of an Azure group.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
        - `certificate: { }`
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `common_name: { common_name }`
          - `common_name: string` The common name to match.
      - `CountryRule { geo }` Matches a specific country.
        - `geo: { country_code }`
          - `country_code: string` The country code that should be matched.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `device_posture: { integration_uid }`
          - `integration_uid: string` The ID of a device posture integration.
      - `DomainRule { email_domain }` Matches an entire email domain.
        - `email_domain: { domain }`
          - `domain: string` The email domain to match.
      - `EmailListRule { email_list }` Matches an email address from a list.
        - `email_list: { id }`
          - `id: string` The ID of a previously created email list.
      - `EmailRule { email }` Matches a specific email.
        - `email: { email }`
          - `email: string` The email of the user.
      - `EveryoneRule { everyone }` Matches everyone.
        - `everyone: { }` An empty object which matches on all users.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `external_evaluation: { evaluate_url, keys_url }`
          - `evaluate_url: string` The API endpoint containing your business logic.
          - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `"github-organization": { identity_provider_id, name, team }`
          - `identity_provider_id: string` The ID of your GitHub identity provider.
          - `name: string` The name of the organization.
          - `team: optional string` The name of the team.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `gsuite: { email, identity_provider_id }`
          - `email: string` The email of the Google Workspace group.
          - `identity_provider_id: string` The ID of your Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `login_method: { id }`
          - `id: string` The ID of an identity provider.
      - `IPListRule { ip_list }` Matches an IP address from a list.
        - `ip_list: { id }`
          - `id: string` The ID of a previously created IP list.
      - `IPRule { ip }` Matches an IP address block.
        - `ip: { ip }`
          - `ip: string` An IPv4 or IPv6 CIDR block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `okta: { identity_provider_id, name }`
          - `identity_provider_id: string` The ID of your Okta identity provider.
          - `name: string` The name of the Okta group.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `saml: { attribute_name, attribute_value, identity_provider_id }`
          - `attribute_name: string` The name of the SAML attribute.
          - `attribute_value: string` The SAML attribute value to look for.
          - `identity_provider_id: string` The ID of your SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `oidc: { claim_name, claim_value, identity_provider_id }`
          - `claim_name: string` The name of the OIDC claim.
          - `claim_value: string` The OIDC claim value to look for.
          - `identity_provider_id: string` The ID of your OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `service_token: { token_id }`
          - `token_id: string` The ID of a Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `linked_app_token: { app_uid }`
          - `app_uid: string` The ID of an Access OIDC SaaS application.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `user_risk_score: { user_risk_score }`
          - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
            - `"low"`
            - `"medium"`
            - `"high"`
            - `"unscored"`
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: string` Password used to authenticate with the remote SCIM service.
        - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: string` User name used to authenticate with the remote SCIM service.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: string` URL used to generate the auth code used during token generation.
        - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
        - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
        - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
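The constraints this reference states for a self-hosted application body (the `options_preflight_bypass` / `cors_headers` conflict, the `300ms` / `2h45m` duration format, the MFA `session_duration` limits, the `https` requirement for dynamic client registration redirect URIs, unique policy `precedence`, and the decisions compatible with `linked_app_token` rules), together with the OR / AND / NOT semantics of `include` / `require` / `exclude`, as an added Python example that is not part of this reference or of Cloudflare's code. `SAMPLE_APP`, the identity dicts and the rule subset in `rule_matches` are constructed here, and `decide` assumes that no matching policy means the request is denied.

```python
"""Added example, not Cloudflare's code: lint a self-hosted Access application body
against the constraints this reference states and model include/require/exclude."""
import re

# Go-style duration for session_duration / access_token_lifetime, e.g. "300ms", "2h45m";
# units ns, us (or µs), ms, s, m, h. MFA session_duration: whole m or h, 0m up to 720h.
_DURATION = re.compile(r"^(\d+(\.\d+)?(ns|us|µs|ms|s|m|h))+$")
_MFA_DURATION = re.compile(r"^(\d+)(m|h)$")


def valid_duration(value):
    return bool(_DURATION.match(value))


def valid_mfa_duration(value):
    m = _MFA_DURATION.match(value)
    if not m:
        return False
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return minutes <= 720 * 60


def lint_application(app):
    """Return the documented constraints that the application body violates."""
    problems = []
    if app.get("options_preflight_bypass") and app.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be on when cors_headers is set")
    if app.get("destinations") and app.get("self_hosted_domains"):
        problems.append("self_hosted_domains is ignored when destinations is provided")
    if "session_duration" in app and not valid_duration(app["session_duration"]):
        problems.append("session_duration must look like 300ms or 2h45m")
    mfa = app.get("mfa_config", {})
    if "session_duration" in mfa and not valid_mfa_duration(mfa["session_duration"]):
        problems.append("mfa_config.session_duration must be 0m..720h in m or h")
    dcr = app.get("oauth_configuration", {}).get("dynamic_client_registration", {})
    for uri in dcr.get("allowed_uris", []):
        if not uri.startswith("https://"):
            problems.append(f"dynamic client registration redirect URI must use https: {uri}")
    seen = set()
    for p in app.get("policies", []):
        name, prec = p.get("name"), p.get("precedence")
        if prec in seen:
            problems.append(f"policy {name}: precedence {prec} is not unique within the app")
        seen.add(prec)
        rules = [r for key in ("include", "require", "exclude") for r in p.get(key, [])]
        if any("linked_app_token" in r for r in rules) and p.get("decision") not in ("non_identity", "bypass"):
            problems.append(f"policy {name}: linked_app_token rules need a non_identity or bypass decision")
    return problems


def rule_matches(rule, identity):
    """Evaluate one AccessRule (a constructed subset of the rule types); unknown types raise rather than fail open."""
    if "everyone" in rule:
        return True
    if "email" in rule:
        return identity.get("email") == rule["email"]["email"]
    if "email_domain" in rule:
        return identity.get("email", "").split("@")[-1] == rule["email_domain"]["domain"]
    if "geo" in rule:
        return identity.get("country") == rule["geo"]["country_code"]
    if "group" in rule:
        return rule["group"]["id"] in identity.get("groups", [])
    if "linked_app_token" in rule:  # token issued by the named Access OIDC SaaS application
        return identity.get("linked_app_uid") == rule["linked_app_token"]["app_uid"]
    raise ValueError(f"unsupported rule type: {rule}")


def policy_matches(policy, identity):
    """include is OR, require is AND, exclude is NOT, as the reference states."""
    return (any(rule_matches(r, identity) for r in policy.get("include", []))
            and all(rule_matches(r, identity) for r in policy.get("require", []))
            and not any(rule_matches(r, identity) for r in policy.get("exclude", [])))


def decide(app, identity):
    """Decision of the first matching policy in precedence order; assumes no match means deny."""
    for p in sorted(app.get("policies", []), key=lambda p: p.get("precedence", 0)):
        if policy_matches(p, identity):
            return p.get("decision", "allow")
    return "deny"


# Constructed sample body with several deliberate mistakes for the linter to find.
SAMPLE_APP = {
    "name": "internal-admin", "session_duration": "24h",
    "cors_headers": {"allow_all_origins": True},
    "options_preflight_bypass": True,              # conflicts with cors_headers
    "destinations": [{"type": "public", "uri": "admin.example.com"}],
    "self_hosted_domains": ["admin.example.com"],  # ignored once destinations is set
    "mfa_config": {"session_duration": "800h"},    # above the 720h maximum
    "oauth_configuration": {"dynamic_client_registration": {
        "allowed_uris": ["http://client.example.com/callback"]}},  # not https
    "policies": [
        {"name": "admins", "decision": "allow", "precedence": 1,
         "include": [{"email_domain": {"domain": "example.com"}}],
         "require": [{"group": {"id": "grp-admins"}}],
         "exclude": [{"geo": {"country_code": "XX"}}]},
        {"name": "contractors", "decision": "allow", "precedence": 1,  # duplicate precedence
         "include": [{"email": {"email": "bob@contractor.example"}}]},
        {"name": "svc", "decision": "allow", "precedence": 2,  # needs non_identity or bypass
         "include": [{"linked_app_token": {"app_uid": "app-0000"}}]},
    ],
}
```

`lint_application(SAMPLE_APP)` reports six problems, and `decide` shows that an `example.com` user in `grp-admins` is allowed unless the `geo` exclude matches.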
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
    - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
      - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
        - `friendly_name: optional string` The SAML FriendlyName of the attribute.
        - `name: optional string` The name of the attribute.
        - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: optional boolean` If the attribute is required when building a SAML assertion.
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP attribute.
          - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
            - `idp_id: optional string` The UID of the IdP.
            - `source_name: optional string` The name of the IdP provided attribute.
      - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: optional string` The unique identifier for your SaaS application.
      - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
      - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
      - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: optional boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
      - `app_launcher_url: optional string` The URL where this application's tile redirects users.
      - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the saas app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: optional string` The application client id.
      - `client_secret: optional string` The application client secret, only returned on POST request.
      - `custom_claims: optional array of { name, required, scope, source }`
        - `name: optional string` The name of the claim.
        - `required: optional boolean` If the claim is required when building an OIDC token.
        - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP claim.
          - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
      - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
        - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: optional array of string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: optional { lifetime }`
        - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m.
      - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `BrowserSSHApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
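The policy objects above define `include` as OR, `exclude` as NOT and `require` as AND, and `read_service_tokens_from_header` describes a single JSON-valued header as an alternative to the CF-Access-Client-Id / CF-Access-Client-Secret pair. The following is an added example, not Cloudflare's code, of how an evaluator that follows those rules fits together: it resolves a service token from either header form (failing closed on malformed JSON), then evaluates a policy against the resulting identity. The inner payload of each rule object (`email.email`, `email_domain.domain`, `ip.ip`, `geo.country_code`, `group.id`, `service_token.token_id`), the identity dict keys and the in-memory token registry are assumptions of the example; the client id and secret reuse the sample values from the field description, and the token id is constructed.

```python
import hmac
import ipaddress
import json

PAIR_HEADERS = ("cf-access-client-id", "cf-access-client-secret")

# Constructed registry: client id -> (client secret, token id). The id/secret pair
# is the sample from the read_service_tokens_from_header description, the token id
# is made up. A real store would hold only a hash of the secret.
SERVICE_TOKENS = {
    "88bf3b6d86161464f6509f7219099e57.access.example.com": (
        "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
        "tok-ci-runner",
    ),
}

# Constructed policy in the shape of a `policies` entry: include is OR, exclude is
# NOT, require is AND. The inner rule payloads are this example's assumption.
SAMPLE_POLICY = {
    "name": "engineering-from-office",
    "decision": "allow",
    "include": [
        {"email_domain": {"domain": "example.com"}},
        {"service_token": {"token_id": "tok-ci-runner"}},
    ],
    "exclude": [
        {"email": {"email": "contractor@example.com"}},
        {"geo": {"country_code": "KP"}},
    ],
    "require": [{"ip": {"ip": "203.0.113.0/24"}}],
}


def extract_service_token(headers, single_header_name=None):
    """Return (client_id, client_secret) from the CF-Access-Client-Id /
    CF-Access-Client-Secret pair or, when read_service_tokens_from_header names a
    header, from that one JSON-valued header. Malformed JSON, a non-object value
    or missing keys yield None rather than a partial credential."""
    h = {k.lower(): v for k, v in headers.items()}
    cid, secret = h.get(PAIR_HEADERS[0]), h.get(PAIR_HEADERS[1])
    if cid and secret:
        return cid, secret
    if single_header_name and single_header_name.lower() in h:
        try:
            obj = json.loads(h[single_header_name.lower()])
        except ValueError:
            return None
        if isinstance(obj, dict):
            cid, secret = obj.get(PAIR_HEADERS[0]), obj.get(PAIR_HEADERS[1])
            if isinstance(cid, str) and isinstance(secret, str) and cid and secret:
                return cid, secret
    return None


def service_token_id(headers, single_header_name=None):
    """Resolve request headers to a known token id, or None. The secret is compared
    in constant time; an unknown id and a wrong secret take the same path."""
    creds = extract_service_token(headers, single_header_name)
    if creds is None:
        return None
    cid, presented = creds
    stored_secret, token_id = SERVICE_TOKENS.get(cid, ("", None))
    if token_id is not None and hmac.compare_digest(stored_secret.encode(), presented.encode()):
        return token_id
    return None


def rule_matches(rule, identity):
    """Evaluate one rule object against an identity dict with optional keys
    email, ip, country, groups and service_token_id."""
    (kind, spec), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return identity.get("email", "").lower() == spec["email"].lower()
    if kind == "email_domain":
        return identity.get("email", "").lower().endswith("@" + spec["domain"].lower())
    if kind == "ip":
        if not identity.get("ip"):
            return False
        return ipaddress.ip_address(identity["ip"]) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "geo":
        return identity.get("country") == spec["country_code"]
    if kind == "group":
        return spec["id"] in identity.get("groups", [])
    if kind == "service_token":
        return identity.get("service_token_id") == spec["token_id"]
    raise ValueError(f"unsupported rule type {kind!r}")  # fail closed, never skip a rule


def policy_matches(policy, identity):
    """Include is OR, exclude is NOT, require is AND. An empty require list is
    vacuously satisfied; an empty include list matches nobody."""
    included = any(rule_matches(r, identity) for r in policy.get("include", []))
    excluded = any(rule_matches(r, identity) for r in policy.get("exclude", []))
    required = all(rule_matches(r, identity) for r in policy.get("require", []))
    return included and not excluded and required
```

Note that an unknown rule type raises instead of being ignored: silently skipping a rule in `exclude` or `require` would widen the policy, so the evaluator refuses to decide.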
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `BrowserVNCApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

    ```json
    { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
    ```
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, id, allowed_idps, 15 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the log in button on the landing page.
    - `button_text_color: optional string` The color of the text in the log in button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page. - `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication { id, app_launcher_visible, aud, 6 more }` - `id: optional string` UUID. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `domain: optional string` The URL or domain of the bookmark. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. 
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. 
- `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `InfrastructureApplication { target_criteria, type, id, 3 more }` - `target_criteria: array of { port, protocol, target_attributes }` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `id: optional string` UUID. - `aud: optional string` Audience tag. 
- `name: optional string` The name of the application. - `policies: optional array of { id, connection_rules, created_at, 6 more }` - `id: optional string` The UUID of the policy - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application. - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias: optional boolean` Enables using Identity Provider email alias as SSH username. - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `name: optional string` The name of the Access policy. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
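Worked example (added for this reference; not Cloudflare's code): a small evaluator that applies the `include` (OR), `exclude` (NOT) and `require` (AND) semantics from the policy schema above, then walks an application's policies in `precedence` order and takes the first matching policy's `decision`. The first-match walk and the field names nested inside each rule object (`email.email`, `email_domain.domain`, `group.id`, `ip.ip`, `geo.country_code`, `service_token.token_id`) are this example's assumptions, since the schema lists only the outer rule keys; the policies and requester identities are constructed.

```python
"""Evaluate Access policies as the include/exclude/require lists above describe.

Added example, not Cloudflare's code. The nested field names inside each rule object
(`email.email`, `email_domain.domain`, `group.id`, `ip.ip`, `geo.country_code`,
`service_token.token_id`) and the first-match walk in `decide` are assumptions; the
schema above lists only the outer rule keys.
"""
import ipaddress
from typing import Any, Callable

Identity = dict[str, Any]  # what is known about the requester (constructed shape)


def _email(body: dict, who: Identity) -> bool:
    return who.get("email", "").lower() == body["email"].lower()

def _email_domain(body: dict, who: Identity) -> bool:
    email = who.get("email", "")
    return "@" in email and email.rsplit("@", 1)[1].lower() == body["domain"].lower()

def _ip(body: dict, who: Identity) -> bool:
    if not who.get("ip"):
        return False  # no source address known: a CIDR rule cannot match
    return ipaddress.ip_address(who["ip"]) in ipaddress.ip_network(body["ip"], strict=False)

# One matcher per rule kind (the outer key of an AccessRule object).
MATCHERS: dict[str, Callable[[dict, Identity], bool]] = {
    "everyone": lambda body, who: True,
    "email": _email,
    "email_domain": _email_domain,
    "group": lambda body, who: body["id"] in who.get("groups", []),
    "ip": _ip,
    "geo": lambda body, who: who.get("country", "").upper() == body["country_code"].upper(),
    "any_valid_service_token": lambda body, who: who.get("service_token_id") is not None,
    "service_token": lambda body, who: who.get("service_token_id") == body["token_id"],
}

def rule_matches(rule: dict, who: Identity) -> bool:
    """An AccessRule object carries exactly one key naming its kind, e.g. {"email": {...}}."""
    if len(rule) != 1:
        raise ValueError(f"malformed rule: {rule!r}")
    (kind, body), = rule.items()
    if kind not in MATCHERS:
        # Fail closed: an unknown kind silently treated as "no match" would widen
        # access if it sat in an exclude list.
        raise ValueError(f"unsupported rule kind: {kind}")
    return MATCHERS[kind](body, who)

def policy_matches(policy: dict, who: Identity) -> bool:
    """include = OR (at least one), exclude = NOT (none), require = AND (all)."""
    if not any(rule_matches(r, who) for r in policy.get("include", [])):
        return False  # an empty include list matches nobody
    if any(rule_matches(r, who) for r in policy.get("exclude", [])):
        return False
    return all(rule_matches(r, who) for r in policy.get("require", []))

def decide(policies: list[dict], who: Identity) -> str:
    """Walk the policies in precedence order; the first match decides, no match denies."""
    for policy in sorted(policies, key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, who):
            return policy["decision"]
    return "deny"

# Constructed sample policies, deliberately listed out of precedence order.
SAMPLE_POLICIES = [
    {"name": "Staff on enrolled devices", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}, {"group": {"id": "grp-sre"}}],
     "exclude": [{"geo": {"country_code": "KP"}}],
     "require": [{"group": {"id": "grp-mfa-enrolled"}}]},
    {"name": "CI pipeline", "precedence": 3, "decision": "non_identity",
     "include": [{"service_token": {"token_id": "tok-ci"}}]},
    {"name": "Contractors only from the office", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"ip": {"ip": "203.0.113.0/24"}}]},
]

# Constructed requesters.
SAMPLE_IDENTITIES = {
    "staff": {"email": "alice@example.com", "groups": ["grp-mfa-enrolled"],
              "ip": "198.51.100.7", "country": "US"},
    "staff_unenrolled": {"email": "dave@example.com", "groups": [],
                         "ip": "198.51.100.7", "country": "US"},
    "contractor_remote": {"email": "bob@contractor.example", "ip": "198.51.100.9",
                          "groups": ["grp-sre", "grp-mfa-enrolled"], "country": "US"},
    "contractor_office": {"email": "bob@contractor.example", "ip": "203.0.113.5",
                          "groups": ["grp-sre", "grp-mfa-enrolled"], "country": "US"},
    "ci": {"service_token_id": "tok-ci", "ip": "203.0.113.40"},
}

def run_samples() -> dict[str, str]:
    return {name: decide(SAMPLE_POLICIES, who) for name, who in SAMPLE_IDENTITIES.items()}

if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:18} -> {outcome}")
```

The two contractor cases show why `precedence` matters: off the office range, the precedence-1 deny policy matches first even though the precedence-2 policy would allow the same person; on `203.0.113.0/24` the `exclude` rule removes them from the deny policy and evaluation falls through to the allow. An unknown rule kind raises instead of matching nothing, so a typo in an `exclude` list cannot silently widen access.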
    - `updated_at: optional string`
- `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iframe.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow more flexibility in defining different types of domains. If `destinations` is provided, `self_hosted_domains` is ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard `*` can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. A single IP is treated as a /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in AI Controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in AI Controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be enabled if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
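Worked example (added for this reference; not Cloudflare's code): validators for the `mfa_config` and `oauth_configuration` objects above, covering the `300ms`/`2h45m` duration format, the minutes-or-hours 0m to 720h limit on the MFA session, and the dynamic client registration redirect URI rules (`https`-only `allowed_uris`, the `/*` suffix for sub-paths, and the localhost/loopback allowances). How an exact entry and a `/*` entry are matched, and that plain `http` is accepted only on localhost/127.0.0.1, are this example's reading of the field descriptions rather than documented behaviour; the sample configurations are constructed.

```python
"""Validators for the mfa_config and oauth_configuration objects described above.

Added example, not Cloudflare's code. The schema states the formats; how `allowed_uris`
entries are matched (exact, or prefix when the entry ends in `/*`) and that plain http
is accepted only under the localhost/loopback allowances are this example's assumptions.
"""
import re
from fractions import Fraction
from urllib.parse import urlsplit

# Units of the `300ms` / `2h45m` format: ns, us (or µs), ms, s, m, h.
_UNIT_NS = {"ns": 1, "us": 1_000, "\u00b5s": 1_000, "ms": 1_000_000,
            "s": 10**9, "m": 60 * 10**9, "h": 3_600 * 10**9}
_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|\u00b5s|ms|s|m|h)")
_MFA_RE = re.compile(r"(\d+)([mh])")
_MFA_MAX_MINUTES = 720 * 60  # 720h (30 days)
_AUTHENTICATORS = {"totp", "biometrics", "security_key"}

def parse_duration_ns(text: str) -> int:
    """Parse `300ms`, `2h45m`, `1.5h`, ... into nanoseconds; raise ValueError otherwise."""
    if not text:
        raise ValueError("empty duration")
    total, pos = Fraction(0), 0
    while pos < len(text):
        part = _PART.match(text, pos)
        if part is None:
            raise ValueError(f"bad duration {text!r}: expected <number><unit> at offset {pos}")
        total += Fraction(part.group(1)) * _UNIT_NS[part.group(2)]
        pos = part.end()
    return int(total)

def validate_mfa_session_duration(text: str) -> int:
    """mfa_config.session_duration: whole minutes (m) or hours (h), 0m..720h. Returns minutes."""
    match = _MFA_RE.fullmatch(text or "")
    if match is None:
        raise ValueError(f"must look like 5m or 24h, got {text!r}")
    minutes = int(match.group(1)) * (60 if match.group(2) == "h" else 1)
    if minutes > _MFA_MAX_MINUTES:
        raise ValueError(f"exceeds 720h: {text!r}")
    return minutes

def validate_mfa_config(cfg: dict) -> list[str]:
    """Return the problems found in an mfa_config object (an empty list means it is valid)."""
    problems = [f"allowed_authenticators: unknown method {m!r}"
                for m in cfg.get("allowed_authenticators", []) if m not in _AUTHENTICATORS]
    if "session_duration" in cfg:
        try:
            validate_mfa_session_duration(cfg["session_duration"])
        except ValueError as err:
            problems.append(f"session_duration: {err}")
    return problems

def redirect_uri_allowed(uri: str, dcr: dict) -> bool:
    """Would a dynamically registering client be allowed to register `uri` as a redirect URI?"""
    parts = urlsplit(uri)
    # RFC 6749 section 3.1.2: a redirect URI must not contain a fragment. Dot segments are
    # refused too, so `/cb/../admin` cannot satisfy a `/cb/*` entry after normalisation.
    if parts.fragment or any(seg in (".", "..") for seg in parts.path.split("/")):
        return False
    host = (parts.hostname or "").lower()
    if dcr.get("allow_any_on_localhost") and host == "localhost":
        return parts.scheme in ("http", "https")  # assumption: RFC 8252-style native clients
    if dcr.get("allow_any_on_loopback") and host == "127.0.0.1":
        return parts.scheme in ("http", "https")
    if parts.scheme != "https":
        return False
    for allowed in dcr.get("allowed_uris", []):
        if allowed.endswith("/*"):
            # Keep the trailing slash in the prefix: `/cb/*` covers `/cb/x`, not `/cb` or `/cbx`.
            if uri.startswith(allowed[:-1]):
                return True
        elif uri == allowed:
            return True
    return False

def validate_oauth_configuration(cfg: dict) -> list[str]:
    """Return the problems found in an oauth_configuration object (an empty list means valid)."""
    problems: list[str] = []
    for key, value in cfg.get("grant", {}).items():  # access_token_lifetime, session_duration
        try:
            parse_duration_ns(value)
        except ValueError as err:
            problems.append(f"grant.{key}: {err}")
    dcr = cfg.get("dynamic_client_registration", {})
    if dcr.get("enabled"):
        problems += [f"allowed_uris: not https: {u!r}"
                     for u in dcr.get("allowed_uris", []) if urlsplit(u).scheme != "https"]
        if not (dcr.get("allowed_uris") or dcr.get("allow_any_on_localhost")
                or dcr.get("allow_any_on_loopback")):
            problems.append("dynamic_client_registration: enabled but no redirect URI is permitted")
    return problems

# Constructed sample configurations.
SAMPLE_OAUTH_CONFIG = {
    "enabled": True,
    "dynamic_client_registration": {
        "enabled": True,
        "allowed_uris": ["https://app.example.com/cb/*", "https://cli.example.com/callback"],
        "allow_any_on_localhost": True,
        "allow_any_on_loopback": False,
    },
    "grant": {"access_token_lifetime": "15m", "session_duration": "2h45m"},
}
SAMPLE_MFA_CONFIG = {"allowed_authenticators": ["security_key", "totp"], "session_duration": "24h"}
```

`allow_any_on_localhost` and `allow_any_on_loopback` let any client register a native-app style redirect target, so keep them off on production applications unless you ship such a client. The matcher rejects fragments and dot segments before prefix matching: an attacker who could register `https://app.example.com/cb/../admin` against an `https://app.example.com/cb/*` entry would otherwise have the authorization response delivered to `/admin` once the browser normalises the path.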
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. 
    - `enabled: optional boolean` Whether or not this mapping is enabled.
    - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
    - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application; one of the following.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": ["699d98642c564d2e855e9661899b7252"],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": ["string"],
      "allowed_methods": ["GET"],
      "allowed_origins": ["https://example.com"],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": ["699d98642c564d2e855e9661899b7252"],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": ["https://example.com/callback"],
        "enabled": true
      },
      "enabled": true,
      "grant": { "access_token_lifetime": "5m", "session_duration": "24h" }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": ["text"],
            "allowed_clipboard_remote_to_local_formats": ["text"]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": ["totp", "biometrics", "security_key"],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": { "password": "password", "scheme": "httpbasic", "user": "user" },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": ["test.example.com/admin", "test.anotherexample.com/staff"],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": ["engineers"],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Add an Access application

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps`

Adds a new application to Access.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `body: { domain, type, allow_authenticate_via_warp, 28 more } or { allowed_idps, app_launcher_visible, auto_redirect_to_identity, 8 more } or { domain, type, allow_authenticate_via_warp, 28 more } or 10 more` Contains the targets secured by the application.
  - `SelfHostedApplication { domain, type, allow_authenticate_via_warp, 28 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
- `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of AllowedOrigins` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. 
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be enabled if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: string` Password used to authenticate with the remote SCIM service.
        - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: string` User name used to authenticate with the remote SCIM service.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: string` URL used to generate the auth code used during token generation.
        - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
        - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
        - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication { allowed_idps, app_launcher_visible, auto_redirect_to_identity, 8 more }`
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
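The `oauth_configuration.dynamic_client_registration` settings described above (`allowed_uris`, `allow_any_on_localhost`, `allow_any_on_loopback`, `enabled`) decide which redirect URIs a self-registering OAuth client may use, which is the control that keeps authorization codes from being sent to an attacker-chosen endpoint. The Go block below is an added example written for this page, not Cloudflare's implementation, showing how a reviewer or a pre-deployment check can apply those rules to a candidate redirect URI. The matching semantics are assumptions taken from the field descriptions: an `allowed_uris` entry must be `https`, an entry ending in `/*` matches any sub-path of its prefix and any other entry matches exactly; the localhost rule matches the host name `localhost`, the loopback rule matches `127.0.0.1` only; fragments and `..` path segments are rejected as a defensive choice, not because the page says so.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// DynamicClientRegistration carries the four settings documented under
// oauth_configuration.dynamic_client_registration.
type DynamicClientRegistration struct {
	Enabled             bool
	AllowAnyOnLocalhost bool
	AllowAnyOnLoopback  bool
	AllowedURIs         []string
}

// RedirectURIAllowed reports whether a redirect URI proposed by a client that
// registers dynamically would be accepted under these settings. The rules are
// an assumption derived from the field descriptions (not Cloudflare's code):
//   - allow_any_on_localhost accepts any URI whose host is "localhost";
//   - allow_any_on_loopback accepts any URI whose host is 127.0.0.1;
//   - otherwise the URI must be https and match an allowed_uris entry, where an
//     entry ending in "/*" matches all sub-paths and any other entry matches exactly.
func (d DynamicClientRegistration) RedirectURIAllowed(raw string) (bool, error) {
	if !d.Enabled {
		return false, errors.New("dynamic client registration is disabled")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	if u.Scheme == "" || u.Host == "" {
		return false, errors.New("redirect URI must be absolute")
	}
	// RFC 6749 section 3.1.2 forbids fragments in redirect URIs.
	if u.Fragment != "" {
		return false, errors.New("redirect URI must not contain a fragment")
	}
	// Reject traversal so "/oauth/../admin" cannot ride on an "/oauth/*" entry.
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == ".." {
			return false, errors.New("redirect URI path must not contain '..'")
		}
	}
	host := strings.ToLower(u.Hostname())
	if d.AllowAnyOnLocalhost && host == "localhost" {
		return true, nil
	}
	if d.AllowAnyOnLoopback {
		if ip := net.ParseIP(host); ip != nil && ip.Equal(net.IPv4(127, 0, 0, 1)) {
			return true, nil
		}
	}
	if u.Scheme != "https" {
		return false, errors.New("redirect URI must use https")
	}
	for _, entry := range d.AllowedURIs {
		if matchesEntry(entry, u) {
			return true, nil
		}
	}
	return false, fmt.Errorf("redirect URI %q matches no allowed_uris entry", raw)
}

// matchesEntry compares one allowed_uris entry against a parsed candidate URI.
func matchesEntry(entry string, u *url.URL) bool {
	p, err := url.Parse(entry)
	if err != nil || p.Scheme != "https" {
		return false // malformed or non-https entries never match
	}
	if !strings.EqualFold(p.Host, u.Host) {
		return false
	}
	if strings.HasSuffix(p.Path, "/*") {
		prefix := strings.TrimSuffix(p.Path, "*") // "/oauth/*" -> "/oauth/"
		return strings.HasPrefix(u.Path, prefix)
	}
	return p.Path == u.Path && p.RawQuery == u.RawQuery
}

func main() {
	// Constructed configuration and candidate URIs for illustration only.
	cfg := DynamicClientRegistration{
		Enabled:            true,
		AllowAnyOnLoopback: true,
		AllowedURIs:        []string{"https://app.example.com/cb", "https://tools.example.com/oauth/*"},
	}
	for _, uri := range []string{
		"https://app.example.com/cb",
		"https://tools.example.com/oauth/callback",
		"http://127.0.0.1:8080/cb",
		"http://tools.example.com/oauth/callback",
		"https://tools.example.com/oauth/../admin",
	} {
		ok, err := cfg.RedirectURIAllowed(uri)
		fmt.Printf("%-45s allowed=%v err=%v\n", uri, ok, err)
	}
}
```

The loopback exception fires before the `https` check because local development clients typically listen on plain HTTP; everything else must be `https` and on the allow list. IPv6 loopback (`::1`) is deliberately not covered because the field description names 127.0.0.1 only.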
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
    - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
      - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
        - `friendly_name: optional string` The SAML FriendlyName of the attribute.
        - `name: optional string` The name of the attribute.
        - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: optional boolean` If the attribute is required when building a SAML assertion.
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP attribute.
          - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
            - `idp_id: optional string` The UID of the IdP.
            - `source_name: optional string` The name of the IdP provided attribute.
      - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IDP initiated logins.
      - `idp_entity_id: optional string` The unique identifier for your SaaS application.
      - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
      - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
      - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: optional boolean` Whether a client secret should be required on the token endpoint when the `authorization_code_with_pkce` grant is used.
      - `app_launcher_url: optional string` The URL where this application's tile redirects users.
      - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the saas app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: optional string` The application client id.
      - `client_secret: optional string` The application client secret, only returned on POST request.
      - `custom_claims: optional array of { name, required, scope, source }`
        - `name: optional string` The name of the claim.
        - `required: optional boolean` If the claim is required when building an OIDC token.
        - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP claim.
          - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
      - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
        - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: optional array of string` The permitted URLs to which Cloudflare returns authorization codes and Access/ID tokens.
      - `refresh_token_options: optional { lifetime }`
        - `lifetime: optional string` How long a refresh token will be valid after creation. Valid units are m,h,d. Must be longer than 1m.
      - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access. The "offline_access" scope is automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `BrowserSSHApplication { domain, type, allow_authenticate_via_warp, 28 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
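The schema above uses four distinct duration grammars that are easy to mix up when building a request: the application-level and policy-level `session_duration` and the `oauth_configuration.grant` lifetimes take the `300ms` / `2h45m` form with units ns, us (or µs), ms, s, m, h; `mfa_config.session_duration` takes minutes or hours only, from 0m to 720h; the OIDC `access_token_lifetime` takes m or h between 1m and 24h; and `refresh_token_options.lifetime` takes m, h or d and must exceed 1m. The Go block below is an added example, not Cloudflare's code, that validates each format client-side so a misconfigured lifetime is caught before the request is sent. Two assumptions are labelled in the comments: the MFA field is treated as a single integer plus unit (the shape of the documented examples `5m` and `24h`), and the m/h/d fields accept concatenated tokens such as `1h30m`, which the page neither confirms nor rules out.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// ValidateGoDuration checks the "300ms" / "2h45m" format used by the
// application-level session_duration, the policy session_duration and the
// access_token_lifetime / session_duration under oauth_configuration.grant.
// The documented unit set (ns, us or µs, ms, s, m, h) is exactly the grammar
// of Go's time.ParseDuration, so that parser is reused here.
func ValidateGoDuration(s string) (time.Duration, error) {
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, err
	}
	if d < 0 {
		return 0, fmt.Errorf("duration %q must not be negative", s)
	}
	return d, nil
}

var mfaDurationRE = regexp.MustCompile(`^(\d+)([mh])$`)

// ValidateMFASessionDuration checks mfa_config.session_duration: minutes (m)
// or hours (h) only, minimum 0m, maximum 720h. Assumption: a single integer
// followed by one unit, which is the shape of the documented examples 5m and 24h.
func ValidateMFASessionDuration(s string) (time.Duration, error) {
	m := mfaDurationRE.FindStringSubmatch(s)
	if m == nil {
		return 0, fmt.Errorf("mfa session_duration %q must look like 5m or 24h", s)
	}
	n, err := strconv.ParseInt(m[1], 10, 64)
	if err != nil {
		return 0, err
	}
	// Bound-check the integer before multiplying so huge inputs cannot overflow.
	if (m[2] == "h" && n > 720) || (m[2] == "m" && n > 720*60) {
		return 0, fmt.Errorf("mfa session_duration %q exceeds the 720h maximum", s)
	}
	if m[2] == "h" {
		return time.Duration(n) * time.Hour, nil
	}
	return time.Duration(n) * time.Minute, nil
}

var unitSize = map[string]time.Duration{"m": time.Minute, "h": time.Hour, "d": 24 * time.Hour}

var unitTokenRE = regexp.MustCompile(`(\d+)([mhd])`)

// parseUnitDuration sums one or more integer+unit tokens (e.g. "1h30m") whose
// units are drawn from allowed. Assumption: several concatenated tokens are
// accepted; the page only states which units are permitted.
func parseUnitDuration(s string, allowed string) (time.Duration, error) {
	full := regexp.MustCompile(`^(\d+[` + allowed + `])+$`)
	if !full.MatchString(s) {
		return 0, fmt.Errorf("%q must be one or more integers with units from %q", s, allowed)
	}
	var total time.Duration
	for _, tok := range unitTokenRE.FindAllStringSubmatch(s, -1) {
		n, err := strconv.ParseInt(tok[1], 10, 64)
		if err != nil || n > 1_000_000 {
			return 0, fmt.Errorf("%q: component %q is too large", s, tok[0])
		}
		total += time.Duration(n) * unitSize[tok[2]]
	}
	return total, nil
}

// ValidateOIDCAccessTokenLifetime checks saas_app.access_token_lifetime for
// OIDC apps: units m and h, between 1m and 24h inclusive.
func ValidateOIDCAccessTokenLifetime(s string) (time.Duration, error) {
	d, err := parseUnitDuration(s, "mh")
	if err != nil {
		return 0, err
	}
	if d < time.Minute || d > 24*time.Hour {
		return 0, fmt.Errorf("access_token_lifetime %q must be between 1m and 24h", s)
	}
	return d, nil
}

// ValidateRefreshTokenLifetime checks saas_app.refresh_token_options.lifetime:
// units m, h and d, and the value must be longer than 1m.
func ValidateRefreshTokenLifetime(s string) (time.Duration, error) {
	d, err := parseUnitDuration(s, "mhd")
	if err != nil {
		return 0, err
	}
	if d <= time.Minute {
		return 0, fmt.Errorf("refresh token lifetime %q must be longer than 1m", s)
	}
	return d, nil
}

func main() {
	// Constructed inputs: the same string is valid for some fields and not others.
	for _, s := range []string{"2h45m", "24h", "7d", "30s"} {
		_, e1 := ValidateGoDuration(s)
		_, e2 := ValidateMFASessionDuration(s)
		_, e3 := ValidateOIDCAccessTokenLifetime(s)
		_, e4 := ValidateRefreshTokenLifetime(s)
		fmt.Printf("%-6s session_duration=%v mfa=%v oidc_access=%v refresh=%v\n",
			s, e1 == nil, e2 == nil, e3 == nil, e4 == nil)
	}
}
```

Running `main` shows why one validator is not enough: `2h45m` is a valid `session_duration` but not a valid MFA duration, `7d` is valid only for the refresh token lifetime, and `30s` is valid only for the `time.ParseDuration`-style fields.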
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
- `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. 
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. 
- `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application. - `id: optional string` The UUID of the policy - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. 
- `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication { domain, type, allow_authenticate_via_warp, 28 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. 
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `allow_authenticate_via_warp: optional boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }` A policy created inline, exclusive to this application.
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `read_service_tokens_from_header: optional string` Allows matching Access service tokens passed in a single HTTP header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme Access uses when making SCIM requests to this application. One of:
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, allowed_idps, app_launcher_logo_url, 13 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in `allowed_idps`.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the log in button on the landing page.
    - `button_text_color: optional string` The color of the text in the log in button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }` A policy created inline, exclusive to this application.
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }`
  - `type: ApplicationType` The application type.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in `allowed_idps`.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application. - `id: optional string` The UUID of the policy - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. 
- `BrowserIsolationPermissionsApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }` - `type: ApplicationType` The application type. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application. - `id: optional string` The UUID of the policy - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
- `AccessSchemasUUID = string` The UUID of the policy - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. 
- `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }` - `type: ApplicationType` The application type. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. 
- `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: optional string` The name of the application. - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application. - `id: optional string` The UUID of the policy - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. 
- `BookmarkApplication { app_launcher_visible, domain, logo_url, 4 more }` - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `domain: optional string` The URL or domain of the bookmark. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application. - `id: optional string` The UUID of the policy - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. 
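The policy constraints the variants above repeat (token `session_duration` in `300ms`/`2h45m` form with units ns, us/µs, ms, s, m, h; MFA `session_duration` in minutes or hours between 0m and 720h; `precedence` unique within an app; `auto_redirect_to_identity` requiring exactly one entry in `allowed_idps`; `approvals_needed` required in each approval group; app-level `session_duration` unsupported for infrastructure applications) can be checked locally before a request is sent. The validator below is an added example, not Cloudflare's code; the payload it checks is constructed here, and the string `REUSABLE-POLICY-UUID` is a placeholder for an existing policy id.

```python
"""Pre-flight validator for an Access application request body.

Added example, not Cloudflare code. It enforces only the constraints stated in the
schema descriptions above, so a payload that passes here can still be rejected by the
API for reasons the schema does not spell out.
"""
import re
from typing import Any

# Token session_duration as the schema describes it ("300ms", "2h45m"); this is the
# Go-style duration grammar, approximated here as one or more number+unit groups.
_TOKEN_DURATION = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
# MFA session_duration: whole minutes or hours only, 0m .. 720h (30 days).
_MFA_DURATION = re.compile(r"^(\d+)(m|h)$")
_MFA_MAX_MINUTES = 720 * 60


def is_valid_token_duration(value: str) -> bool:
    """True if value is an acceptable token session_duration such as '300ms' or '2h45m'."""
    return bool(_TOKEN_DURATION.match(value))


def is_valid_mfa_duration(value: str) -> bool:
    """True if value is in minutes or hours and within the documented 0m..720h range."""
    m = _MFA_DURATION.match(value)
    if not m:
        return False
    amount, unit = int(m.group(1)), m.group(2)
    minutes = amount if unit == "m" else amount * 60
    return 0 <= minutes <= _MFA_MAX_MINUTES


def validate_application(app: dict[str, Any]) -> list[str]:
    """Return the list of documented constraints the payload violates (empty if none)."""
    problems: list[str] = []

    # auto_redirect_to_identity skips IdP selection, so exactly one IdP must be listed.
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps", [])) != 1:
        problems.append("auto_redirect_to_identity requires exactly one allowed_idps entry")

    # Application-level session_duration: token duration format, not for infrastructure apps.
    if "session_duration" in app:
        if app.get("type") == "infrastructure":
            problems.append("session_duration is unsupported for infrastructure applications")
        elif not is_valid_token_duration(app["session_duration"]):
            problems.append(f"session_duration {app['session_duration']!r} is not a valid duration")

    seen_precedence: set[int] = set()
    for i, policy in enumerate(app.get("policies", [])):
        if isinstance(policy, str):
            continue  # AccessSchemasUUID: a reference to a reusable policy, nothing to check locally
        prec = policy.get("precedence")
        if prec is not None:
            if prec in seen_precedence:
                problems.append(f"policies[{i}]: precedence {prec} is not unique within the app")
            seen_precedence.add(prec)
        if "session_duration" in policy and not is_valid_token_duration(policy["session_duration"]):
            problems.append(f"policies[{i}]: invalid session_duration {policy['session_duration']!r}")
        mfa = policy.get("mfa_config", {})
        if "session_duration" in mfa and not is_valid_mfa_duration(mfa["session_duration"]):
            problems.append(f"policies[{i}]: mfa_config.session_duration must be 0m..720h in m or h")
        for j, group in enumerate(policy.get("approval_groups", [])):
            if "approvals_needed" not in group:  # approvals_needed is the one required field
                problems.append(f"policies[{i}].approval_groups[{j}]: approvals_needed is required")
    return problems


# Constructed sample payload (not from the page) that violates five documented constraints.
SAMPLE_APP: dict[str, Any] = {
    "type": "self_hosted",
    "name": "internal-wiki",
    "domain": "wiki.example.com",
    "allowed_idps": ["idp-a", "idp-b"],
    "auto_redirect_to_identity": True,          # two IdPs listed: violation
    "session_duration": "24h",
    "policies": [
        "REUSABLE-POLICY-UUID",                 # placeholder reusable policy reference
        {"name": "Allow engineering", "precedence": 1, "session_duration": "2h45m",
         "mfa_config": {"session_duration": "5m"}},
        {"name": "Allow contractors", "precedence": 1,   # duplicate precedence: violation
         "session_duration": "90x",                      # unknown unit: violation
         "mfa_config": {"session_duration": "800h"},     # above 720h: violation
         "approval_groups": [{"email_addresses": ["approver@example.com"]}]},  # no approvals_needed
    ],
}

if __name__ == "__main__":
    for problem in validate_application(SAMPLE_APP):
        print(problem)
```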
- `InfrastructureApplication { target_criteria, type, name, policies }` - `target_criteria: array of { port, protocol, target_attributes }` - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols. - `protocol: "SSH"` The communication protocol your application secures. - `"SSH"` - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values. - `type: ApplicationType` The application type. - `name: optional string` The name of the application. - `policies: optional array of { decision, include, name, 3 more }` The policies that Access applies to the application. - `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. 
Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. 
- `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `name: string` The name of the Access policy. - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application. - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application. - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH. - `allow_email_alias: optional boolean` Enables using Identity Provider email alias as SSH username. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. 
- `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. 
- `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `BrowserRDPApplication { domain, target_criteria, type, 29 more }` Contains the targets secured by the application. - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. 
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
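The `allowed_uris`, `allow_any_on_localhost` and `allow_any_on_loopback` settings of `dynamic_client_registration` decide which redirect URIs a dynamically registered OAuth client may use, and a loose redirect-URI check is the classic way an authorization server leaks codes to an attacker-controlled host. The Python below is an added example, not code from the reference or from Cloudflare: it applies those three rules to a candidate redirect URI with the strictness a defender wants (exact scheme, host and port; path exact or a `/*` prefix). The configuration dict follows the field names on the page, the sample URIs are constructed, and the fragment check comes from RFC 6749 section 3.1.2 rather than from the page.

```python
from urllib.parse import urlsplit

# Constructed sample of the page's dynamic_client_registration object
# (field names from the reference; values are made up for this example).
DCR_CONFIG = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": [
        "https://app.example.com/oauth/callback",  # exact match only
        "https://agent.example.com/callbacks/*",   # '/*' matches all sub-paths
    ],
}


def _path_matches(allowed_path: str, candidate_path: str) -> bool:
    """Exact match, or prefix match when the allowed path ends in '/*'."""
    if allowed_path.endswith("/*"):
        prefix = allowed_path[:-1]  # keep the trailing slash: '/callbacks/' is required
        return candidate_path.startswith(prefix)
    return allowed_path == candidate_path


def redirect_uri_allowed(uri: str, config: dict = DCR_CONFIG) -> bool:
    """Decide whether `uri` is an acceptable redirect URI for a dynamically
    registered client under allow_any_on_localhost, allow_any_on_loopback
    and allowed_uris. Returns False for anything not explicitly permitted."""
    if not config.get("enabled", False):
        return False  # dynamic registration is off: nothing is accepted
    parts = urlsplit(uri)
    host = parts.hostname or ""  # urlsplit lower-cases the host for us
    if parts.fragment:
        return False  # RFC 6749 section 3.1.2: no fragments in redirect URIs (not from the page)
    # Local-development escape hatches: any scheme, port and path on that host.
    if host == "localhost" and config.get("allow_any_on_localhost"):
        return True
    if host == "127.0.0.1" and config.get("allow_any_on_loopback"):
        return True
    # Everything else must be https and match an allow-listed entry exactly
    # on host and port, and exactly or by '/*' prefix on path.
    if parts.scheme != "https":
        return False
    for allowed in config.get("allowed_uris", []):
        a = urlsplit(allowed)
        if a.scheme != "https":
            continue  # the reference requires https for allow-list entries
        if a.hostname != host or a.port != parts.port:
            continue
        if _path_matches(a.path or "/", parts.path or "/"):
            return True
    return False
```

Note that host comparison is exact, so `app.example.com.attacker.example` or a different port never matches, and the `/*` form only widens the path, never the host. The same check is worth running against the `allowed_uris` list itself when it is written, since a wildcard path on a broad host is equivalent to trusting every page on that host.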
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application; one of the following.
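Two duration grammars appear in this schema and are easy to confuse: the Go-style `300ms` / `2h45m` strings (units ns, us or µs, ms, s, m, h) used by the application and policy `session_duration` and by the OAuth `grant` settings, and the MFA `session_duration`, which must be whole minutes or hours between `0m` and `720h`. The Python below is an added example, not code from the reference or from Cloudflare: it validates both forms before a request body is sent, so a mistyped lifetime is caught locally instead of producing a surprising token lifetime. It accepts the same grammar as Go's `time.ParseDuration` (including a bare `0`), except that a fraction without a leading digit such as `.5h` is rejected.

```python
import re
from fractions import Fraction

# Nanoseconds per unit for the Go-style duration strings the reference uses.
_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,  # U+00B5 micro sign
    "μs": 1_000,  # U+03BC Greek mu, also accepted by Go
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# Two-letter units are listed before "s"/"m"/"h" so "ms" is never read as "m".
_GO_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h)")


def parse_go_duration(text: str) -> int:
    """Parse a Go-style duration ('300ms', '2h45m', '1.5h', '0') into whole
    nanoseconds, or raise ValueError. Every number must carry a unit and the
    string must be consumed completely; nothing is guessed."""
    if text == "0":
        return 0
    pos, total = 0, Fraction(0)
    while pos < len(text):
        m = _GO_TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        total += Fraction(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    if pos == 0:
        raise ValueError("empty duration")
    return int(total)


def is_valid_go_duration(text: str) -> bool:
    """True when `text` satisfies the `300ms` / `2h45m` grammar."""
    try:
        parse_go_duration(text)
        return True
    except ValueError:
        return False


# MFA session_duration: whole minutes (m) or hours (h), minimum 0m, maximum 720h.
_MFA_DURATION = re.compile(r"^(\d+)(m|h)$")
MFA_MAX_MINUTES = 720 * 60


def mfa_session_minutes(text: str) -> int:
    """Validate an mfa_config.session_duration value and return it in minutes."""
    m = _MFA_DURATION.match(text)
    if m is None:
        raise ValueError(f"MFA session duration must look like '5m' or '24h', got {text!r}")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > MFA_MAX_MINUTES:
        raise ValueError(f"{text!r} exceeds the 720h maximum")
    return minutes


def is_valid_mfa_session_duration(text: str) -> bool:
    """True when `text` is an acceptable MFA session_duration."""
    try:
        mfa_session_minutes(text)
        return True
    except ValueError:
        return False
```

A value that is valid in one grammar is not necessarily valid in the other: `300ms` is a fine token `session_duration` but is rejected for MFA, and `24h` passes both. Validating both before the call, rather than after a 4xx response, keeps the check next to the configuration it guards.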
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication { type, allow_authenticate_via_warp, allowed_idps, 16 more }`
  - `type: ApplicationType` The application type.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application; one of the following.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication { type, allow_authenticate_via_warp, allowed_idps, 17 more }`
  - `type: ApplicationType` The application type.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
- `type: optional "private"`
- `"private"`
- `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
- `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
- `mcp_server_id: optional string` The MCP server id configured in ai-controls.
- `type: optional "via_mcp_server_portal"`
- `"via_mcp_server_portal"`
- `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
- `name: optional string` The name of the application.
- `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
- `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
- `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
- `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
- `enabled: optional boolean` Whether dynamic client registration is enabled.
- `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
- `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
- `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
- `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
- `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
- `id: optional string` The UUID of the policy.
- `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `AccessSchemasUUID = string` The UUID of the policy.
- `{ id, approval_groups, approval_required, 7 more }`
- `id: optional string` The UUID of the policy.
- `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
- `approvals_needed: number` The number of approvals needed to obtain access.
- `email_addresses: optional array of string` A list of emails that can approve the access request.
- `email_list_uuid: optional string` The UUID of a re-usable email list.
- `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
- `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"`
- `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
- `"text"`
- `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
- `"totp"`
- `"biometrics"`
- `"security_key"`
- `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
- `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
- `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `remote_uri: string` The base URI for the application's SCIM-compatible API.
- `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"`
- `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
- `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"`
- `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
- `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `schema: string` Which SCIM resource type this mapping applies to.
- `enabled: optional boolean` Whether or not this mapping is enabled.
- `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
- `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
- `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
- `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Returns

- `errors: array of { code, message, documentation_url, source }`
- `code: number`
- `message: string`
- `documentation_url: optional string`
- `source: optional { pointer }`
- `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
- `code: number`
- `message: string`
- `documentation_url: optional string`
- `source: optional { pointer }`
- `pointer: optional string`
- `success: true` Whether the API call was successful.
- `true`
- `result: optional { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more`
- `SelfHostedApplication { domain, type, id, 30 more }`
- `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- `type: ApplicationType` The application type.
- `"self_hosted"`
- `"saas"`
- `"ssh"`
- `"vnc"`
- `"app_launcher"`
- `"warp"`
- `"biso"`
- `"bookmark"`
- `"dash_sso"`
- `"infrastructure"`
- `"rdp"`
- `"mcp"`
- `"mcp_portal"`
- `"proxy_endpoint"`
- `id: optional string` UUID.
- `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- `allow_iframe: optional boolean` Enables loading application content in an iFrame.
- `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
- `aud: optional string` Audience tag.
- `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
- `cors_headers: optional CORSHeaders`
- `allow_all_headers: optional boolean` Allows all HTTP request headers.
- `allow_all_methods: optional boolean` Allows all HTTP request methods.
- `allow_all_origins: optional boolean` Allows all origins.
- `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
- `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
- `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
- `"GET"`
- `"POST"`
- `"HEAD"`
- `"PUT"`
- `"DELETE"`
- `"CONNECT"`
- `"OPTIONS"`
- `"TRACE"`
- `"PATCH"`
- `allowed_origins: optional array of AllowedOrigins` Allowed origins.
- `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
- `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
- `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
- `type: optional "public"`
- `"public"`
- `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
- `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
- `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
- `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
- `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
- `"tcp"`
- `"udp"`
- `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
- `type: optional "private"`
- `"private"`
- `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
- `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
- `mcp_server_id: optional string` The MCP server id configured in ai-controls.
- `type: optional "via_mcp_server_portal"`
- `"via_mcp_server_portal"`
- `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
- `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
- `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
- `"totp"`
- `"biometrics"`
- `"security_key"`
- `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: optional string` The name of the application.
- `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
- `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
- `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
- `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
- `enabled: optional boolean` Whether dynamic client registration is enabled.
- `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
- `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
- `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
- `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
- `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
- `policies: optional array of { id, approval_groups, approval_required, 14 more }`
- `id: optional string` The UUID of the policy.
- `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
- `approvals_needed: number` The number of approvals needed to obtain access.
- `email_addresses: optional array of string` A list of emails that can approve the access request.
- `email_list_uuid: optional string` The UUID of a re-usable email list.
- `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
- `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"`
- `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
- `"text"`
- `created_at: optional string`
- `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `"allow"`
- `"deny"`
- `"non_identity"`
- `"bypass"`
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
- `GroupRule { group }` Matches an Access group.
- `group: { id }`
- `id: string` The ID of a previously created Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
- `any_valid_service_token: { }` An empty object which matches on all service tokens.
- `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `auth_context: { id, ac_id, identity_provider_id }`
- `id: string` The ID of an Authentication context.
- `ac_id: string` The ACID of an Authentication context.
- `identity_provider_id: string` The ID of your Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
- `auth_method: { auth_method }`
- `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
- `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `azureAD: { id, identity_provider_id }`
- `id: string` The ID of an Azure group.
- `identity_provider_id: string` The ID of your Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate.
- `certificate: { }`
- `AccessCommonNameRule { common_name }` Matches a specific common name.
- `common_name: { common_name }`
- `common_name: string` The common name to match.
- `CountryRule { geo }` Matches a specific country.
- `geo: { country_code }`
- `country_code: string` The country code that should be matched.
- `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
- `device_posture: { integration_uid }`
- `integration_uid: string` The ID of a device posture integration.
- `DomainRule { email_domain }` Matches an entire email domain.
- `email_domain: { domain }`
- `domain: string` The email domain to match.
- `EmailListRule { email_list }` Matches an email address from a list.
- `email_list: { id }`
- `id: string` The ID of a previously created email list.
- `EmailRule { email }` Matches a specific email.
- `email: { email }`
- `email: string` The email of the user.
- `EveryoneRule { everyone }` Matches everyone.
- `everyone: { }` An empty object which matches on all users.
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
- `external_evaluation: { evaluate_url, keys_url }`
- `evaluate_url: string` The API endpoint containing your business logic.
- `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
- `"github-organization": { identity_provider_id, name, team }`
- `identity_provider_id: string` The ID of your GitHub identity provider.
- `name: string` The name of the organization.
- `team: optional string` The name of the team.
- `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `gsuite: { email, identity_provider_id }`
- `email: string` The email of the Google Workspace group.
- `identity_provider_id: string` The ID of your Google Workspace identity provider.
- `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
- `login_method: { id }`
- `id: string` The ID of an identity provider.
- `IPListRule { ip_list }` Matches an IP address from a list.
- `ip_list: { id }`
- `id: string` The ID of a previously created IP list.
- `IPRule { ip }` Matches an IP address block.
- `ip: { ip }`
- `ip: string` An IPv4 or IPv6 CIDR block.
- `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
- `okta: { identity_provider_id, name }`
- `identity_provider_id: string` The ID of your Okta identity provider.
- `name: string` The name of the Okta group.
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
- `saml: { attribute_name, attribute_value, identity_provider_id }`
- `attribute_name: string` The name of the SAML attribute.
- `attribute_value: string` The SAML attribute value to look for.
- `identity_provider_id: string` The ID of your SAML identity provider.
- `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
- `oidc: { claim_name, claim_value, identity_provider_id }`
- `claim_name: string` The name of the OIDC claim.
- `claim_value: string` The OIDC claim value to look for.
- `identity_provider_id: string` The ID of your OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
- `service_token: { token_id }`
- `token_id: string` The ID of a Service Token.
- `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
- `linked_app_token: { app_uid }`
- `app_uid: string` The ID of an Access OIDC SaaS application.
- `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `user_risk_score: { user_risk_score }`
- `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
- `"low"`
- `"medium"`
- `"high"`
- `"unscored"`
- `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
- `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
- `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
- `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate.
- `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country.
- `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
- `DomainRule { email_domain }` Matches an entire email domain.
- `EmailListRule { email_list }` Matches an email address from a list.
- `EmailRule { email }` Matches a specific email.
- `EveryoneRule { everyone }` Matches everyone.
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
- `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
- `IPListRule { ip_list }` Matches an IP address from a list.
- `IPRule { ip }` Matches an IP address block.
- `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
- `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
- `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
- `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
- `"totp"`
- `"biometrics"`
- `"security_key"`
- `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: optional string` The name of the Access policy.
- `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
- `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
- `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate.
- `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed HTTP in a single header with this name. 
This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value is interpreted as a JSON object of the form `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`. - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (or, with AccessSCIMConfigMultiAuthentication, schemes) Access uses when making SCIM requests to this application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
- `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
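The `read_service_tokens_from_header` option above replaces the two `CF-Access-Client-Id` / `CF-Access-Client-Secret` headers with one header whose value is a small JSON object. The following is an added example, not Cloudflare's code, that packs a service token into that header the way a client would and parses it back the way a gateway in front of the origin would, rejecting anything that is not a JSON object with two non-empty string members. The header name `X-Access-Service-Token` is an assumed value for the option; the token values are the ones shown on the page.

```python
"""Added example (not Cloudflare's code): carrying an Access service token in the
single header named by `read_service_tokens_from_header`, and recovering it the
way a gateway in front of the origin would. The header name below is an assumed
value for that option; the token values are illustrative."""
import hmac
import json
from typing import Dict, Optional, Tuple

# Assumed value of read_service_tokens_from_header for this application.
HEADER_NAME = "X-Access-Service-Token"


def build_service_token_header(client_id: str, client_secret: str) -> Tuple[str, str]:
    """Pack both credentials into one header as the JSON object the page describes."""
    body = {"cf-access-client-id": client_id, "cf-access-client-secret": client_secret}
    return HEADER_NAME, json.dumps(body, separators=(",", ":"))


def parse_service_token_header(value: str) -> Optional[Tuple[str, str]]:
    """Return (client_id, client_secret), or None when the value is not a JSON
    object carrying two non-empty string members. Lists, numbers and non-string
    members are rejected rather than coerced."""
    try:
        obj = json.loads(value)
    except ValueError:
        return None
    if not isinstance(obj, dict):
        return None
    client_id = obj.get("cf-access-client-id")
    client_secret = obj.get("cf-access-client-secret")
    if not (isinstance(client_id, str) and client_id
            and isinstance(client_secret, str) and client_secret):
        return None
    return client_id, client_secret


def extract_credentials(headers: Dict[str, str],
                        single_header: str = HEADER_NAME) -> Optional[Tuple[str, str]]:
    """Accept either the single JSON header or the classic two-header pair.
    HTTP header names are case-insensitive, so compare them lower-cased."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if single_header.lower() in lowered:
        return parse_service_token_header(lowered[single_header.lower()])
    client_id = lowered.get("cf-access-client-id")
    client_secret = lowered.get("cf-access-client-secret")
    if client_id and client_secret:
        return client_id, client_secret
    return None


def credentials_match(presented: Optional[Tuple[str, str]],
                      expected_id: str, expected_secret: str) -> bool:
    """Constant-time comparison of both halves; both are evaluated before they
    are combined so a wrong ID does not short-circuit the secret check."""
    if presented is None:
        return False
    id_ok = hmac.compare_digest(presented[0].encode(), expected_id.encode())
    secret_ok = hmac.compare_digest(presented[1].encode(), expected_secret.encode())
    return id_ok and secret_ok


if __name__ == "__main__":
    # Constructed token values; real ones are issued by Access.
    cid = "88bf3b6d86161464f6509f7219099e57.access.example.com"
    secret = "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
    name, value = build_service_token_header(cid, secret)
    print(name, value)
    print(credentials_match(extract_credentials({name: value}), cid, secret))  # True
    print(credentials_match(extract_credentials({name: "[1]"}), cid, secret))  # False
```

The single-header form is useful for clients that can set only one custom header; whichever form is used, the secret is still a bearer credential, so it should travel only over TLS and be rotated like any other service token.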
- `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `create: optional boolean` Whether or not this mapping applies to create (POST) operations. 
- `delete: optional boolean` Whether or not this mapping applies to DELETE operations. - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }` - `id: optional string` UUID. 
- `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method used to log in; use it to enforce specific MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list.
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method used to log in; use it to enforce specific MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization.
Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
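A policy object carries two duration fields with different grammars: `session_duration` takes a Go-style duration such as `300ms` or `2h45m` (units ns, us or µs, ms, s, m, h), while `mfa_config.session_duration` accepts only whole minutes or hours from `0m` to `720h`. The API rejects a mismatch, but a client-side check fails earlier and with a clearer message. The following is an added example, not Cloudflare's code, that parses both formats and reports which fields of a policy would be rejected; treating a sign prefix as invalid is this example's assumption, since a negative lifetime makes no sense for a session.

```python
"""Added example (not Cloudflare's code): validators for the two duration formats
used by Access policies. Rejecting a sign prefix is an assumption of this example."""
import re
from fractions import Fraction
from typing import Any, Dict, List

NANOSECONDS = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": 10**9, "m": 60 * 10**9, "h": 3_600 * 10**9,
}
# Two-letter units are listed before "m" so "ms" is not read as "m" plus junk.
_GO_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_MFA_TOKEN = re.compile(r"(\d+)(m|h)")
MFA_MAX_MINUTES = 720 * 60  # the documented 720h (30 day) ceiling


def parse_go_duration(text: str) -> int:
    """Return the total in nanoseconds. Raises ValueError for an empty string,
    a unit-less number other than "0", an unknown unit or trailing characters."""
    if text == "0":
        return 0  # Go's parser accepts a bare zero
    if not text:
        raise ValueError("empty duration")
    total = Fraction(0)  # exact arithmetic, so "1.5h" does not pick up float error
    pos = 0
    while pos < len(text):
        match = _GO_TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"bad duration {text!r} at offset {pos}")
        total += Fraction(match.group(1)) * NANOSECONDS[match.group(2)]
        pos = match.end()
    return int(total)


def validate_mfa_session_duration(text: str) -> int:
    """Return the value in minutes. Raises ValueError unless the text is Nm or Nh
    and within the 0m..720h range."""
    match = _MFA_TOKEN.fullmatch(text)
    if match is None:
        raise ValueError(f"MFA session duration must be minutes or hours, got {text!r}")
    amount, unit = int(match.group(1)), match.group(2)
    minutes = amount * 60 if unit == "h" else amount
    if minutes > MFA_MAX_MINUTES:
        raise ValueError(f"MFA session duration {text!r} exceeds 720h")
    return minutes


def check_policy_durations(policy: Dict[str, Any]) -> List[str]:
    """Return the dotted names of duration fields in a policy object that the
    API would reject, so a caller can stop before sending the request."""
    problems: List[str] = []
    if "session_duration" in policy:
        try:
            parse_go_duration(policy["session_duration"])
        except ValueError:
            problems.append("session_duration")
    mfa = policy.get("mfa_config") or {}
    if "session_duration" in mfa:
        try:
            validate_mfa_session_duration(mfa["session_duration"])
        except ValueError:
            problems.append("mfa_config.session_duration")
    return problems


if __name__ == "__main__":
    # Constructed policy: the token lifetime is valid, the MFA lifetime uses seconds.
    policy = {
        "name": "engineers",
        "session_duration": "2h45m",
        "mfa_config": {"allowed_authenticators": ["security_key"], "session_duration": "30s"},
    }
    print(check_policy_durations(policy))  # ['mfa_config.session_duration']
```

Note that the MFA grammar is a strict subset of the Go grammar: `24h` passes both checks, while `300ms` or `90s` is a valid token lifetime but never a valid MFA session length.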
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method used to log in; use it to enforce specific MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group.
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp` - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }` - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset. - `"saml"` - `"oidc"` - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }` - `friendly_name: optional string` The SAML FriendlyName of the attribute. - `name: optional string` The name of the attribute. - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` The SAML NameFormat of the attribute. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: optional boolean` If the attribute is required when building a SAML assertion.
- `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP attribute. - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name. - `idp_id: optional string` The UID of the IdP. - `source_name: optional string` The name of the IdP-provided attribute. - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id: optional string` The unique identifier for your SaaS application. - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: optional string` A globally unique name for an identity or service provider. - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }` - `access_token_lifetime: optional string` The lifetime of the OIDC access token after creation. Valid units are m,h.
Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: optional boolean` When `true`, the token endpoint does not require a client secret for the `authorization_code_with_pkce` grant (a public client can complete the flow with PKCE alone). - `app_launcher_url: optional string` The URL where this application's tile redirects users. - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: optional string` The application client ID. - `client_secret: optional string` The application client secret, only returned on POST request. - `custom_claims: optional array of { name, required, scope, source }` - `name: optional string` The name of the claim. - `required: optional boolean` If the claim is required when building an OIDC token. - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP claim. - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
- `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: optional string` A regex to filter the Cloudflare groups returned in the ID token and at the userinfo endpoint. - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }` - `return_access_token_from_authorization_endpoint: optional boolean` If an access token should be returned from the OIDC authorization endpoint. - `return_id_token_from_authorization_endpoint: optional boolean` If an ID token should be returned from the OIDC authorization endpoint. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `redirect_uris: optional array of string` The permitted URLs to which Cloudflare may return authorization codes and access/ID tokens. - `refresh_token_options: optional { lifetime }` - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API.
- `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (or, with AccessSCIMConfigMultiAuthentication, schemes) Access uses when making SCIM requests to this application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `BrowserSSHApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. 
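The `destinations` array above mixes three shapes, and the private shape has rules that are easy to get wrong: a bare IP is stored as a /32, `l4_protocol` is limited to `tcp`/`udp`, and `port_range` is either one port or a low-high pair. The following is an added example, not Cloudflare's code, that normalises private and `via_mcp_server_portal` destinations before they are sent, rejecting a CIDR with host bits set and a reversed or out-of-range port range instead of silently widening them. Treating a bare IPv6 address as a /128 extends the page's /32 rule and is an assumption, as is the hostname check, which is purely syntactic; the addresses and the MCP server ID used are constructed.

```python
"""Added example (not Cloudflare's code): building the private and
via_mcp_server_portal entries of an application's `destinations` list.
The /128 rule for bare IPv6 addresses and the hostname syntax check are
assumptions of this example; all sample values are constructed."""
import ipaddress
import re
from typing import Any, Dict, List, Optional

_PORT_RANGE = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?")
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def normalize_port_range(text: str) -> str:
    """Accept "443" or "8000-8080" and return the canonical form."""
    match = _PORT_RANGE.fullmatch(text)
    if match is None:
        raise ValueError(f"port range {text!r} is not N or N-M")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range {text!r} is reversed or out of range")
    return str(low) if low == high else f"{low}-{high}"


def private_destination(cidr: Optional[str] = None, hostname: Optional[str] = None,
                        l4_protocol: Optional[str] = None, port_range: Optional[str] = None,
                        vnet_id: Optional[str] = None) -> Dict[str, Any]:
    """Return a `{ "type": "private", ... }` destination with every field checked."""
    if cidr is None and hostname is None:
        raise ValueError("a private destination needs a cidr or a hostname")
    dest: Dict[str, Any] = {"type": "private"}
    if cidr is not None:
        # strict=True turns "10.1.2.3/24" into an error rather than quietly
        # widening it to 10.1.2.0/24; a bare address gets the maximal prefix
        # (/32 for IPv4 as the page states, /128 for IPv6 by assumption).
        dest["cidr"] = ipaddress.ip_network(cidr, strict=True).with_prefixlen
    if hostname is not None:
        host = hostname.lower().rstrip(".")
        if len(host) > 253 or _HOSTNAME.fullmatch(host) is None:
            raise ValueError(f"{hostname!r} is not a valid hostname")
        dest["hostname"] = host
    if l4_protocol is not None:
        if l4_protocol not in ("tcp", "udp"):
            raise ValueError("l4_protocol must be tcp or udp")
        dest["l4_protocol"] = l4_protocol
    if port_range is not None:
        dest["port_range"] = normalize_port_range(port_range)
    if vnet_id is not None:
        dest["vnet_id"] = vnet_id
    return dest


def via_mcp_server_portal(mcp_server_id: str) -> Dict[str, str]:
    """Destination for an MCP server (configured in ai-controls) reached through an MCP portal."""
    if not mcp_server_id:
        raise ValueError("mcp_server_id is required")
    return {"type": "via_mcp_server_portal", "mcp_server_id": mcp_server_id}


if __name__ == "__main__":
    destinations: List[Dict[str, Any]] = [
        private_destination(cidr="10.0.0.5", l4_protocol="tcp", port_range="8000-8080"),
        private_destination(hostname="internal.example.com"),
        via_mcp_server_portal("my-mcp-server"),
    ]
    print(destinations)
```

Omitting `l4_protocol` or `port_range` keeps the page's documented defaults (both protocols, all ports), so a destination that is meant to be narrow should always set both.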
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `BrowserVNCApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. 
This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. 
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
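The schema above states several constraints that the API will reject only after a round trip: `session_duration` must be a Go-style duration (`300ms`, `2h45m`), `mfa_config.session_duration` accepts only minutes or hours up to 720h, `precedence` must be unique per application, `auto_redirect_to_identity` needs exactly one entry in `allowed_idps`, `linked_app_token` rules work only with `non_identity` or `bypass` decisions, and infrastructure applications allow neither `session_duration` nor any decision other than Allow. The following pre-flight validator is an added example, not Cloudflare code: function names are hypothetical, duration magnitudes are restricted to integers (a simplification of Go's parser), the inner field names of rule bodies and the lowercase decision strings are assumptions, and the sample body is constructed with deliberate mistakes.

```python
"""Pre-flight checks for an Access application body (added example, not
Cloudflare code). Encodes constraints stated in the schema reference so a
malformed body is caught before it is sent. Function names are hypothetical;
decision strings are assumed to be the API's lowercase values."""
from __future__ import annotations
import re

# Go-style units accepted by session_duration, expressed in nanoseconds.
_UNIT_NS = {"ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6,
            "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_TOKEN = re.compile(r"(\d+)(ns|us|µs|ms|s|m|h)")
_MFA_DURATION = re.compile(r"(\d+)([mh])")
MFA_AUTHENTICATORS = {"totp", "biometrics", "security_key"}


def parse_duration(value: str) -> int:
    """Parse `300ms` or `2h45m` into nanoseconds. Integer magnitudes only
    (a simplification of Go's ParseDuration); anything else raises ValueError."""
    pos, total = 0, 0
    for m in _TOKEN.finditer(value):
        if m.start() != pos:          # a gap means an unrecognised character
            break
        total += int(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    if not value or pos != len(value):
        raise ValueError(f"invalid duration {value!r}")
    return total


def check_mfa_session_duration(value: str) -> int:
    """mfa_config.session_duration: minutes or hours only, 0m..720h."""
    if not _MFA_DURATION.fullmatch(value):
        raise ValueError(f"mfa session_duration {value!r} must use m or h")
    ns = parse_duration(value)
    if ns > 720 * _UNIT_NS["h"]:
        raise ValueError(f"mfa session_duration {value!r} exceeds 720h")
    return ns


def _duration_problem(label: str, value: str):
    try:
        parse_duration(value)
    except ValueError as exc:
        return f"{label}: {exc}"
    return None


def validate_application(app: dict) -> list[str]:
    """Return the list of problems found; an empty list means the body passes."""
    problems: list[str] = []
    infra = app.get("type") == "infrastructure"
    if "session_duration" in app:
        if infra:
            problems.append("session_duration is unsupported for infrastructure applications")
        elif (p := _duration_problem("session_duration", app["session_duration"])):
            problems.append(p)
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps", [])) != 1:
        problems.append("auto_redirect_to_identity requires exactly one allowed_idps entry")
    seen: dict[int, str] = {}
    for pol in app.get("policies", []):
        name = pol.get("name", "<unnamed>")
        prec = pol.get("precedence")
        if prec is not None:
            if prec in seen:
                problems.append(f"policy {name!r}: precedence {prec} already used by {seen[prec]!r}")
            seen[prec] = name
        if infra and pol.get("decision") != "allow":
            problems.append(f"policy {name!r}: infrastructure policies can only use the allow decision")
        if "session_duration" in pol and (p := _duration_problem(f"policy {name!r} session_duration", pol["session_duration"])):
            problems.append(p)
        mfa = pol.get("mfa_config", {})
        bad = set(mfa.get("allowed_authenticators", [])) - MFA_AUTHENTICATORS
        if bad:
            problems.append(f"policy {name!r}: unknown MFA authenticators {sorted(bad)}")
        if "session_duration" in mfa:
            try:
                check_mfa_session_duration(mfa["session_duration"])
            except ValueError as exc:
                problems.append(f"policy {name!r}: {exc}")
        # linked_app_token rules are only compatible with non_identity and bypass decisions.
        uses_linked = any("linked_app_token" in r for b in ("include", "exclude", "require") for r in pol.get(b, []))
        if uses_linked and pol.get("decision") not in ("non_identity", "bypass"):
            problems.append(f"policy {name!r}: linked_app_token requires a non_identity or bypass decision")
    return problems


# Constructed sample body with deliberate mistakes (rule body field names are assumptions).
SAMPLE_APP = {
    "type": "self_hosted", "name": "internal wiki", "session_duration": "24h",
    "auto_redirect_to_identity": True,
    "allowed_idps": ["idp-okta", "idp-github"],                 # two IdPs with auto-redirect
    "policies": [
        {"name": "staff", "decision": "allow", "precedence": 1, "session_duration": "8h",
         "include": [{"email_domain": {"domain": "example.com"}}],
         "mfa_config": {"allowed_authenticators": ["security_key", "sms"],  # sms is not an option
                        "session_duration": "1000h"}},                       # above 720h
        {"name": "ci-bot", "decision": "allow", "precedence": 1,             # duplicate precedence
         "include": [{"linked_app_token": {}}]},                            # needs non_identity/bypass
        {"name": "break-glass", "decision": "allow", "precedence": 3,
         "session_duration": "30 minutes"},                                 # not a Go duration
    ],
}

if __name__ == "__main__":
    for problem in validate_application(SAMPLE_APP):
        print(problem)
```

Running the validator on `SAMPLE_APP` reports six problems, one per deliberate mistake; a body that passes still has to be accepted by the API, since the schema documents more constraints than this check encodes.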
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication { type, id, allowed_idps, 15 more }` - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color: optional string` The background color of the App Launcher page. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links: optional array of { name, url }` The links in the App Launcher footer. 
- `name: string` The hypertext in the footer link. - `url: string` The hyperlink in the footer link. - `header_bg_color: optional string` The background color of the App Launcher header. - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in. - `button_color: optional string` The background color of the log in button on the landing page. - `button_text_color: optional string` The color of the text in the log in button on the landing page. - `image_url: optional string` The URL of the image shown on the landing page. - `message: optional string` The message shown on the landing page. - `title: optional string` The title shown on the landing page. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page. - `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
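The `policies` array above defines three rule buckets with different logic: `include` rules are ORed (any one suffices), `exclude` rules are NOTed (any one disqualifies), and `require` rules are ANDed (all must hold), with `precedence` giving the order of execution. The following local model is an added example, not Cloudflare's evaluation engine: it assumes that policies are tried in ascending precedence, that the first matching policy supplies the decision, and that a request matching no policy is denied. Only a few rule types are modelled; the inner field names of each rule body, the request-context shape, and the sample policies and contexts are constructed assumptions.

```python
"""Local model of Access policy evaluation (added example, not Cloudflare's
engine). include = OR, exclude = NOT, require = AND; policies are tried in
ascending precedence, first match wins, no match is denied (assumptions).
Rule body field names and the request context shape are assumptions too."""
import ipaddress


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Each AccessRule is a single-key object whose key names the rule type."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx.get("email") == body["email"]
    if kind == "email_domain":
        return ctx.get("email", "").lower().endswith("@" + body["domain"].lower())
    if kind == "ip":
        if ctx.get("ip") is None:
            return False
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    if kind == "group":
        return body["id"] in ctx.get("groups", ())
    if kind == "any_valid_service_token":
        return ctx.get("service_token_id") is not None
    if kind == "service_token":
        return ctx.get("service_token_id") == body["token_id"]
    raise ValueError(f"rule type {kind!r} is not modelled here")


def policy_matches(policy: dict, ctx: dict) -> bool:
    # A policy with no include rules can never match: any([]) is False.
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return all(rule_matches(r, ctx) for r in policy.get("require", []))


def evaluate(policies: list, ctx: dict) -> tuple:
    """Return (decision, policy name) from the first matching policy by precedence."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"], policy["name"]
    return "deny", None          # modelled default when nothing matches


# Constructed sample policies (rule body field names are assumptions).
POLICIES = [
    {"name": "ci-service-token", "precedence": 1, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
    {"name": "offboarded", "precedence": 2, "decision": "deny",
     "include": [{"email": {"email": "mallory@example.com"}}]},
    {"name": "staff", "precedence": 3, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "exclude": [{"group": {"id": "grp-contractors"}}],
     "require": [{"geo": {"country_code": "US"}}, {"ip": {"ip": "198.51.100.0/24"}}]},
]

# Constructed request contexts.
ALICE = {"email": "alice@example.com", "country": "US", "ip": "198.51.100.7", "groups": []}
MALLORY = dict(ALICE, email="mallory@example.com")        # staff would allow, deny comes first
BOB = dict(ALICE, email="bob@example.com", groups=["grp-contractors"])   # hit by exclude
CAROL = dict(ALICE, email="carol@example.com", country="DE")            # fails require
CI = {"service_token_id": "tok-ci", "ip": "203.0.113.9"}

if __name__ == "__main__":
    for who, ctx in (("alice", ALICE), ("mallory", MALLORY), ("bob", BOB), ("carol", CAROL), ("ci", CI)):
        print(who, evaluate(POLICIES, ctx))
```

Two points the model makes visible: a Deny policy placed at a lower precedence number wins over a later Allow that would also match, so ordering is part of the security decision; and a policy that carries only `require` rules never matches anything, because `include` is what selects a user in the first place.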
- `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. 
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. 
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. 
This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: optional string` The name of the application. 
- `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication { id, app_launcher_visible, aud, 6 more }` - `id: optional string` UUID. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `domain: optional string` The URL or domain of the bookmark. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. 
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. 
- `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. 
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `type: optional ApplicationType` The application type.
  - `InfrastructureApplication { target_criteria, type, id, 3 more }`
    - `target_criteria: array of { port, protocol, target_attributes }`
      - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
      - `protocol: "SSH"` The communication protocol your application secures.
        - `"SSH"`
      - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `aud: optional string` Audience tag.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, connection_rules, created_at, 6 more }`
      - `id: optional string` The UUID of the policy.
      - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
        - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
          - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
          - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `name: optional string` The name of the Access policy.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `updated_at: optional string`
  - `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `target_criteria: array of { port, protocol, target_attributes }`
      - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
      - `protocol: "RDP"` The communication protocol your application secures.
        - `"RDP"`
      - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iframe.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. 
The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. 
Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly attribute on the Access session cookie, so client-side scripts cannot read it; this limits session theft through XSS. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application.
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. These two flags admit any dynamically registered client whose redirect URI points at the local machine, independently of `allowed_uris`; enable them only when native or command-line MCP clients genuinely need a loopback redirect. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. The origin then receives unauthenticated OPTIONS requests and must not do anything beyond answering the preflight. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access.
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. 
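The application fields above carry several constraints that are stated only in prose: `auto_redirect_to_identity` needs exactly one entry in `allowed_idps`, `options_preflight_bypass` cannot be combined with `cors_headers`, `session_duration` and the `grant` lifetimes use the `300ms` / `2h45m` format, `allowed_uris` must be `https` and may end in `/*`, a `via_mcp_server_portal` destination needs an `mcp_server_id`, policy `precedence` must be unique, `linked_app_token` rules only work with `non_identity` or `bypass` decisions, and an MFA `session_duration` is limited to minutes or hours up to 720h. The Python below is an added example, not Cloudflare's code or SDK: it assembles a request body for an application of the shape described above and checks it offline against those constraints before it is sent to the Access application create endpoint (which is not on this page). Assumptions, also marked in the code: the `type` value `mcp_server`, the inner shape of the `email_domain` rule, the placeholder IdP UUID, and reading `/*` as a prefix match that includes the trailing slash. The `mcp_server_id` reuses `my-mcp-server` from the portal listing example earlier on the page.

```python
import re
from urllib.parse import urlsplit

# Go-style duration units the reference allows ("300ms", "2h45m"; units ns, us/µs, ms, s, m, h).
_UNIT_NS = {"ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6,
            "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_MFA_RE = re.compile(r"^(\d+)(m|h)$")  # mfa_config.session_duration: minutes or hours only

def parse_duration_ns(text):
    """'300ms' or '2h45m' -> nanoseconds; anything else is rejected."""
    if not text or _DURATION_RE.sub("", text):
        raise ValueError(f"bad duration {text!r}")
    return int(sum(float(n) * _UNIT_NS[u] for n, u in _DURATION_RE.findall(text)))

def mfa_session_minutes(text):
    """Apply the stated bounds for an MFA session: 0m minimum, 720h (30 days) maximum."""
    m = _MFA_RE.match(text or "")
    if not m:
        raise ValueError("mfa_config.session_duration must look like '5m' or '24h'")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > 720 * 60:
        raise ValueError("mfa_config.session_duration exceeds 720h")
    return minutes

def redirect_uri_allowed(uri, dcr):
    """Would a dynamically registered client's redirect URI be accepted under these
    dynamic_client_registration settings? '/*' is read as a prefix match (assumption)."""
    host = urlsplit(uri).hostname or ""
    if dcr.get("allow_any_on_localhost") and host == "localhost":
        return True          # bypasses allowed_uris entirely
    if dcr.get("allow_any_on_loopback") and host == "127.0.0.1":
        return True          # bypasses allowed_uris entirely
    return any(uri == a or (a.endswith("/*") and uri.startswith(a[:-1]))
               for a in dcr.get("allowed_uris", []))

def validate_app(app):
    """Return the constraints from the reference that this body violates."""
    problems = []
    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps", [])) != 1:
        problems.append("auto_redirect_to_identity needs exactly one entry in allowed_idps")
    if app.get("options_preflight_bypass") and app.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be turned on when cors_headers is set")
    oauth = app.get("oauth_configuration") or {}
    durations = [("session_duration", app.get("session_duration"))]
    durations += [(f"grant.{k}", v) for k, v in (oauth.get("grant") or {}).items()]
    for label, value in durations:
        if value is not None:
            try:
                parse_duration_ns(value)
            except ValueError:
                problems.append(f"{label}: {value!r} is not a valid duration")
    for u in (oauth.get("dynamic_client_registration") or {}).get("allowed_uris", []):
        if urlsplit(u).scheme != "https":
            problems.append(f"allowed_uris entry {u!r} must use https")
    for dest in app.get("destinations", []):
        if dest.get("type") == "via_mcp_server_portal" and not dest.get("mcp_server_id"):
            problems.append("via_mcp_server_portal destination is missing mcp_server_id")
    seen = set()
    for pol in app.get("policies", []):
        if pol.get("precedence") in seen:
            problems.append(f"policy precedence {pol.get('precedence')} is not unique")
        seen.add(pol.get("precedence"))
        rules = pol.get("include", []) + pol.get("require", []) + pol.get("exclude", [])
        if any("linked_app_token" in r for r in rules) and pol.get("decision") not in ("non_identity", "bypass"):
            problems.append("linked_app_token rules need a non_identity or bypass decision")
        mfa = pol.get("mfa_config") or {}
        if mfa.get("session_duration") is not None:
            try:
                mfa_session_minutes(mfa["session_duration"])
            except ValueError as exc:
                problems.append(str(exc))
    return problems

def example_mcp_app():
    """Constructed body; the type value, the email_domain rule shape and the IdP UUID are assumptions."""
    return {
        "type": "mcp_server",
        "allowed_idps": ["00000000-0000-0000-0000-000000000000"],
        "auto_redirect_to_identity": True,
        "destinations": [{"type": "via_mcp_server_portal", "mcp_server_id": "my-mcp-server"}],
        "http_only_cookie_attribute": True,
        "session_duration": "24h",
        "oauth_configuration": {
            "dynamic_client_registration": {
                "enabled": True,
                "allow_any_on_loopback": True,  # native MCP clients redirecting to 127.0.0.1
                "allowed_uris": ["https://ide.example.com/oauth/callback/*"],
            },
            "grant": {"access_token_lifetime": "1h", "session_duration": "24h"},
        },
        "policies": [{
            "name": "Staff with a security key",
            "decision": "allow",
            "precedence": 1,
            "include": [{"email_domain": {"domain": "example.com"}}],
            "mfa_config": {"allowed_authenticators": ["security_key"], "session_duration": "8h"},
        }],
    }
```

`redirect_uri_allowed` makes the effect of `allow_any_on_loopback` concrete: a client redirecting to `http://127.0.0.1:8080/cb` is accepted although nothing in `allowed_uris` matches it, which is why that flag belongs only on applications whose native clients need it.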
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` One of the following authentication schemes, used when making SCIM requests to this application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. 
- `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly attribute on the Access session cookie, so client-side scripts cannot read it; this limits session theft through XSS. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. These two flags admit any dynamically registered client whose redirect URI points at the local machine, independently of `allowed_uris`; enable them only when native or command-line MCP clients genuinely need a loopback redirect. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled.
- `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. The origin then receives unauthenticated OPTIONS requests and must not do anything beyond answering the preflight. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a GitHub identity provider.
          - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
          - `IPListRule { ip_list }` Matches an IP address from a list.
          - `IPRule { ip }` Matches an IP address block.
          - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
        - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
          - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
            - `"totp"`
            - `"biometrics"`
            - `"security_key"`
          - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
          - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
        - `name: optional string` The name of the Access policy.
        - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
        - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
        - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
        - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
          - `GroupRule { group }` Matches an Access group.
          - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
          - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `CertificateRule { certificate }` Matches any valid client certificate.
          - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `CountryRule { geo }` Matches a specific country.
          - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `DomainRule { email_domain }` Matches an entire email domain.
          - `EmailListRule { email_list }` Matches an email address from a list.
          - `EmailRule { email }` Matches a specific email.
          - `EveryoneRule { everyone }` Matches everyone.
          - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
          - `IPListRule { ip_list }` Matches an IP address from a list.
          - `IPRule { ip }` Matches an IP address block.
          - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
        - `updated_at: optional string`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "app_launcher_visible": true,
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      { "cidr": "10.5.0.0/24", "port_range": "80-90", "type": "private" },
      { "cidr": "10.5.0.3/32", "port_range": "80", "type": "private" },
      { "hostname": "private-sni.example.com", "type": "private" },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "Admin Site",
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": [ "699d98642c564d2e855e9661899b7252" ],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": [ "string" ],
      "allowed_methods": [ "GET" ],
      "allowed_origins": [ "https://example.com" ],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": [ "699d98642c564d2e855e9661899b7252" ],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": [ "totp", "biometrics", "security_key" ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": [ "https://example.com/callback" ],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": [ "text" ],
            "allowed_clipboard_remote_to_local_formats": [ "text" ]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
        "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": [ "totp", "biometrics", "security_key" ],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": [ "engineers" ],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Update an Access application
**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}` Updates an Access application. ### Path Parameters - `app_id: AppID` Identifier. - `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Body Parameters - `body: { domain, type, allow_authenticate_via_warp, 28 more } or { allowed_idps, app_launcher_visible, auto_redirect_to_identity, 8 more } or { domain, type, allow_authenticate_via_warp, 28 more } or 10 more` Contains the targets secured by the application. - `SelfHostedApplication { domain, type, allow_authenticate_via_warp, 28 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `cors_headers: optional CORSHeaders` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of AllowedOrigins` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. 
- `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. 
- `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. 
- `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application. - `id: optional string` The UUID of the policy - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. 
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
- `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. 
- `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remove SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remove SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. 
- `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `create: optional boolean` Whether or not this mapping applies to create (POST) operations. - `delete: optional boolean` Whether or not this mapping applies to DELETE operations. - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication { allowed_idps, app_launcher_visible, auto_redirect_to_identity, 8 more }` - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application. - `id: optional string` The UUID of the policy - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. 
- `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp` - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }` - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset. - `"saml"` - `"oidc"` - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }` - `friendly_name: optional string` The SAML FriendlyName of the attribute. - `name: optional string` The name of the attribute. - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` The SAML NameFormat URI of the attribute. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: optional boolean` If the attribute is required when building a SAML assertion. - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP attribute. - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name. - `idp_id: optional string` The UID of the IdP. - `source_name: optional string` The name of the IdP-provided attribute. 
- `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id: optional string` The unique identifier for your SaaS application. - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: optional string` A globally unique name for an identity or service provider. - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }` - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: optional boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. 
- `app_launcher_url: optional string` The URL where this application's tile redirects users - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: optional string` The application client ID - `client_secret: optional string` The application client secret, only returned on POST request. - `custom_claims: optional array of { name, required, scope, source }` - `name: optional string` The name of the claim. - `required: optional boolean` If the claim is required when building an OIDC token. - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP claim. - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name. - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: optional string` A regex to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }` - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint - `public_key: optional string` The Access public certificate that will be used to verify your identity. 
- `redirect_uris: optional array of string` The permitted URLs to which Cloudflare may return authorization codes and Access/ID tokens - `refresh_token_options: optional { lifetime }` - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access. The "offline_access" scope is enabled automatically if refresh tokens are enabled - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme Access uses when making SCIM requests to this application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. 
- `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. 
- `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `BrowserSSHApplication { domain, type, allow_authenticate_via_warp, 28 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. 
When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. 
Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in AI Controls. Access secures the MCP server when it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server ID configured in AI Controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. 
This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. 
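The `dynamic_client_registration` rules above decide which redirect URIs a self-registering OAuth client may use, and a loose allow-list is how authorization codes end up on an attacker's host. The block below is an added example (not Cloudflare's code) that lints an `allowed_uris` list before you PUT it and then evaluates a candidate redirect URI against the documented semantics: `https` only, a trailing `/*` matches the path and everything under it, and `allow_any_on_localhost` / `allow_any_on_loopback` open up `localhost` and `127.0.0.1`. Treating `"enabled": false` as "reject everything", requiring an exact scheme/host/port/path/query match for non-wildcard entries, and accepting any scheme or port on localhost are this example's assumptions, not behaviour the reference states. The sample configuration is constructed for the example.

```python
"""Redirect-URI policy for Access OAuth dynamic client registration (added example)."""
from urllib.parse import urlsplit

DEFAULT_PORT = {"https": 443, "http": 80}

# Constructed sample of an `oauth_configuration.dynamic_client_registration` object.
DCR_CONFIG = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": [
        "https://app.example.com/oauth/callback",
        "https://ide.example.com/callback/*",
        "http://legacy.example.com/cb",        # flagged by the linter: not https
    ],
}


def pattern_problems(pattern: str) -> list[str]:
    """Reasons an allowed_uris entry is unusable; an empty list means it is fine."""
    p = urlsplit(pattern)
    problems = []
    if p.scheme.lower() != "https":
        problems.append("scheme must be https")
    if not p.hostname:
        problems.append("missing host")
    if p.fragment:
        problems.append("fragment not allowed in a redirect URI (RFC 6749 3.1.2)")
    # The reference only describes a trailing "/*"; any other asterisk is rejected here.
    if "*" in pattern and (pattern.count("*") != 1 or not p.path.endswith("/*")):
        problems.append('"*" is only allowed as a trailing "/*" path wildcard')
    return problems


def validate_allowed_uris(uris: list[str]) -> list[str]:
    """Lint a whole allowed_uris list before sending the application payload."""
    return [f"{u}: {why}" for u in uris for why in pattern_problems(u)]


def _norm(uri: str):
    """(scheme, host, port, path, query) with case-folded scheme/host and explicit port."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORT.get(scheme), p.path or "/", p.query


def _matches(pattern: str, uri: str) -> bool:
    ps, ph, pp, ppath, pq = _norm(pattern)
    us, uh, up, upath, uq = _norm(uri)
    if (ps, ph, pp) != (us, uh, up):          # scheme, host and port must all agree
        return False
    if ppath.endswith("/*"):
        base = ppath[:-2]                      # "/callback/*" -> "/callback"
        return upath == base or upath.startswith(base + "/")
    return (ppath, pq) == (upath, uq)          # assumption: exact match otherwise


def redirect_uri_allowed(redirect_uri: str, dcr: dict) -> bool:
    """Decide whether a dynamically registered client may use redirect_uri."""
    if not dcr.get("enabled", False):          # assumption: DCR off means no client registers
        return False
    parts = urlsplit(redirect_uri)
    if parts.fragment:                         # never legal, whatever the allow-list says
        return False
    host = (parts.hostname or "").lower()
    if dcr.get("allow_any_on_localhost") and host == "localhost":
        return True                            # assumption: any scheme/port on localhost
    if dcr.get("allow_any_on_loopback") and host == "127.0.0.1":
        return True
    # A malformed allow-list entry grants nothing, so a stray http:// entry cannot leak codes.
    return any(_matches(p, redirect_uri) for p in dcr.get("allowed_uris", [])
               if not pattern_problems(p))


if __name__ == "__main__":
    for problem in validate_allowed_uris(DCR_CONFIG["allowed_uris"]):
        print("config:", problem)
    for candidate in ("https://app.example.com/oauth/callback",
                      "https://ide.example.com/callback/vscode",
                      "http://localhost:8080/cb",
                      "https://evil.example.com/oauth/callback"):
        print(candidate, "->", redirect_uri_allowed(candidate, DCR_CONFIG))
```

Run the linter before every change to `allowed_uris`; the matcher is the check to keep in mind when reviewing whether a `/*` entry is broader than the client actually needs.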
- `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application. - `id: optional string` The UUID of the policy - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `AccessSchemasUUID = string` The UUID of the policy - `{ id, approval_groups, approval_required, 7 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. 
- `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. 
This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme Access uses when making SCIM requests to this application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. 
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication { domain, type, allow_authenticate_via_warp, 28 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. 
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, allowed_idps, app_launcher_logo_url, 13 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the log in button on the landing page.
    - `button_text_color: optional string` The color of the text in the log in button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }`
  - `type: ApplicationType` The application type.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }`
  - `type: ApplicationType` The application type.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication { type, allowed_idps, auto_redirect_to_identity, 7 more }`
  - `type: ApplicationType` The application type.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication { app_launcher_visible, domain, logo_url, 4 more }`
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `domain: optional string` The URL or domain of the bookmark.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
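The two `session_duration` formats above differ in a way that is easy to get wrong in automation: the application and policy token lifetimes accept duration strings with any unit from ns to h, while the MFA `session_duration` accepts only minutes or hours and is capped at 720h. The validator below is an added example, not part of the Cloudflare API or its SDKs. It parses both forms and rejects what the field descriptions rule out, so a deployment script can fail before the request is sent. The grammar it assumes (one or more `<number><unit>` components, no sign, no whitespace, the same shape as Go duration strings) is inferred from the examples `300ms` and `2h45m`; the page itself lists only the units.

```python
import re

# Unit multipliers in nanoseconds for duration strings such as `300ms` or
# `2h45m`, the format the token `session_duration` fields use.
GO_UNITS_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# One component: a decimal number followed by a unit. Longer unit names are
# listed first so "5ms" is not read as "5m" followed by a stray "s".
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")

MFA_MAX_NS = 720 * GO_UNITS_NS["h"]   # "Maximum: 720h (30 days)"


def parse_go_duration(value: str) -> int:
    """Return the duration in nanoseconds, or raise ValueError.

    Assumed grammar: one or more <number><unit> components and nothing else
    (no sign, no whitespace), as in the page's examples.
    """
    if not value:
        raise ValueError("empty duration")
    total, pos = 0, 0
    while pos < len(value):
        m = _COMPONENT.match(value, pos)
        if m is None:
            raise ValueError(f"invalid duration {value!r} at offset {pos}")
        total += int(float(m.group(1)) * GO_UNITS_NS[m.group(2)])
        pos = m.end()
    return total


def validate_token_session_duration(value: str) -> int:
    """Application / policy `session_duration`: any unit from ns to h is accepted."""
    return parse_go_duration(value)


def validate_mfa_session_duration(value: str) -> int:
    """MFA `session_duration`: only m or h units, and 0m <= value <= 720h."""
    ns = parse_go_duration(value)
    units = {m.group(2) for m in _COMPONENT.finditer(value)}
    if not units <= {"m", "h"}:
        raise ValueError(f"MFA session_duration {value!r} must use only m or h units")
    if ns > MFA_MAX_NS:
        raise ValueError(f"MFA session_duration {value!r} exceeds the 720h maximum")
    return ns


def is_valid_mfa_session_duration(value: str) -> bool:
    """Boolean form of the MFA check, convenient for pre-flight validation."""
    try:
        validate_mfa_session_duration(value)
        return True
    except ValueError:
        return False


def check_request_body(body: dict) -> list:
    """Walk an application create/update body and report every bad duration
    up front, instead of discovering them one at a time from 400 responses."""
    problems = []
    if "session_duration" in body:
        try:
            validate_token_session_duration(body["session_duration"])
        except ValueError as e:
            problems.append(f"session_duration: {e}")
    mfa = body.get("mfa_config", {})
    if "session_duration" in mfa and not is_valid_mfa_session_duration(mfa["session_duration"]):
        problems.append(
            f"mfa_config.session_duration: {mfa['session_duration']!r} must use m/h only and be at most 720h"
        )
    return problems
```

Run `check_request_body` over the JSON you are about to `POST`; an empty list means both fields are well-formed under the rules on this page. The API remains the authority on acceptance, since the validator only encodes what the field descriptions state.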
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `InfrastructureApplication { target_criteria, type, name, policies }`
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `name: optional string` The name of the application.
  - `policies: optional array of { decision, include, name, 3 more }` The policies that Access applies to the application.
    - `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `"allow"`
      - `"deny"`
      - `"non_identity"`
      - `"bypass"`
    - `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
        - `group: { id }`
          - `id: string` The ID of a previously created Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `any_valid_service_token: { }` An empty object which matches on all service tokens.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `auth_context: { id, ac_id, identity_provider_id }`
          - `id: string` The ID of an Authentication context.
          - `ac_id: string` The ACID of an Authentication context.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces a specific authentication method (MFA option).
        - `auth_method: { auth_method }`
          - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `azureAD: { id, identity_provider_id }`
          - `id: string` The ID of an Azure group.
          - `identity_provider_id: string` The ID of your Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
        - `certificate: { }`
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `common_name: { common_name }`
          - `common_name: string` The common name to match.
      - `CountryRule { geo }` Matches a specific country.
        - `geo: { country_code }`
          - `country_code: string` The country code that should be matched.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `device_posture: { integration_uid }`
          - `integration_uid: string` The ID of a device posture integration.
      - `DomainRule { email_domain }` Matches an entire email domain.
        - `email_domain: { domain }`
          - `domain: string` The email domain to match.
      - `EmailListRule { email_list }` Matches an email address from a list.
        - `email_list: { id }`
          - `id: string` The ID of a previously created email list.
      - `EmailRule { email }` Matches a specific email.
        - `email: { email }`
          - `email: string` The email of the user.
      - `EveryoneRule { everyone }` Matches everyone.
        - `everyone: { }` An empty object which matches on all users.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `external_evaluation: { evaluate_url, keys_url }`
          - `evaluate_url: string` The API endpoint containing your business logic.
          - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `"github-organization": { identity_provider_id, name, team }`
          - `identity_provider_id: string` The ID of your GitHub identity provider.
          - `name: string` The name of the organization.
          - `team: optional string` The name of the team.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `gsuite: { email, identity_provider_id }`
          - `email: string` The email of the Google Workspace group.
          - `identity_provider_id: string` The ID of your Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `login_method: { id }`
          - `id: string` The ID of an identity provider.
      - `IPListRule { ip_list }` Matches an IP address from a list.
        - `ip_list: { id }`
          - `id: string` The ID of a previously created IP list.
      - `IPRule { ip }` Matches an IP address block.
        - `ip: { ip }`
          - `ip: string` An IPv4 or IPv6 CIDR block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `okta: { identity_provider_id, name }`
          - `identity_provider_id: string` The ID of your Okta identity provider.
          - `name: string` The name of the Okta group.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `saml: { attribute_name, attribute_value, identity_provider_id }`
          - `attribute_name: string` The name of the SAML attribute.
          - `attribute_value: string` The SAML attribute value to look for.
          - `identity_provider_id: string` The ID of your SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `oidc: { claim_name, claim_value, identity_provider_id }`
          - `claim_name: string` The name of the OIDC claim.
          - `claim_value: string` The OIDC claim value to look for.
          - `identity_provider_id: string` The ID of your OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `service_token: { token_id }`
          - `token_id: string` The ID of a Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `linked_app_token: { app_uid }`
          - `app_uid: string` The ID of an Access OIDC SaaS application.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
        - `user_risk_score: { user_risk_score }`
          - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
            - `"low"`
            - `"medium"`
            - `"high"`
            - `"unscored"`
    - `name: string` The name of the Access policy.
    - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
      - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces a specific authentication method (MFA option).
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces a specific authentication method (MFA option).
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `BrowserRDPApplication { domain, target_criteria, type, 29 more }` Contains the targets secured by the application.
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
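The three rule lists of an infrastructure policy combine with fixed logic: a user must satisfy at least one Include rule (OR), none of the Exclude rules (NOT), and every Require rule (AND). The evaluator below is an added example, not Cloudflare's implementation, that applies those semantics to policy objects written in the JSON shape of this reference. The identity record, the matching performed for each rule kind (case-insensitive string comparison for email claims, CIDR containment for `ip`, RFC 8176 `amr` values for `auth_method`) and the first-match-wins walk in ascending precedence are assumptions of the example; the page specifies only the OR/NOT/AND combination and that policies are ordered by precedence.

```python
import ipaddress

# Constructed sample identity in the shape this example's matchers expect
# (an assumption of the example, not the claim layout Access itself uses).
SAMPLE_IDENTITY = {
    "email": "alice@example.com",
    "groups": {"grp-eng"},            # Access group IDs the user belongs to
    "country": "DE",
    "ip": "203.0.113.7",
    "auth_methods": {"pwd", "mfa"},   # RFC 8176 amr values asserted by the IdP
    "risk": "low",
    "service_token_id": None,         # set when the caller presented a service token
}

# Policies in the JSON shape of this reference; constructed for the example.
SAMPLE_POLICIES = [
    {
        "name": "CI service token", "decision": "non_identity", "precedence": 1,
        "include": [{"any_valid_service_token": {}}],
    },
    {
        "name": "Engineering with MFA", "decision": "allow", "precedence": 2,
        "include": [{"email_domain": {"domain": "example.com"}},
                    {"group": {"id": "grp-eng"}}],
        "exclude": [{"ip": {"ip": "198.51.100.0/24"}},
                    {"user_risk_score": {"user_risk_score": ["high"]}}],
        "require": [{"auth_method": {"auth_method": "mfa"}},
                    {"geo": {"country_code": "DE"}}],
    },
]


def rule_matches(rule: dict, ident: dict) -> bool:
    """Evaluate one AccessRule object ({kind: {...}}) against an identity.

    Unknown rule kinds raise instead of returning False: a misspelled kind in
    an Exclude list would otherwise silently stop excluding anyone.
    """
    kind, body = next(iter(rule.items()))
    if kind == "everyone":
        return True
    if kind == "email":
        return ident["email"].lower() == body["email"].lower()
    if kind == "email_domain":
        return ident["email"].lower().rsplit("@", 1)[-1] == body["domain"].lower()
    if kind == "group":
        return body["id"] in ident["groups"]
    if kind == "geo":
        return ident["country"] == body["country_code"]
    if kind == "ip":
        return ipaddress.ip_address(ident["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "auth_method":
        return body["auth_method"] in ident["auth_methods"]
    if kind == "any_valid_service_token":
        return ident["service_token_id"] is not None
    if kind == "service_token":
        return ident["service_token_id"] == body["token_id"]
    if kind == "user_risk_score":
        return ident["risk"] in body["user_risk_score"]
    raise ValueError(f"unsupported rule kind {kind!r}")


def policy_matches(policy: dict, ident: dict) -> bool:
    """Include = OR, Exclude = NOT, Require = AND, as the reference states."""
    include = policy.get("include", [])
    exclude = policy.get("exclude", [])
    require = policy.get("require", [])
    if not any(rule_matches(r, ident) for r in include):
        return False                       # at least one Include rule must hit
    if any(rule_matches(r, ident) for r in exclude):
        return False                       # any Exclude hit disqualifies
    return all(rule_matches(r, ident) for r in require)   # every Require rule


def evaluate(policies: list, ident: dict) -> tuple:
    """Walk policies in ascending precedence and return (decision, policy name).

    First-match-wins is an assumption of this example; when nothing matches
    the result is a deny with no policy name.
    """
    for policy in sorted(policies, key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, ident):
            return policy["decision"], policy["name"]
    return "deny", None
```

The worked policies show why the NOT list matters as much as the AND list: the same user who is allowed from 203.0.113.7 with an `mfa` authentication method is denied from 198.51.100.9 without any Require rule failing, and a request carrying a service token never reaches the identity policy because the `non_identity` policy at precedence 1 matches first.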
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
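The `allowed_uris` list decides where an authorization server acting for this application may send an authorization code, so the matching rules stated above (https only, exact match unless an entry ends in `/*`, and the two escape hatches for localhost and 127.0.0.1) are worth pinning down. The checker below is an added example, not Cloudflare's implementation: it takes a `dynamic_client_registration` object in the shape of this reference and a proposed redirect URI and returns whether a registration using that URI should be accepted. Everything beyond the page's wording is an assumption of the example: the localhost and loopback flags are read as permitting any scheme and port on exactly those hosts, exact entries compare path and query literally, dot segments are rejected so a `/*` prefix cannot be escaped, and the caller is expected to consult this only when `enabled` is true.

```python
from urllib.parse import urlsplit


def _has_dot_segments(path: str) -> bool:
    """Reject `/..` and `/.` segments so a prefix rule such as /oauth/* cannot
    be escaped with /oauth/../admin. Comparison is on the raw path, so
    percent-encoded variants are simply unequal and fail the exact match."""
    return any(seg in (".", "..") for seg in path.split("/"))


def _matches_allowed(uri_parts, allowed: str) -> bool:
    """One allowed_uris entry: same https scheme and host[:port]; exact path
    and query, or a prefix match when the entry ends in `/*`."""
    a = urlsplit(allowed)
    if a.scheme != "https" or a.netloc.lower() != uri_parts.netloc.lower():
        return False
    if a.path.endswith("/*"):
        # "/oauth/*" covers every path under "/oauth/"; keeping the trailing
        # slash in the prefix stops "/oauthx/..." from matching.
        return uri_parts.path.startswith(a.path[:-1])
    return (uri_parts.path, uri_parts.query) == (a.path, a.query)


def redirect_uri_allowed(uri: str, dcr: dict) -> bool:
    """Decide whether a redirect URI presented at dynamic client registration
    is acceptable under a dynamic_client_registration object."""
    parts = urlsplit(uri)
    # RFC 6749 section 3.1.2: a redirect URI must not carry a fragment.
    if parts.fragment or _has_dot_segments(parts.path):
        return False
    host = (parts.hostname or "").lower()
    # Escape hatches for native/CLI clients: any scheme and port on exactly
    # these hosts (assumed reading of the two booleans). The page names
    # 127.0.0.1 only, so ::1 is deliberately not treated as loopback here.
    if host == "localhost":
        return bool(dcr.get("allow_any_on_localhost", False))
    if host == "127.0.0.1":
        return bool(dcr.get("allow_any_on_loopback", False))
    if parts.scheme != "https":
        return False
    # netloc is compared whole, so "https://app.example.com@evil.example/..."
    # (the userinfo trick) never equals an allowlisted host.
    return any(_matches_allowed(parts, entry) for entry in dcr.get("allowed_uris", []))


# Constructed configuration for the example, in the shape of this reference.
SAMPLE_DCR = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": [
        "https://app.example.com/oauth/*",
        "https://cli.example.com/callback",
    ],
}
```

When writing the allowlist itself, prefer exact entries and reserve `/*` for a path that hosts nothing but callback handlers; a prefix such as `https://app.example.com/*` turns every open redirect on that host into a route for the authorization code.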
    - `AccessAppPolicyLink { id, precedence }` A JSON object that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy.
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used when making SCIM requests to this application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication { type, allow_authenticate_via_warp, allowed_idps, 16 more }`
  - `type: ApplicationType` The application type.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication { type, allow_authenticate_via_warp, allowed_idps, 17 more }`
  - `type: ApplicationType` The application type.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `policies: optional array of { id, precedence } or string or { id, approval_groups, approval_required, 7 more }` The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
    - `AccessAppPolicyLink { id, precedence }` A JSON that links a reusable policy to an application.
      - `id: optional string` The UUID of the policy
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `AccessSchemasUUID = string` The UUID of the policy
    - `{ id, approval_groups, approval_required, 7 more }`
      - `id: optional string` The UUID of the policy
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more`
  - `SelfHostedApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: optional CORSHeaders`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
          - `group: { id }`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `any_valid_service_token: { }` An empty object which matches on all service tokens.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: { id, ac_id, identity_provider_id }`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `auth_method: { auth_method }`
            - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: { id, identity_provider_id }`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
          - `certificate: { }`
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `common_name: { common_name }`
            - `common_name: string` The common name to match.
        - `CountryRule { geo }` Matches a specific country.
          - `geo: { country_code }`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `device_posture: { integration_uid }`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule { email_domain }` Matches an entire email domain.
          - `email_domain: { domain }`
            - `domain: string` The email domain to match.
        - `EmailListRule { email_list }` Matches an email address from a list.
          - `email_list: { id }`
            - `id: string` The ID of a previously created email list.
        - `EmailRule { email }` Matches a specific email.
          - `email: { email }`
            - `email: string` The email of the user.
        - `EveryoneRule { everyone }` Matches everyone.
          - `everyone: { }` An empty object which matches on all users.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: { evaluate_url, keys_url }`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": { identity_provider_id, name, team }`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team: optional string` The name of the team.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: { email, identity_provider_id }`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
          - `login_method: { id }`
            - `id: string` The ID of an identity provider.
        - `IPListRule { ip_list }` Matches an IP address from a list.
          - `ip_list: { id }`
            - `id: string` The ID of a previously created IP list.
        - `IPRule { ip }` Matches an IP address block.
          - `ip: { ip }`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `okta: { identity_provider_id, name }`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `saml: { attribute_name, attribute_value, identity_provider_id }`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: { claim_name, claim_value, identity_provider_id }`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `service_token: { token_id }`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: { app_uid }`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
          - `user_risk_score: { user_risk_score }`
            - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `password: string` Password used to authenticate with the remote SCIM service.
          - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
            - `"httpbasic"`
          - `user: string` User name used to authenticate with the remote SCIM service.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `token: string` Token used to authenticate with the remote SCIM service.
          - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauthbearertoken"`
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `authorization_url: string` URL used to generate the auth code used during token generation.
          - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
          - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
            - `"oauth2"`
          - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
          - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
          - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
          - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
          - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
          - `"strict"`
          - `"passthrough"`
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
    - `id: optional string` UUID.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp` - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }` - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }` - `friendly_name: optional string` The SAML FriendlyName of the attribute. - `name: optional string` The name of the attribute. - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: optional boolean` If the attribute is required when building a SAML assertion. 
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP attribute.
          - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
            - `idp_id: optional string` The UID of the IdP.
            - `source_name: optional string` The name of the IdP-provided attribute.
      - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: optional string` The unique identifier for your SaaS application.
      - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
      - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
      - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: optional boolean` Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
      - `app_launcher_url: optional string` The URL where this application's tile redirects users.
      - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: optional string` The application client id.
      - `client_secret: optional string` The application client secret, only returned on POST request.
      - `custom_claims: optional array of { name, required, scope, source }`
        - `name: optional string` The name of the claim.
        - `required: optional boolean` If the claim is required when building an OIDC token.
        - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP claim.
          - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
      - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
        - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: optional array of string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: optional { lifetime }`
        - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `BrowserSSHApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. 
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name.
    This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to:

    ```json
    {
      "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
    }
    ```

  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, id, allowed_idps, 15 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
- `name: string` The hypertext in the footer link. - `url: string` the hyperlink in the footer link. - `header_bg_color: optional string` The background color of the App Launcher header. - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in. - `button_color: optional string` The background color of the log in button on the landing page. - `button_text_color: optional string` The color of the text in the log in button on the landing page. - `image_url: optional string` The URL of the image shown on the landing page. - `message: optional string` The message shown on the landing page. - `title: optional string` The title shown on the landing page. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The proxy endpoint domain, in the format of 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication { id, app_launcher_visible, aud, 6 more }`
  - `id: optional string` UUID.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `domain: optional string` The URL or domain of the bookmark.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `InfrastructureApplication { target_criteria, type, id, 3 more }`
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `aud: optional string` Audience tag.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, connection_rules, created_at, 6 more }`
    - `id: optional string` The UUID of the policy
    - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
      - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `name: optional string` The name of the Access policy.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `updated_at: optional string`
- `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. 
- `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

```json
{
  "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
  "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
}
```

- `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme, or list of schemes, used when making SCIM requests to this application. One of the following: - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
- `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. 
The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. 
Public destinations support sub-domains and paths. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application.
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method reported by the identity provider, so a policy can require a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. 
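Both application variants above carry the same `policies` object, and the semantics are stated in the field descriptions: `include` is OR, `exclude` is NOT, `require` is AND, policies run in `precedence` order (unique per app) and the first policy a user matches supplies the `decision`. The following Python is an added example that models those semantics so a policy set can be tested offline before it is pushed; it is not Cloudflare's policy engine and covers only a handful of rule kinds. The inner field names of the rule objects (`email.email`, `email_domain.domain`, `ip.ip`, `geo.country_code`, `group.id`, `service_token.token_id`, `auth_method.auth_method`, `everyone: {}`) are taken from the API's AccessRule objects, which this page lists only by outer key, so treat them as assumptions; the identity shape, the `auth_method` value `"mfa"`, and the policies themselves are constructed for the example, and "no match means deny" is assumed.

```python
"""Offline model of Access policy evaluation: include=OR, exclude=NOT,
require=AND, first match in precedence order decides. Added example, not
Cloudflare's engine; rule field names and identity shape are assumptions."""
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


def rule_matches(rule: dict, identity: dict) -> bool:
    """Evaluate one AccessRule object ({kind: {...}}) against an identity.
    Unsupported kinds raise so a policy is never silently mis-evaluated."""
    (kind, body), = rule.items()
    email = identity.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":
        return "@" in email and email.rsplit("@", 1)[1] == body["domain"].lower()
    if kind == "ip":
        return "ip" in identity and ip_address(identity["ip"]) in ip_network(body["ip"], strict=False)
    if kind == "geo":
        return identity.get("country") == body["country_code"]
    if kind == "group":
        return body["id"] in identity.get("groups", ())
    if kind == "service_token":
        return identity.get("service_token_id") == body["token_id"]
    if kind == "auth_method":          # AMR value reported by the IdP; "mfa" assumed
        return identity.get("auth_method") == body["auth_method"]
    raise ValueError(f"unsupported rule kind {kind!r}")


def policy_matches(policy: dict, identity: dict) -> bool:
    """A policy with no include rules can never match; require is vacuously
    true when empty; any exclude hit vetoes the policy."""
    if not any(rule_matches(r, identity) for r in policy.get("include", [])):
        return False
    if any(rule_matches(r, identity) for r in policy.get("exclude", [])):
        return False
    return all(rule_matches(r, identity) for r in policy.get("require", []))


def decide(policies: list, identity: dict) -> Tuple[str, Optional[str]]:
    """Return (decision, policy name) for the first match in precedence order,
    or ("deny", None) when nothing matches. Duplicate precedence values are
    rejected up front because the API requires them to be unique per app."""
    seen = [p["precedence"] for p in policies]
    if len(seen) != len(set(seen)):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"], policy["name"]
    return "deny", None


# Constructed policy set: a deny that outranks everything, a non-identity
# policy for a CI service token, and an allow for staff with MFA and group.
POLICIES = [
    {"name": "block-known-bad-range", "precedence": 1, "decision": "deny",
     "include": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "ci-service-token", "precedence": 2, "decision": "non_identity",
     "include": [{"service_token": {"token_id": "tok-ci-runner"}}]},
    {"name": "engineers", "precedence": 3, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "exclude": [{"email": {"email": "offboarded@example.com"}}],
     "require": [{"group": {"id": "grp-mcp-users"}},
                 {"auth_method": {"auth_method": "mfa"}}]},
]

# Constructed identities, as an Access evaluation would see them.
IDENTITIES = {
    "alice":      {"email": "alice@example.com", "ip": "198.51.100.7",
                   "groups": ["grp-mcp-users"], "auth_method": "mfa"},
    "bob-no-mfa": {"email": "bob@example.com", "ip": "198.51.100.8",
                   "groups": ["grp-mcp-users"], "auth_method": "pwd"},
    "offboarded": {"email": "offboarded@example.com", "ip": "198.51.100.9",
                   "groups": ["grp-mcp-users"], "auth_method": "mfa"},
    "carol-ext":  {"email": "carol@partner.org", "ip": "198.51.100.10",
                   "groups": ["grp-mcp-users"], "auth_method": "mfa"},
    "alice-bad":  {"email": "alice@example.com", "ip": "203.0.113.5",
                   "groups": ["grp-mcp-users"], "auth_method": "mfa"},
    "ci":         {"service_token_id": "tok-ci-runner", "ip": "198.51.100.11"},
}

if __name__ == "__main__":
    for who, identity in IDENTITIES.items():
        print(f"{who:12s} -> {decide(POLICIES, identity)}")
```

The ordering matters: because the deny policy has the lowest precedence number, a staff user who otherwise satisfies `engineers` is still denied from the blocked range. Putting the allow first would invert that outcome, which is the kind of mistake this sort of table makes visible before deployment.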
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme, or list of schemes, used when making SCIM requests to this application. One of the following: - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. 
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
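The `policies` reference above states how a policy's rule lists combine: `include` is an OR, `require` is an AND, `exclude` is a NOT, and `precedence` orders the policies. The following is an added example (not Cloudflare's code) that evaluates a list of policies against a requesting identity with exactly those semantics; the `Principal` record, the first-match-wins ordering, the "no match means deny" default and the rule bodies other than `group` (the only rule shown with its body in the page's example) are assumptions made for the demonstration.

```python
"""Access policy evaluation with the documented include/require/exclude semantics.

Added example, not Cloudflare's own code. Assumptions: the Principal shape, the
first-matching-policy-wins ordering, deny when nothing matches, and the inner
keys of rule types other than `group`.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Any

Rule = dict[str, dict[str, Any]]


@dataclass
class Principal:
    """Attributes of the requesting identity (assumed shape, not an API object)."""
    email: str = ""
    groups: set[str] = field(default_factory=set)  # Access group UUIDs the user belongs to
    country_code: str = ""
    ip: str = ""  # empty when the source address is unknown


def rule_matches(rule: Rule, p: Principal) -> bool:
    """Evaluate one AccessRule. A rule object carries exactly one key naming its type.

    Unknown or malformed rules raise instead of silently matching or not matching,
    so a misconfigured policy fails closed rather than quietly widening access.
    """
    if len(rule) != 1:
        raise ValueError(f"malformed rule: {rule!r}")
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "group":
        return body["id"] in p.groups
    if kind == "email":
        return p.email.lower() == body["email"].lower()
    if kind == "email_domain":
        return p.email.lower().endswith("@" + body["domain"].lower())
    if kind == "geo":
        return p.country_code.upper() == body["country_code"].upper()
    if kind == "ip":
        if not p.ip:
            return False  # no source address: an IP block rule cannot match
        return ip_address(p.ip) in ip_network(body["ip"], strict=False)
    raise ValueError(f"unsupported rule type: {kind}")


def policy_matches(policy: dict, p: Principal) -> bool:
    """include: at least one rule matches; require: every rule matches; exclude: none match."""
    if not any(rule_matches(r, p) for r in policy.get("include", [])):
        return False  # an empty include list matches nobody
    if not all(rule_matches(r, p) for r in policy.get("require", [])):
        return False  # vacuously satisfied when there are no require rules
    if any(rule_matches(r, p) for r in policy.get("exclude", [])):
        return False
    return True


def evaluate(policies: list[dict], p: Principal) -> tuple[str, str | None]:
    """Return (decision, policy name) for the first matching policy in precedence order.

    No match yields ("deny", None). Duplicate precedence values are rejected because
    the reference requires them to be unique within an application.
    """
    precedences = [pol["precedence"] for pol in policies]
    if len(precedences) != len(set(precedences)):
        raise ValueError("policy precedence values must be unique within an app")
    for policy in sorted(policies, key=lambda pol: pol["precedence"]):
        if policy_matches(policy, p):
            return policy.get("decision", "deny"), policy.get("name")
    return "deny", None


# Constructed sample policies; the group id is the one used in the page's response example.
DEVS_GROUP = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
POLICIES = [
    {
        "name": "Allow devs",
        "precedence": 0,
        "decision": "allow",
        "include": [{"group": {"id": DEVS_GROUP}}, {"email": {"email": "ops@example.com"}}],
        "require": [{"geo": {"country_code": "US"}}],
        "exclude": [{"email_domain": {"domain": "contractor.example"}}],
    },
    {
        "name": "Office network",
        "precedence": 1,
        "decision": "allow",
        "include": [{"ip": {"ip": "10.5.0.0/24"}}],
    },
]

if __name__ == "__main__":
    dev = Principal(email="dev@example.com", groups={DEVS_GROUP}, country_code="US", ip="203.0.113.9")
    print(evaluate(POLICIES, dev))  # ('allow', 'Allow devs')
```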
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "app_launcher_visible": true,
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      { "cidr": "10.5.0.0/24", "port_range": "80-90", "type": "private" },
      { "cidr": "10.5.0.3/32", "port_range": "80", "type": "private" },
      { "hostname": "private-sni.example.com", "type": "private" },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "name": "Admin Site",
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": [ "699d98642c564d2e855e9661899b7252" ],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": [ "string" ],
      "allowed_methods": [ "GET" ],
      "allowed_origins": [ "https://example.com" ],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": [ "699d98642c564d2e855e9661899b7252" ],
    "destinations": [
      { "type": "public", "uri": "test.example.com/admin" },
      { "type": "public", "uri": "test.anotherexample.com/staff" },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      { "mcp_server_id": "mcp-server-1", "type": "via_mcp_server_portal" }
    ],
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": [ "totp", "biometrics", "security_key" ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": [ "https://example.com/callback" ],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": [ "test1@cloudflare.com", "test2@cloudflare.com" ],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": [ "test@cloudflare.com", "test2@cloudflare.com" ],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": [ "text" ],
            "allowed_clipboard_remote_to_local_formats": [ "text" ]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
        "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": [ "totp", "biometrics", "security_key" ],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": { "create": true, "delete": true, "update": true },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": [ "engineers" ],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```

## Delete an Access application

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}`

Deletes an application from Access.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Revoke application tokens

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens`

Revokes all tokens issued for an application.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
### Returns

- `result: optional unknown`
- `success: optional true or false`
  - `true`
  - `false`

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/revoke_tokens \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "result": {},
  "success": true
}
```

## Domain Types

### Allowed Headers

- `AllowedHeaders = string`

### Allowed IdPs

- `AllowedIdPs = string` The identity providers selected for the application.

### Allowed Methods

- `AllowedMethods = "GET" or "POST" or "HEAD" or 6 more`
  - `"GET"`
  - `"POST"`
  - `"HEAD"`
  - `"PUT"`
  - `"DELETE"`
  - `"CONNECT"`
  - `"OPTIONS"`
  - `"TRACE"`
  - `"PATCH"`

### Allowed Origins

- `AllowedOrigins = string`

### App ID

- `AppID = string` Identifier.

### Application

- `Application = { domain, type, id, 21 more } or { id, allowed_idps, app_launcher_visible, 9 more } or { domain, type, id, 21 more } or 5 more`
- `SelfHostedApplication { domain, type, id, 21 more }`
  - `domain: string` The domain and path that Access will secure.
  - `type: string` The application type.
  - `id: optional string` UUID.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }`
    - `allow_all_headers: optional boolean` Allows all HTTP request headers.
    - `allow_all_methods: optional boolean` Allows all HTTP request methods.
- `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: optional array of unknown` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of unknown` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `created_at: optional string` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application. - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. 
- `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or { token, scheme } or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remove SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. 
- `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remove SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSchemasSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or { token, scheme } or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application. - `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set `active` to false on the SCIM resource. This is useful because some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `create: optional boolean` Whether or not this mapping applies to create (POST) operations. - `delete: optional boolean` Whether or not this mapping applies to DELETE operations. - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. 
- `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `updated_at: optional string` - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication { id, allowed_idps, app_launcher_visible, 9 more }` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at: optional string` - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `saas_app: optional { auth_type, consumer_service_url, created_at, 8 more } or { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 13 more }` - `AccessSchemasSAMLSaaSApp { auth_type, consumer_service_url, created_at, 8 more }` - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. 
Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `created_at: optional string` - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }` - `friendly_name: optional string` The SAML FriendlyName of the attribute. - `name: optional string` The name of the attribute. - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: optional boolean` If the attribute is required when building a SAML assertion. - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP attribute. - `name_by_idp: optional map[string]` A mapping from IdP ID to attribute name. - `idp_entity_id: optional string` The unique identifier for your SaaS application. - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `sp_entity_id: optional string` A globally unique name for an identity or service provider. - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests. 
- `updated_at: optional string` - `AccessSchemasOIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 13 more }` - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: optional boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used. - `app_launcher_url: optional string` The URL where this applications tile redirects users - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the saas app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: optional string` The application client id - `client_secret: optional string` The application client secret, only returned on POST request. - `created_at: optional string` - `custom_claims: optional array of { name, required, scope, source }` - `name: optional string` The name of the claim. - `required: optional boolean` If the claim is required when building an OIDC token. - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP claim. - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name. - `idp_id: optional string` The UID of the IdP. - `source_name: optional string` The name of the IdP provided attribute. - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint. 
- `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }` - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `redirect_uris: optional array of string` The permitted URL's for Cloudflare to return Authorization codes and Access/ID tokens - `refresh_token_options: optional { lifetime }` - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with access, "offline_access" scope will be automatically enabled if refresh tokens are enabled - `"openid"` - `"groups"` - `"email"` - `"profile"` - `updated_at: optional string` - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `type: optional string` The application type. - `updated_at: optional string` - `BrowserSSHApplication { domain, type, id, 21 more }` - `domain: string` The domain and path that Access will secure. - `type: string` The application type. - `id: optional string` UUID. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. 
- `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: optional array of unknown` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of unknown` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `created_at: optional string` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application. - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. 
- `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `updated_at: optional string` - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication { domain, type, id, 21 more }` - `domain: string` The domain and path that Access will secure. - `type: string` The application type. - `id: optional string` UUID. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. 
- `cors_headers: optional { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. - `allowed_headers: optional array of unknown` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of unknown` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `created_at: optional string` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application. - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. 
- `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `updated_at: optional string` - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication { type, id, allowed_idps, 8 more }` - `type: "self_hosted" or "saas" or "ssh" or 6 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at: optional string` - `domain: optional string` The domain and path that Access will secure. - `name: optional string` The name of the application. - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. 
- `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 8 more }` - `type: "self_hosted" or "saas" or "ssh" or 6 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at: optional string` - `domain: optional string` The domain and path that Access will secure. - `name: optional string` The name of the application. - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 8 more }` - `type: "self_hosted" or "saas" or "ssh" or 6 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. 
- `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `created_at: optional string` - `domain: optional string` The domain and path that Access will secure. - `name: optional string` The name of the application. - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `BookmarkApplication { domain, type, id, 7 more }` - `domain: string` The URL or domain of the bookmark. - `type: string` The application type. - `id: optional string` UUID. - `app_launcher_visible: optional unknown` - `aud: optional string` Audience tag. - `created_at: optional string` - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `scim_config: optional ApplicationSCIMConfig` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `updated_at: optional string` ### Application Policy - `ApplicationPolicy { id, approval_groups, approval_required, 13 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. 
- `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. 
- `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. 
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be `low`, `medium`, `high`, or `unscored`.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Application SCIM Config

- `ApplicationSCIMConfig { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
  - `authentication: optional SCIMConfigAuthenticationHTTPBasic or { token, scheme } or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme used for SCIM provisioning to this application; one of the following.
    - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `password: string` Password used to authenticate with the remote SCIM service.
      - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
        - `"httpbasic"`
      - `user: string` User name used to authenticate with the remote SCIM service.
    - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `token: string` Token used to authenticate with the remote SCIM service.
      - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
        - `"oauthbearertoken"`
    - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `authorization_url: string` URL used to generate the auth code used during token generation.
      - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
      - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
        - `"oauth2"`
      - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
      - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
    - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `AccessSchemasSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or { token, scheme } or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `AccessSchemasSCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete: optional boolean` If `false`, DELETE requests for SCIM resources are propagated to the target application. If `true`, only `active` is set to `false` on the SCIM resource. This is useful because some targets do not support DELETE operations.
  - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
  - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: string` Which SCIM resource type this mapping applies to.
    - `enabled: optional boolean` Whether or not this mapping is enabled.
    - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
      - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
      - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
    - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `"strict"`
      - `"passthrough"`
    - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.

### Application Type

- `ApplicationType = "self_hosted" or "saas" or "ssh" or 11 more` The application type.
  - `"self_hosted"`
  - `"saas"`
  - `"ssh"`
  - `"vnc"`
  - `"app_launcher"`
  - `"warp"`
  - `"biso"`
  - `"bookmark"`
  - `"dash_sso"`
  - `"infrastructure"`
  - `"rdp"`
  - `"mcp"`
  - `"mcp_portal"`
  - `"proxy_endpoint"`

### CORS Headers

- `CORSHeaders { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }`
  - `allow_all_headers: optional boolean` Allows all HTTP request headers.
  - `allow_all_methods: optional boolean` Allows all HTTP request methods.
  - `allow_all_origins: optional boolean` Allows all origins.
  - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
  - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
  - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
    - `"GET"`
    - `"POST"`
    - `"HEAD"`
    - `"PUT"`
    - `"DELETE"`
    - `"CONNECT"`
    - `"OPTIONS"`
    - `"TRACE"`
    - `"PATCH"`
  - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
  - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.

### Decision

- `Decision = "allow" or "deny" or "non_identity" or "bypass"` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `"allow"`
  - `"deny"`
  - `"non_identity"`
  - `"bypass"`

### OIDC SaaS App

- `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
  - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
  - `allow_pkce_without_client_secret: optional boolean` Whether a client secret should be required on the token endpoint when the `authorization_code_with_pkce` grant is used.
  - `app_launcher_url: optional string` The URL where this application's tile redirects users.
  - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
    - `"saml"`
    - `"oidc"`
  - `client_id: optional string` The application client ID.
  - `client_secret: optional string` The application client secret, only returned on POST request.
  - `custom_claims: optional array of { name, required, scope, source }`
    - `name: optional string` The name of the claim.
    - `required: optional boolean` If the claim is required when building an OIDC token.
    - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
      - `"groups"`
      - `"profile"`
      - `"email"`
      - `"openid"`
    - `source: optional { name, name_by_idp }`
      - `name: optional string` The name of the IdP claim.
      - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
  - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
    - `"authorization_code"`
    - `"authorization_code_with_pkce"`
    - `"refresh_tokens"`
    - `"hybrid"`
    - `"implicit"`
  - `group_filter_regex: optional string` A regex to filter the Cloudflare groups returned in the ID token and the userinfo endpoint.
  - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
    - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
    - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
  - `public_key: optional string` The Access public certificate that will be used to verify your identity.
  - `redirect_uris: optional array of string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
  - `refresh_token_options: optional { lifetime }`
    - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
  - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with Access. The `offline_access` scope will be automatically enabled if refresh tokens are enabled.
    - `"openid"`
    - `"groups"`
    - `"email"`
    - `"profile"`

### SaaS App Name ID Format

- `SaaSAppNameIDFormat = "id" or "email"` The format of the name identifier sent to the SaaS application.
  - `"id"`
  - `"email"`

### SAML SaaS App

- `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
  - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is `"saml"`.
    - `"saml"`
    - `"oidc"`
  - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
  - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
    - `friendly_name: optional string` The SAML FriendlyName of the attribute.
    - `name: optional string` The name of the attribute.
    - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
      - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
    - `required: optional boolean` If the attribute is required when building a SAML assertion.
    - `source: optional { name, name_by_idp }`
      - `name: optional string` The name of the IdP attribute.
      - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
        - `idp_id: optional string` The UID of the IdP.
        - `source_name: optional string` The name of the IdP-provided attribute.
  - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
  - `idp_entity_id: optional string` The unique identifier for your SaaS application.
  - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
    - `"id"`
    - `"email"`
  - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
  - `public_key: optional string` The Access public certificate that will be used to verify your identity.
  - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform `id`, `email`, `name`, and `groups` values. It can also transform fields listed in the `saml_attributes` or `oidc_fields` of the identity provider used to authenticate. The output of this expression must be a JSON object.
  - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
  - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.

### SCIM Config Authentication HTTP Basic

- `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
  - `password: string` Password used to authenticate with the remote SCIM service.
  - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
    - `"httpbasic"`
  - `user: string` User name used to authenticate with the remote SCIM service.

### SCIM Config Authentication OAuth Bearer Token

- `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
  - `token: string` Token used to authenticate with the remote SCIM service.
  - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
    - `"oauthbearertoken"`

### SCIM Config Authentication Oauth2

- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
  - `authorization_url: string` URL used to generate the auth code used during token generation.
  - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
  - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
  - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
    - `"oauth2"`
  - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
  - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

### SCIM Config Mapping

- `SCIMConfigMapping { schema, enabled, filter, 3 more }` Transformations and filters applied to resources before they are provisioned in the remote SCIM service.
  - `schema: string` Which SCIM resource type this mapping applies to.
  - `enabled: optional boolean` Whether or not this mapping is enabled.
  - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
  - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
    - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
    - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
    - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
  - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
    - `"strict"`
    - `"passthrough"`
  - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.

### Self Hosted Domains

- `SelfHostedDomains = string` A domain that Access will secure.

### Application List Response

- `ApplicationListResponse = { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more`
  - `SelfHostedApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to `true`, users can authenticate to this application using their WARP session. When set to `false`, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in `ai-controls`. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in `ai-controls`.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a re-usable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `"allow"`
- `"deny"`
- `"non_identity"`
- `"bypass"`
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
- `GroupRule { group }` Matches an Access group.
- `group: { id }`
- `id: string` The ID of a previously created Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
- `any_valid_service_token: { }` An empty object which matches on all service tokens.
- `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `auth_context: { id, ac_id, identity_provider_id }`
- `id: string` The ID of an Authentication context.
- `ac_id: string` The ACID of an Authentication context.
- `identity_provider_id: string` The ID of your Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
- `auth_method: { auth_method }`
- `auth_method: string` The type of authentication method, as defined in [RFC 8176, section 2](https://datatracker.ietf.org/doc/html/rfc8176#section-2).
- `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `azureAD: { id, identity_provider_id }`
- `id: string` The ID of an Azure group.
- `identity_provider_id: string` The ID of your Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate.
- `certificate: { }`
- `AccessCommonNameRule { common_name }` Matches a specific common name.
- `common_name: { common_name }`
- `common_name: string` The common name to match.
- `CountryRule { geo }` Matches a specific country.
- `geo: { country_code }`
- `country_code: string` The country code that should be matched.
- `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
- `device_posture: { integration_uid }`
- `integration_uid: string` The ID of a device posture integration.
- `DomainRule { email_domain }` Matches an entire email domain.
- `email_domain: { domain }`
- `domain: string` The email domain to match.
- `EmailListRule { email_list }` Matches an email address from a list.
- `email_list: { id }`
- `id: string` The ID of a previously created email list.
- `EmailRule { email }` Matches a specific email.
- `email: { email }`
- `email: string` The email of the user.
- `EveryoneRule { everyone }` Matches everyone.
- `everyone: { }` An empty object which matches on all users.
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
- `external_evaluation: { evaluate_url, keys_url }`
- `evaluate_url: string` The API endpoint containing your business logic.
- `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
- `"github-organization": { identity_provider_id, name, team }`
- `identity_provider_id: string` The ID of your GitHub identity provider.
- `name: string` The name of the organization.
- `team: optional string` The name of the team.
- `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `gsuite: { email, identity_provider_id }`
- `email: string` The email of the Google Workspace group.
- `identity_provider_id: string` The ID of your Google Workspace identity provider.
- `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
- `login_method: { id }`
- `id: string` The ID of an identity provider.
- `IPListRule { ip_list }` Matches an IP address from a list.
- `ip_list: { id }`
- `id: string` The ID of a previously created IP list.
- `IPRule { ip }` Matches an IP address block.
- `ip: { ip }`
- `ip: string` An IPv4 or IPv6 CIDR block.
- `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
- `okta: { identity_provider_id, name }`
- `identity_provider_id: string` The ID of your Okta identity provider.
- `name: string` The name of the Okta group.
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
- `saml: { attribute_name, attribute_value, identity_provider_id }`
- `attribute_name: string` The name of the SAML attribute.
- `attribute_value: string` The SAML attribute value to look for.
- `identity_provider_id: string` The ID of your SAML identity provider.
- `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
- `oidc: { claim_name, claim_value, identity_provider_id }`
- `claim_name: string` The name of the OIDC claim.
- `claim_value: string` The OIDC claim value to look for.
- `identity_provider_id: string` The ID of your OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
- `service_token: { token_id }`
- `token_id: string` The ID of a Service Token.
- `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `linked_app_token: { app_uid }`
- `app_uid: string` The ID of an Access OIDC SaaS application.
- `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `user_risk_score: { user_risk_score }`
- `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
- `"low"`
- `"medium"`
- `"high"`
- `"unscored"`
- `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
- `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
- `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
- `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate.
- `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country.
- `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
- `DomainRule { email_domain }` Matches an entire email domain.
- `EmailListRule { email_list }` Matches an email address from a list.
- `EmailRule { email }` Matches a specific email.
- `EveryoneRule { everyone }` Matches everyone.
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
- `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
- `IPListRule { ip_list }` Matches an IP address from a list.
- `IPRule { ip }` Matches an IP address block.
- `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
- `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
- `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
- `"totp"`
- `"biometrics"`
- `"security_key"`
- `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: optional string` The name of the Access policy.
- `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
- `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
- `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate.
- `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country.
- `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
- `DomainRule { email_domain }` Matches an entire email domain.
- `EmailListRule { email_list }` Matches an email address from a list.
- `EmailRule { email }` Matches a specific email.
- `EveryoneRule { everyone }` Matches everyone.
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
- `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
- `IPListRule { ip_list }` Matches an IP address from a list.
- `IPRule { ip }` Matches an IP address block.
- `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
- `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
- `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
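The `include` (OR), `require` (AND) and `exclude` (NOT) semantics described for a policy, together with `precedence` ordering, worked through as an added Python example; this is not Cloudflare's code. The identity fields (`email`, `country_code`, `ip`, `service_token_id`), the first-match-by-precedence ordering, the "empty include matches nobody" behaviour and the sample policies are this example's own constructions, and only a handful of the rule types on the page are implemented.

```python
"""Added example: evaluate an Access-style policy's include / require / exclude
rule lists with OR / AND / NOT semantics, then pick a decision by precedence.

Everything here is constructed for illustration. Rule shapes follow the page
(everyone, email, email_domain, geo, ip, service_token, any_valid_service_token);
the evaluator, identity format and ordering are this example's own, not
Cloudflare's implementation."""
import ipaddress
from typing import Any, Dict, List, Optional

Rule = Dict[str, Any]      # e.g. {"email_domain": {"domain": "example.com"}}
Policy = Dict[str, Any]    # subset of the policy object: decision, precedence, include, require, exclude
Identity = Dict[str, Any]  # constructed request context: email, country_code, ip, service_token_id


def rule_matches(rule: Rule, who: Identity) -> bool:
    """True if one AccessRule object matches the identity.

    Only a subset of the page's rule types is implemented; anything else raises,
    so a mistyped rule fails closed instead of silently matching."""
    [(kind, body)] = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return who.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        domain = who.get("email", "").rpartition("@")[2]
        return domain.lower() == body["domain"].lower()
    if kind == "geo":
        return who.get("country_code") == body["country_code"]
    if kind == "ip":
        src = who.get("ip")
        if src is None:
            return False
        # Mixed IPv4/IPv6 comparisons simply return False here.
        return ipaddress.ip_address(src) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "service_token":
        return who.get("service_token_id") == body["token_id"]
    if kind == "any_valid_service_token":
        return who.get("service_token_id") is not None
    raise ValueError(f"unsupported rule type: {kind}")


def policy_matches(policy: Policy, who: Identity) -> bool:
    """include is OR-ed, require is AND-ed, exclude is NOT-ed.

    An empty include list matches nobody (assumption of this example); empty
    require / exclude lists impose no constraint."""
    if not any(rule_matches(r, who) for r in policy.get("include", [])):
        return False
    if not all(rule_matches(r, who) for r in policy.get("require", [])):
        return False
    if any(rule_matches(r, who) for r in policy.get("exclude", [])):
        return False
    return True


def decide(policies: List[Policy], who: Identity) -> Optional[str]:
    """Walk policies in ascending precedence and return the first matching
    decision (allow / deny / non_identity / bypass), or None if none matched.
    First-match-wins ordering is an assumption of this example."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy["decision"]
    return None


# Constructed sample policies for one application.
SAMPLE_POLICIES: List[Policy] = [
    {   # service-to-service calls: any valid service token, no user identity
        "name": "service tokens", "precedence": 1, "decision": "non_identity",
        "include": [{"any_valid_service_token": {}}],
    },
    {   # staff from the corporate range, but never the shared contractor mailbox
        "name": "staff", "precedence": 2, "decision": "allow",
        "include": [{"email_domain": {"domain": "example.com"}}],
        "require": [{"geo": {"country_code": "US"}}, {"ip": {"ip": "203.0.113.0/24"}}],
        "exclude": [{"email": {"email": "contractor@example.com"}}],
    },
]

if __name__ == "__main__":
    alice = {"email": "alice@example.com", "country_code": "US", "ip": "203.0.113.10"}
    print(decide(SAMPLE_POLICIES, alice))  # allow
```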
- `updated_at: optional string`
- `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
- `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
- `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
- `remote_uri: string` The base URI for the application's SCIM-compatible API.
- `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
- `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
- `password: string` Password used to authenticate with the remote SCIM service.
- `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
- `"httpbasic"`
- `user: string` User name used to authenticate with the remote SCIM service.
- `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `token: string` Token used to authenticate with the remote SCIM service.
- `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
- `"oauthbearertoken"`
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
- `authorization_url: string` URL used to generate the auth code used during token generation.
- `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
- `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
- `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
- `"oauth2"`
- `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
- `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
- `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"`
- `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
- `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
- `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
- `"access_service_token"`
- `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
- `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
- `schema: string` Which SCIM resource type this mapping applies to.
- `enabled: optional boolean` Whether or not this mapping is enabled.
- `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
- `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
- `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
- `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
- `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
- `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
- `"strict"`
- `"passthrough"`
- `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
- `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
- `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
- `id: optional string` UUID.
- `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
- `aud: optional string` Audience tag.
- `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
- `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
- `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
- `name: optional string` The name of the application.
- `policies: optional array of { id, approval_groups, approval_required, 14 more }`
- `id: optional string` The UUID of the policy.
- `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
- `approvals_needed: number` The number of approvals needed to obtain access.
- `email_addresses: optional array of string` A list of emails that can approve the access request.
- `email_list_uuid: optional string` The UUID of a reusable email list.
- `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
- `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
- `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
- `"text"`
- `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
- `"text"`
- `created_at: optional string`
- `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
- `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
- `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
- `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate.
- `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country.
- `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
- `DomainRule { email_domain }` Matches an entire email domain.
- `EmailListRule { email_list }` Matches an email address from a list.
- `EmailRule { email }` Matches a specific email.
- `EveryoneRule { everyone }` Matches everyone.
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
- `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
- `IPListRule { ip_list }` Matches an IP address from a list.
- `IPRule { ip }` Matches an IP address block.
- `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
- `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
- `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
- `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
- `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
- `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate.
- `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country.
- `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
- `DomainRule { email_domain }` Matches an entire email domain.
- `EmailListRule { email_list }` Matches an email address from a list.
- `EmailRule { email }` Matches a specific email.
- `EveryoneRule { everyone }` Matches everyone.
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
- `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
- `IPListRule { ip_list }` Matches an IP address from a list.
- `IPRule { ip }` Matches an IP address block.
- `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
- `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
- `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
- `"totp"`
- `"biometrics"`
- `"security_key"`
- `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
- `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: optional string` The name of the Access policy.
- `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
- `GroupRule { group }` Matches an Access group.
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
- `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
- `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate.
- `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country.
- `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
- `DomainRule { email_domain }` Matches an entire email domain.
- `EmailListRule { email_list }` Matches an email address from a list.
- `EmailRule { email }` Matches a specific email.
- `EveryoneRule { everyone }` Matches everyone.
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
- `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
- `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
- `IPListRule { ip_list }` Matches an IP address from a list.
- `IPRule { ip }` Matches an IP address block.
- `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
- `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
- `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
- `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: optional string`
- `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
- `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
- `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
- `"saml"`
- `"oidc"`
- `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
- `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
- `friendly_name: optional string` The SAML FriendlyName of the attribute.
- `name: optional string` The name of the attribute.
- `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: optional boolean` If the attribute is required when building a SAML assertion. - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP attribute. - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name. - `idp_id: optional string` The UID of the IdP. - `source_name: optional string` The name of the IdP provided attribute. - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IDP initiated logins. - `idp_entity_id: optional string` The unique identifier for your SaaS application. - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: optional string` A [JSONata] (https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. 
The output of this expression must be a JSON object. - `sp_entity_id: optional string` A globally unique name for an identity or service provider. - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }` - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: optional boolean` If true, a client secret is not required on the token endpoint when the authorization_code_with_pkce grant is used. - `app_launcher_url: optional string` The URL where this application's tile redirects users. - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: optional string` The application client ID. - `client_secret: optional string` The application client secret. It is only returned in the response to the POST (create) request, so it must be captured at creation time. - `custom_claims: optional array of { name, required, scope, source }` - `name: optional string` The name of the claim. - `required: optional boolean` If the claim is required when building an OIDC token. - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP claim. - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
- `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint. - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }` - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint. - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `redirect_uris: optional array of string` The permitted URLs to which Cloudflare may return Authorization codes and Access/ID tokens. - `refresh_token_options: optional { lifetime }` - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access. The "offline_access" scope is enabled automatically if refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API.
- `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme Access uses when making SCIM requests to this application. One of the following: - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. 
- `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `BrowserSSHApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. 
- `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in `ai-controls`. Access secures the MCP server when it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server ID configured in `ai-controls`. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access.
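The schema above states several duration formats (`session_duration` and the `grant` lifetimes in Go-style `300ms`/`2h45m` notation, `access_token_lifetime` in m/h between 1m and 24h, `refresh_token_options.lifetime` in m/h/d longer than 1m, `mfa_config.session_duration` in m/h between 0m and 720h) and the redirect-URI rules for dynamic client registration. The following is an added example, not Cloudflare's code, that checks a request body against those stated constraints before it is sent. The limits come from the field descriptions; the function names, the `dcr` dict layout mirroring the schema keys, and the assumption that the localhost/loopback switches ignore scheme and port are this example's own.

```python
import re
from urllib.parse import urlsplit

# Added example (not Cloudflare's code): client-side checks for the duration
# formats and the dynamic_client_registration redirect-URI rules described in
# the Access application schema. Limits come from the field descriptions;
# function names and the dict layout for redirect_uri_allowed() are our own.

# session_duration, grant.access_token_lifetime, grant.session_duration:
# "300ms" / "2h45m" style with units ns, us (or µs), ms, s, m, h.
# Integer counts only; the result is nanoseconds so no float rounding creeps in.
_GO_UNIT_NS = {"ns": 1, "us": 10**3, "µs": 10**3, "ms": 10**6,
               "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_GO_PART = re.compile(r"(\d+)(ns|us|µs|ms|s|m|h)")


def parse_go_duration(value: str) -> int:
    """Return the duration in nanoseconds; ValueError if the format is wrong."""
    pos, total = 0, 0
    for m in _GO_PART.finditer(value):
        if m.start() != pos:  # gap or junk between components ("2h 45m", "2hx45m")
            raise ValueError(f"bad duration {value!r}")
        total += int(m.group(1)) * _GO_UNIT_NS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(value):  # empty, unit-less, unknown unit, trailing junk
        raise ValueError(f"bad duration {value!r}")
    return total


_SIMPLE_UNIT_S = {"m": 60, "h": 3600, "d": 86400}


def _simple_seconds(value: str, allowed_units: str) -> int:
    """"<integer><unit>" with a single unit drawn from allowed_units."""
    m = re.fullmatch(r"(\d+)([mhd])", value)
    if not m or m.group(2) not in allowed_units:
        raise ValueError(f"{value!r}: expected an integer followed by one of {allowed_units!r}")
    return int(m.group(1)) * _SIMPLE_UNIT_S[m.group(2)]


def oidc_access_token_lifetime(value: str) -> int:
    """saas_app.access_token_lifetime: units m,h; 1m <= value <= 24h."""
    s = _simple_seconds(value, "mh")
    if not 60 <= s <= 24 * 3600:
        raise ValueError(f"{value!r}: must be between 1m and 24h")
    return s


def refresh_token_lifetime(value: str) -> int:
    """refresh_token_options.lifetime: units m,h,d; strictly longer than 1m."""
    s = _simple_seconds(value, "mhd")
    if s <= 60:
        raise ValueError(f"{value!r}: must be longer than 1m")
    return s


def mfa_session_duration(value: str) -> int:
    """mfa_config.session_duration: units m,h; 0m <= value <= 720h."""
    s = _simple_seconds(value, "mh")
    if s > 720 * 3600:
        raise ValueError(f"{value!r}: maximum is 720h")
    return s


VALIDATORS = {
    "session_duration": parse_go_duration,
    "access_token_lifetime": oidc_access_token_lifetime,
    "refresh_token_lifetime": refresh_token_lifetime,
    "mfa_session_duration": mfa_session_duration,
}


def is_valid(field: str, value: str) -> bool:
    """True if value satisfies the documented constraint for field."""
    try:
        VALIDATORS[field](value)
        return True
    except ValueError:
        return False


def redirect_uri_allowed(uri: str, dcr: dict) -> bool:
    """Apply the dynamic_client_registration rules to a redirect URI a client
    wants to register. dcr uses the schema's keys: enabled, allowed_uris,
    allow_any_on_localhost, allow_any_on_loopback."""
    if not dcr.get("enabled"):
        return False
    parts = urlsplit(uri)
    host = parts.hostname or ""
    # Assumption: the localhost/loopback escape hatches ignore scheme and port.
    if host == "localhost" and dcr.get("allow_any_on_localhost"):
        return True
    if host == "127.0.0.1" and dcr.get("allow_any_on_loopback"):
        return True
    if parts.scheme != "https":  # allowed_uris must use https
        return False
    for allowed in dcr.get("allowed_uris", []):
        if allowed.endswith("/*"):
            # "/*" matches every sub-path; keep the "/" so "/cb/*" cannot match "/cb-evil"
            if uri.startswith(allowed[:-1]):
                return True
        elif uri == allowed:
            return True
    return False


SAMPLE_DCR = {  # constructed sample configuration
    "enabled": True,
    "allowed_uris": ["https://app.example.com/callback", "https://app.example.com/oauth/*"],
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
}
```

Normalize the URI (lower-case scheme and host, resolve dot-segments) before calling `redirect_uri_allowed`, since the comparison is on the raw string. Leave `allow_any_on_localhost` and `allow_any_on_loopback` off unless local tooling needs them: with either on, any registering client may name a localhost redirect, which widens who can obtain a client for the application.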
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name.
This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } Because that value carries the client secret, handle this header the same way as `CF-Access-Client-Secret` and keep it out of request logs. - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme Access uses when making SCIM requests to this application. One of the following: - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
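The policy schema above defines three rule lists with different logic (`include` is OR, `require` is AND, `exclude` is NOT), a `precedence` that orders policies within an application and a `decision` that applies when a policy matches. The following is an added example, not Cloudflare's implementation, that evaluates those semantics over a caller's identity so the interaction between the three lists and precedence can be tested offline. The inner field names of rule bodies (`{"email": {"email": ...}}`, `{"ip": {"ip": ...}}` and so on), the identity dict, the `decision` strings and the assumption that no matching policy means deny are this example's own; the page lists only the rule type names.

```python
import ipaddress

# Added example, not Cloudflare's implementation: evaluates include (OR),
# require (AND) and exclude (NOT) as described in the Access policy schema,
# walks policies in precedence order and returns the first match's decision.
# Rule bodies and the identity dict are shapes assumed for this example.


def rule_matches(rule: dict, ident: dict) -> bool:
    """One AccessRule against one caller. Unknown rule types fail closed."""
    (kind, body), = rule.items()
    email = ident.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":
        return email.endswith("@" + body["domain"].lower())
    if kind == "group":
        return body["id"] in ident.get("groups", ())
    if kind == "geo":
        return ident.get("country") == body["country_code"]
    if kind == "ip":
        if not ident.get("ip"):
            return False
        return ipaddress.ip_address(ident["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "any_valid_service_token":
        return bool(ident.get("service_token_valid"))
    raise ValueError(f"unsupported rule type {kind!r}")


def policy_matches(policy: dict, ident: dict) -> bool:
    include = policy.get("include", [])
    require = policy.get("require", [])
    exclude = policy.get("exclude", [])
    # Include: OR. With no include rules nobody matches.
    if not any(rule_matches(r, ident) for r in include):
        return False
    # Require: AND. An empty list imposes nothing.
    if not all(rule_matches(r, ident) for r in require):
        return False
    # Exclude: NOT. Any hit removes the caller.
    if any(rule_matches(r, ident) for r in exclude):
        return False
    return True


def decide(policies: list, ident: dict) -> str:
    """First matching policy in precedence order wins. No match denies
    (assumed default; the page states no fallback)."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ident):
            return policy["decision"]
    return "deny"


SAMPLE_POLICIES = [  # constructed sample data
    {"name": "Contractors only from the office", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "Staff and contractors in the US", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"email_domain": {"domain": "contractor.example"}}],
     "require": [{"geo": {"country_code": "US"}}],
     "exclude": [{"email": {"email": "offboarded@example.com"}}]},
    {"name": "CI pipelines", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
]
```

Unknown rule types raise instead of evaluating to False, so a policy that references a rule the evaluator does not understand cannot be mistaken for a non-match; that matters most for `exclude` lists, where a silently ignored rule would widen access. The sample shows why precedence matters: the deny policy for off-network contractors only works because it sorts ahead of the broader allow.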
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. 
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. 
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

    ```json
    {
      "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"
    }
    ```

  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, id, allowed_idps, 15 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the log in button on the landing page.
    - `button_text_color: optional string` The color of the text in the log in button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
        Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access.
    This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context.
        Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator.
      A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
        Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by `.proxy.cloudflare-gateway.com`.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator.
      A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication { id, app_launcher_visible, aud, 6 more }`
  - `id: optional string` UUID.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `domain: optional string` The URL or domain of the bookmark.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `InfrastructureApplication { target_criteria, type, id, 3 more }`
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `aud: optional string` Audience tag.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, connection_rules, created_at, 6 more }`
    - `id: optional string` The UUID of the policy.
    - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
      - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `name: optional string` The name of the Access policy.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `updated_at: optional string`
- `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. 
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. 
- `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. 
The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. 
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. 
- `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. 
The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. 
Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. 
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. 
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }`
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
### Application Get Response

- `ApplicationGetResponse = { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more`
  - `SelfHostedApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
          - `group: { id }`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `any_valid_service_token: { }` An empty object which matches on all service tokens.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: { id, ac_id, identity_provider_id }`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `auth_method: { auth_method }`
            - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: { id, identity_provider_id }`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
          - `certificate: { }`
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `common_name: { common_name }`
            - `common_name: string` The common name to match.
        - `CountryRule { geo }` Matches a specific country.
          - `geo: { country_code }`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `device_posture: { integration_uid }`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule { email_domain }` Matches an entire email domain.
          - `email_domain: { domain }`
            - `domain: string` The email domain to match.
        - `EmailListRule { email_list }` Matches an email address from a list.
          - `email_list: { id }`
            - `id: string` The ID of a previously created email list.
        - `EmailRule { email }` Matches a specific email.
          - `email: { email }`
            - `email: string` The email of the user.
        - `EveryoneRule { everyone }` Matches everyone.
          - `everyone: { }` An empty object which matches on all users.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: { evaluate_url, keys_url }`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": { identity_provider_id, name, team }`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team: optional string` The name of the team.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: { email, identity_provider_id }`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
          - `login_method: { id }`
            - `id: string` The ID of an identity provider.
        - `IPListRule { ip_list }` Matches an IP address from a list.
          - `ip_list: { id }`
            - `id: string` The ID of a previously created IP list.
        - `IPRule { ip }` Matches an IP address block.
          - `ip: { ip }`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `okta: { identity_provider_id, name }`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `saml: { attribute_name, attribute_value, identity_provider_id }`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: { claim_name, claim_value, identity_provider_id }`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `service_token: { token_id }`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: { app_uid }`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
          - `user_risk_score: { user_risk_score }`
            - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value is interpreted as a JSON object of the form `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`. - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The credentials Access presents to the application's SCIM API: one of the schemes below, or an array of them (`AccessSCIMConfigMultiAuthentication`). - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `password: string` Password used to authenticate with the remote SCIM service. - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application. - `"httpbasic"` - `user: string` User name used to authenticate with the remote SCIM service. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `token: string` Token used to authenticate with the remote SCIM service. - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
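Worked example (added here; not Cloudflare's code or SDK) of the rule semantics the `include`, `require` and `exclude` fields above describe, together with both ways a service token can be presented under `read_service_tokens_from_header`. The two token strings are the illustration values the field description above uses; the header name `X-Access-Token`, the token store, the `grp-engineering` group id and the policies are constructed for the example. It assumes two things this page does not state: policies are tried in ascending `precedence` order, the first match decides and no match means deny; and the header pair is consulted before the single JSON header.

```python
"""Offline model of Access policy evaluation (added example, not Cloudflare's code).

include = OR, require = AND, exclude = NOT, per the field descriptions above.
Assumed here, not stated on the page: ascending `precedence` order, first
match decides, no match means deny, header pair checked before single header.
"""
import hmac
import ipaddress
import json

# Constructed token store: token id -> (client id, client secret). The two
# values are the illustration strings from the `read_service_tokens_from_header`
# description; they are not real credentials.
SERVICE_TOKENS = {
    "tok-ci": ("88bf3b6d86161464f6509f7219099e57.access.example.com",
               "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"),
}


def service_token_id(headers, single_header=None):
    """Id of the valid service token in `headers`, else None.

    `single_header` is the application's `read_service_tokens_from_header`
    value (assumed name "X-Access-Token" in the tests); when set, a JSON object
    in that header is accepted in place of the CF-Access-Client-Id /
    CF-Access-Client-Secret pair.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cid, secret = h.get("cf-access-client-id"), h.get("cf-access-client-secret")
    if (cid is None or secret is None) and single_header:
        try:
            obj = json.loads(h.get(single_header.lower(), ""))
            cid, secret = obj.get("cf-access-client-id"), obj.get("cf-access-client-secret")
        except (ValueError, AttributeError):
            return None  # malformed JSON is "no token", never a wildcard
    if not (isinstance(cid, str) and isinstance(secret, str)) or not cid or not secret:
        return None
    for tid, (known_id, known_secret) in SERVICE_TOKENS.items():
        # constant-time comparison: the secret check must not leak via timing
        if known_id == cid and hmac.compare_digest(known_secret, secret):
            return tid
    return None


def rule_matches(rule, ctx):
    """True if one AccessRule object, e.g. {"email": {"email": ...}}, matches.

    Only a subset of the rule types listed above is modelled; unknown
    rule types raise so a typo in a policy is never silently ignored.
    """
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx["email"].lower() == body["email"].lower()
    if kind == "email_domain":
        return ctx["email"].lower().rpartition("@")[2] == body["domain"].lower()
    if kind == "ip":
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return ctx["country_code"] == body["country_code"]
    if kind == "group":
        return body["id"] in ctx["groups"]
    if kind == "auth_method":  # an RFC 8176 "amr" value such as "mfa" or "hwk"
        return body["auth_method"] in ctx["auth_methods"]
    if kind == "any_valid_service_token":
        return ctx["service_token_id"] is not None
    if kind == "service_token":
        return ctx["service_token_id"] == body["token_id"]
    raise ValueError(f"unsupported rule type: {kind}")


def policy_matches(policy, ctx):
    """An empty or missing `include` never matches; `require`/`exclude` may be empty."""
    inc, req, exc = (policy.get(k) or [] for k in ("include", "require", "exclude"))
    return (any(rule_matches(r, ctx) for r in inc)
            and all(rule_matches(r, ctx) for r in req)
            and not any(rule_matches(r, ctx) for r in exc))


def evaluate(policies, ctx):
    """(decision, policy name) of the first matching policy in precedence order."""
    for p in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(p, ctx):
            return p["decision"], p["name"]
    return "deny", None


def open_to_everyone(policy):
    """Lint: an allow policy any identity satisfies (`everyone` in include, no require)."""
    return (policy.get("decision") == "allow"
            and any("everyone" in r for r in policy.get("include") or [])
            and not policy.get("require"))


# Constructed policies in the shape of the `policies` array listed above.
SAMPLE_POLICIES = [
    {"name": "block contractors", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}]},
    {"name": "engineering, office network, MFA", "precedence": 2, "decision": "allow",
     "include": [{"group": {"id": "grp-engineering"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}},
                 {"auth_method": {"auth_method": "mfa"}}],
     "exclude": [{"geo": {"country_code": "KP"}}]},
    {"name": "ci service token", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
]
```

`open_to_everyone` is the check worth running over every policy set: an `allow` policy with `everyone` in `include` and an empty `require` admits any identity that can log in, which is rarely what the author meant. The context dict an evaluation receives (`email`, `ip`, `country_code`, `groups`, `auth_methods`, `service_token_id`) is the example's own shape; in production those values come from the IdP assertion, the connecting address and the service-token check.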
- `"oauthbearertoken"` - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `authorization_url: string` URL used to generate the auth code used during token generation. - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service. - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service. - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application. - `"oauth2"` - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service. - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `create: optional boolean` Whether or not this mapping applies to create (POST) operations. 
- `delete: optional boolean` Whether or not this mapping applies to DELETE operations. - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `"strict"` - `"passthrough"` - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }` - `id: optional string` UUID. 
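An added example (not Cloudflare's code) that turns the `mappings` fields listed above (`schema`, `filter`, `operations`, `strictness`) and `deactivate_on_delete` into the outbound SCIM request a provisioning run would send, on a constructed user resource. The target's attribute set, the `remote_uri`, the resource, and two defaults it assumes (a missing `operations` flag means the mapping does not apply to that operation; `strictness` defaults to `strict`) are the example's own. SCIM filter support is limited to `attr eq "value"` and `attr eq true` clauses joined by `and`, and `transform_jsonata` is not evaluated.

```python
"""Outbound SCIM request implied by one `mappings` entry plus `deactivate_on_delete`.
Added example, not Cloudflare's code; defaults noted inline are assumptions."""
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"   # RFC 7644 PatchOp schema
# Attributes the (constructed) target application declares; `strict` drops the rest.
TARGET_ATTRS = {"schemas", "id", "externalId", "userName", "active", "name", "emails"}

_CLAUSE = re.compile(r'^\s*([\w.]+)\s+eq\s+(?:"([^"]*)"|(true|false))\s*$')


def filter_matches(expr, resource):
    """Evaluate the subset `attr eq "x"` / `attr eq true`, clauses joined by `and`.

    Anything else raises: a filter that silently failed open would provision
    every user, so refusing to guess is the safe default.
    """
    if not expr:
        return True
    for clause in expr.split(" and "):
        m = _CLAUSE.match(clause)
        if not m:
            raise ValueError(f"unsupported SCIM filter clause: {clause!r}")
        value = resource
        for part in m.group(1).split("."):           # dotted path, e.g. name.familyName
            value = value.get(part) if isinstance(value, dict) else None
        if m.group(3) is not None:
            if value is not (m.group(3) == "true"):
                return False
        elif value != m.group(2):
            return False
    return True


def plan_request(scim_config, mapping, operation, resource):
    """(method, path, body) for one provisioning call, or None if the mapping
    does not apply. `operation` is "create", "update" or "delete"."""
    ops = mapping.get("operations") or {}
    # Assumption: a missing operations flag means the mapping does not apply.
    if not mapping.get("enabled", True) or not ops.get(operation, False):
        return None
    if mapping["schema"] not in resource.get("schemas", []):
        return None
    if not filter_matches(mapping.get("filter"), resource):
        return None
    base = scim_config["remote_uri"].rstrip("/") + "/Users"
    if operation == "delete":
        if scim_config.get("deactivate_on_delete"):
            body = {"schemas": [PATCH_OP],
                    "Operations": [{"op": "replace", "path": "active", "value": False}]}
            return "PATCH", f"{base}/{resource['id']}", body
        return "DELETE", f"{base}/{resource['id']}", None
    body = dict(resource)
    if mapping.get("strictness", "strict") == "strict":   # assumed default: strict
        body = {k: v for k, v in body.items() if k in TARGET_ATTRS}
    if operation == "create":
        return "POST", base, body
    return "PUT", f"{base}/{resource['id']}", body


def deprovisioning_gap(scim_config):
    """Schemas of enabled mappings that never receive delete operations: users
    removed at the IdP keep their accounts in the target application."""
    return [m["schema"] for m in scim_config.get("mappings") or []
            if m.get("enabled", True) and not (m.get("operations") or {}).get("delete", False)]


# Constructed configuration and resource, in the shape of the listing above.
SCIM_CONFIG = {
    "idp_uid": "idp-0001", "remote_uri": "https://scim.example.com/v2/",
    "enabled": True, "deactivate_on_delete": True,
    "mappings": [{"schema": USER_SCHEMA, "enabled": True,
                  "filter": 'active eq true and name.familyName eq "Liddell"',
                  "operations": {"create": True, "update": True, "delete": True},
                  "strictness": "strict"}],
}
ALICE = {"schemas": [USER_SCHEMA], "id": "2819c223", "externalId": "u-42",
         "userName": "alice@example.com", "active": True,
         "name": {"givenName": "Alice", "familyName": "Liddell"},
         "costCenter": "4130"}   # not in TARGET_ATTRS: dropped under strict
```

`deprovisioning_gap` is the check to run before turning `enabled` on: a mapping whose `operations.delete` is unset never sends a DELETE or a deactivating PATCH, so an account removed at the IdP stays live in the target until someone notices.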
- `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp` - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }` - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the saas app. Required for OIDC. Default if unset is "saml" - `"saml"` - `"oidc"` - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion. - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }` - `friendly_name: optional string` The SAML FriendlyName of the attribute. - `name: optional string` The name of the attribute. - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider. - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"` - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` - `required: optional boolean` If the attribute is required when building a SAML assertion. 
- `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP attribute. - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name. - `idp_id: optional string` The UID of the IdP. - `source_name: optional string` The name of the IdP-provided attribute. - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins. - `idp_entity_id: optional string` The unique identifier for your SaaS application. - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application. - `"id"` - `"email"` - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a single string. The output of this expression can override the `name_id_format` setting. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object. - `sp_entity_id: optional string` A globally unique name for an identity or service provider. - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests. - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }` - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h. - `allow_pkce_without_client_secret: optional boolean` When `true`, the token endpoint does not require a client secret for the authorization_code_with_pkce grant (public clients); otherwise the secret is still required even with PKCE. - `app_launcher_url: optional string` The URL where this application's tile redirects users. - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the saas app. Required for OIDC. - `"saml"` - `"oidc"` - `client_id: optional string` The application client id. - `client_secret: optional string` The application client secret. It is returned only in the response to the POST that creates the application, so capture and store it then; later reads do not return it. - `custom_claims: optional array of { name, required, scope, source }` - `name: optional string` The name of the claim. - `required: optional boolean` If the claim is required when building an OIDC token. - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim. - `"groups"` - `"profile"` - `"email"` - `"openid"` - `source: optional { name, name_by_idp }` - `name: optional string` The name of the IdP claim. - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
- `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application. - `"authorization_code"` - `"authorization_code_with_pkce"` - `"refresh_tokens"` - `"hybrid"` - `"implicit"` - `group_filter_regex: optional string` A regex that filters the Cloudflare groups returned in the ID token and from the userinfo endpoint. - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }` - `return_access_token_from_authorization_endpoint: optional boolean` Whether an access token is returned from the OIDC authorization endpoint. - `return_id_token_from_authorization_endpoint: optional boolean` Whether an ID token is returned from the OIDC authorization endpoint. - `public_key: optional string` The Access public certificate that will be used to verify your identity. - `redirect_uris: optional array of string` The permitted URLs to which Cloudflare returns authorization codes and access/ID tokens. - `refresh_token_options: optional { lifetime }` - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m,h,d. Must be longer than 1m. - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Defines the user information shared with Access; the "offline_access" scope is enabled automatically when refresh tokens are enabled. - `"openid"` - `"groups"` - `"email"` - `"profile"` - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme used when making SCIM requests to this application; one of the variants below.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning through this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `type: optional ApplicationType` The application type.
  - `BrowserSSHApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iframe.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be treated as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in `ai-controls`. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in `ai-controls`.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be enabled if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Requires this application to be served in an isolated browser for users matching this policy.
        'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Requires users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name.
      This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme used when making SCIM requests to this application; one of the variants below.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource instead. Note: some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning through this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
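The `policies` entries above define matching as Include (OR), Require (AND) and Exclude (NOT), ordered by `precedence`. The following Python evaluator is an added illustration of those semantics, not Cloudflare's code: it implements only a handful of the rule kinds listed, the inner key names (`email`, `domain`, `id`, `ip`, `country_code`), the lowercase decision strings and the "first match in precedence order wins" rule are this example's assumptions, and the policies and identities are constructed:

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Identity:
    """What Access knows about the requester; field names are this example's own."""
    email: str = ""
    groups: set = field(default_factory=set)  # Access group IDs
    ip: str = ""
    country: str = ""                          # ISO country code
    valid_service_token: bool = False


def rule_matches(rule: dict, who: Identity) -> bool:
    """Evaluate one AccessRule object ({"<kind>": {...}}) against the identity.

    Supports a subset of the rule kinds listed on the page. The inner key names
    (email, domain, id, ip, country_code) are assumptions, not quoted from the page."""
    (kind, spec), = rule.items()
    if kind == "everyone":
        return True
    if kind == "any_valid_service_token":
        return who.valid_service_token
    if kind == "email":
        return who.email.lower() == spec["email"].lower()
    if kind == "email_domain":
        return who.email.lower().endswith("@" + spec["domain"].lower())
    if kind == "group":
        return spec["id"] in who.groups
    if kind == "geo":
        return who.country.upper() == spec["country_code"].upper()
    if kind == "ip":
        if not who.ip:
            return False
        return ipaddress.ip_address(who.ip) in ipaddress.ip_network(spec["ip"], strict=False)
    raise ValueError(f"unsupported rule kind: {kind}")


def policy_matches(policy: dict, who: Identity) -> bool:
    """Include is OR, Require is AND, Exclude is NOT, as the page describes."""
    if not any(rule_matches(r, who) for r in policy.get("include", [])):
        return False  # no Include rule met (an empty list can never match)
    if not all(rule_matches(r, who) for r in policy.get("require", [])):
        return False  # some Require rule not met
    if any(rule_matches(r, who) for r in policy.get("exclude", [])):
        return False  # an Exclude rule met
    return True


def evaluate(policies: list, who: Identity) -> tuple:
    """Walk policies in precedence order; the first match decides.

    Returns (decision, policy name), or ("deny", None) if nothing matched. The
    first-match-by-precedence rule is this example's assumption."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, who):
            return policy["decision"], policy["name"]
    return "deny", None


# Constructed sample policies (not from the page). Decision strings follow the
# lowercase forms the page mentions (allow, non_identity, bypass) plus deny.
SAMPLE_POLICIES = [
    {"name": "Contractors only from the US", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"geo": {"country_code": "US"}}]},
    {"name": "Staff on the office network", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}],
     "exclude": [{"group": {"id": "grp-suspended"}}]},
    {"name": "CI service token", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
]


if __name__ == "__main__":
    alice = Identity(email="alice@example.com", ip="203.0.113.7", country="US")
    print(evaluate(SAMPLE_POLICIES, alice))  # ('allow', 'Staff on the office network')
```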
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines whether users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `BrowserVNCApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iframe.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
    - `cors_headers: optional CORSHeaders`
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application for failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support subdomains and paths. The wildcard `*` can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be treated as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in `ai-controls`. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in `ai-controls`.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed via HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, id, allowed_idps, 15 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the login button on the landing page.
    - `button_text_color: optional string` The color of the text in the login button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies that evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application after failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. 
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. 
This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: optional string` The name of the application. 
- `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication { id, app_launcher_visible, aud, 6 more }` - `id: optional string` UUID. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `domain: optional string` The URL or domain of the bookmark. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. 
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country
      - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `DomainRule { email_domain }` Match an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country
      - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `DomainRule { email_domain }` Match an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country
      - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `DomainRule { email_domain }` Match an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `InfrastructureApplication { target_criteria, type, id, 3 more }`
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `aud: optional string` Audience tag.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, connection_rules, created_at, 6 more }`
    - `id: optional string` The UUID of the policy
    - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
      - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: optional boolean` Enables using Identity Provider email alias as SSH username.
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country
      - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `DomainRule { email_domain }` Match an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country
      - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `DomainRule { email_domain }` Match an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `name: optional string` The name of the Access policy.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country
      - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `DomainRule { email_domain }` Match an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `updated_at: optional string`
- `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country
      - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `DomainRule { email_domain }` Match an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country
      - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `DomainRule { email_domain }` Match an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country
      - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `DomainRule { email_domain }` Match an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (or, with `AccessSCIMConfigMultiAuthentication`, schemes) used when making SCIM requests to this application. One of:
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
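The `dynamic_client_registration` and `grant` settings above are worth checking before they are sent to the API: a permissive redirect-URI allowlist is exactly what lets a hostile, dynamically registered client receive authorization codes. The following is an added example written for this page, not Cloudflare code. It models the rules the reference states (redirect URIs must use `https`, `allowed_uris` paths may end in `/*` to match all sub-paths, `allow_any_on_localhost` / `allow_any_on_loopback` accept any client with a redirect URI host of `localhost` / `127.0.0.1`, and grant lifetimes are `ns`/`us`/`ms`/`s`/`m`/`h` durations such as `2h45m`). The sample configuration is constructed; the rejection of URI fragments, case-insensitive host comparison with 443 as the default `https` port, and leaving scheme and port unconstrained for the localhost/loopback cases are assumptions made here.

```python
"""Checks for an Access `oauth_configuration` object before it is sent to the API.

Added example, not Cloudflare code.  It models rules stated in the API
reference: redirect URIs for dynamically registered clients must use https,
`allowed_uris` entries may end in `/*` to match sub-paths, the localhost and
127.0.0.1 escape hatches, and Go-style duration strings for grant lifetimes.
ASSUMPTIONS: scheme and port are unconstrained for localhost/127.0.0.1; a
redirect URI carrying a fragment is rejected (RFC 6749 forbids fragments
there); host comparison is case-insensitive; a missing https port means 443.
"""
import re
from urllib.parse import urlsplit

# One or more <number><unit> groups, units as listed in the reference.
DURATION_RE = re.compile(r"^(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")


def valid_duration(value: str) -> bool:
    """True for '300ms', '2h45m', '1.5h'; False for '1d', '30 minutes', ''."""
    return bool(DURATION_RE.match(value))


def _normalised(uri: str):
    """(scheme, host, port, path) with lower-cased scheme/host and default https port."""
    p = urlsplit(uri)
    port = p.port if p.port is not None else (443 if p.scheme.lower() == "https" else None)
    return p.scheme.lower(), (p.hostname or "").lower(), port, p.path or "/"


def redirect_uri_allowed(redirect_uri: str, dcr: dict) -> bool:
    """Would this redirect URI be accepted under these dynamic_client_registration settings?"""
    if not dcr.get("enabled", False):
        return False
    if urlsplit(redirect_uri).fragment:
        return False
    scheme, host, port, path = _normalised(redirect_uri)
    # Escape hatches for native/local clients (scheme and port unconstrained: assumption).
    if dcr.get("allow_any_on_localhost") and host == "localhost":
        return True
    if dcr.get("allow_any_on_loopback") and host == "127.0.0.1":
        return True
    if scheme != "https":
        return False
    for allowed in dcr.get("allowed_uris", []):
        a_scheme, a_host, a_port, a_path = _normalised(allowed)
        if a_scheme != "https" or (a_host, a_port) != (host, port):
            continue  # an http entry is itself invalid and never matches
        if a_path.endswith("/*"):
            # Keep the trailing slash so /oauth/* covers /oauth/x but not /oauthx.
            if path.startswith(a_path[:-1]):
                return True
        elif a_path == path:
            return True
    return False


def oauth_configuration_problems(cfg: dict) -> list:
    """Human-readable problems in an oauth_configuration object; empty list means none found."""
    problems = []
    for key, value in cfg.get("grant", {}).items():
        if key in ("access_token_lifetime", "session_duration") and not valid_duration(value):
            problems.append(f"grant.{key}: {value!r} is not a ns/us/ms/s/m/h duration")
    dcr = cfg.get("dynamic_client_registration", {})
    for uri in dcr.get("allowed_uris", []):
        if urlsplit(uri).scheme.lower() != "https":
            problems.append(f"dynamic_client_registration.allowed_uris: {uri!r} must use https")
    if dcr.get("enabled") and not dcr.get("allowed_uris") and not (
        dcr.get("allow_any_on_localhost") or dcr.get("allow_any_on_loopback")
    ):
        problems.append("dynamic_client_registration is enabled but no redirect URI could ever match")
    return problems


# Constructed sample: one invalid lifetime ('1d') and one http allowlist entry.
SAMPLE_OAUTH_CONFIG = {
    "enabled": True,
    "dynamic_client_registration": {
        "enabled": True,
        "allow_any_on_loopback": True,
        "allowed_uris": [
            "https://client.example.com/callback",
            "https://ide.example.com/oauth/*",
            "http://legacy.example.com/cb",
        ],
    },
    "grant": {"access_token_lifetime": "15m", "session_duration": "1d"},
}

if __name__ == "__main__":
    for problem in oauth_configuration_problems(SAMPLE_OAUTH_CONFIG):
        print("problem:", problem)
    dcr = SAMPLE_OAUTH_CONFIG["dynamic_client_registration"]
    for uri in ("https://ide.example.com/oauth/done", "https://client.example.com.attacker.net/callback"):
        print(uri, "->", redirect_uri_allowed(uri, dcr))
```

Run `oauth_configuration_problems` on the object you are about to send; the http allowlist entry and the `1d` lifetime are the kind of thing the API rejects or silently never matches. Note that the loopback escape hatch deliberately skips the `https` requirement, so leave `allow_any_on_localhost` and `allow_any_on_loopback` off unless native clients on the user's machine genuinely need to register.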
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
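The `include` / `require` / `exclude` arrays of a policy combine as OR, AND and NOT respectively, policies run in `precedence` order (which must be unique within an app), and `linked_app_token` rules are only compatible with the `non_identity` and `bypass` decisions. The following is an added example for this page, not Cloudflare's evaluation engine: a local model of those rules that lets you test a policy set against identity contexts before you create it. The inner field names of each rule object (for example `{"email": {"email": ...}}`), the identity-context keys (`email`, `groups`, `country`, `ip`, `service_token_id`), the decision strings, first-match-wins across policies, and the small set of rule types covered are all assumptions for the example; the sample policies are constructed.

```python
"""Local model of how an Access policy's rule lists combine.

Added example, not Cloudflare's evaluation engine.  It encodes what the API
reference states: `include` rules are OR-ed (any one suffices), `require`
rules are AND-ed (all must hold), `exclude` rules are NOT-ed (none may hold),
`precedence` is the execution order and must be unique within an app, and
`linked_app_token` rules need a non_identity or bypass decision.
ASSUMPTIONS: rule inner field names, identity-context keys, decision strings
and first-match-wins ordering are invented for this example.
"""
import ipaddress
from typing import Optional


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Evaluate one AccessRule ({rule_type: {...}}) against an identity context."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ctx.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        return ctx.get("email", "").lower().endswith("@" + body["domain"].lower())
    if kind == "group":
        return body["id"] in ctx.get("groups", ())
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    if kind == "ip":
        if ctx.get("ip") is None:
            return False
        return ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "service_token":
        return ctx.get("service_token_id") == body["token_id"]
    if kind == "any_valid_service_token":
        return ctx.get("service_token_id") is not None
    raise ValueError(f"rule type {kind!r} is not modelled in this example")


def policy_matches(policy: dict, ctx: dict) -> bool:
    """include: OR; require: AND (vacuously true when absent); exclude: NOT."""
    include = policy.get("include", [])
    require = policy.get("require", [])
    exclude = policy.get("exclude", [])
    return (
        any(rule_matches(r, ctx) for r in include)
        and all(rule_matches(r, ctx) for r in require)
        and not any(rule_matches(r, ctx) for r in exclude)
    )


def check_policies(policies: list) -> None:
    """Raise on the two structural constraints the reference states."""
    seen = set()
    for p in policies:
        if p["precedence"] in seen:
            raise ValueError(f"precedence {p['precedence']} used twice; must be unique within an app")
        seen.add(p["precedence"])
        rules = p.get("include", []) + p.get("require", []) + p.get("exclude", [])
        if any("linked_app_token" in r for r in rules) and p["decision"] not in ("non_identity", "bypass"):
            raise ValueError(f"{p['name']}: linked_app_token rules need a non_identity or bypass decision")


def decide(policies: list, ctx: dict) -> Optional[str]:
    """Decision of the first matching policy in precedence order; None when nothing matched."""
    check_policies(policies)
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"]
    return None


# Constructed sample policies.  Decision strings follow the reference's mentions of
# Allow/Block/non_identity/bypass; the exact enum values are an assumption here.
POLICIES = [
    {"name": "Block contractors outside the US", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"geo": {"country_code": "US"}}]},
    {"name": "Staff from the office range", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}, {"group": {"id": "grp-security"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}],
     "exclude": [{"email": {"email": "intern@example.com"}}]},
    {"name": "CI service token", "precedence": 3, "decision": "non_identity",
     "include": [{"service_token": {"token_id": "tok-ci"}}]},
]

if __name__ == "__main__":
    for ctx in ({"email": "alice@example.com", "ip": "203.0.113.7", "country": "US"},
                {"email": "alice@example.com", "ip": "198.51.100.1", "country": "US"},
                {"email": "bob@contractor.example", "ip": "198.51.100.1", "country": "DE"},
                {"service_token_id": "tok-ci", "ip": "203.0.113.9"}):
        print(ctx, "->", decide(POLICIES, ctx))
```

The second context (staff email but from outside the office range) shows why `require` matters: the `include` rule matches, but the AND-ed `require` does not, so the policy is skipped and, with no later policy matching, the model returns `None`. The page does not state what Access does when no policy matches, so the model deliberately returns no decision rather than guessing.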
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (or, with `AccessSCIMConfigMultiAuthentication`, schemes) used when making SCIM requests to this application. One of:
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
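The `destinations` union above (here and in `McpServerApplication`) carries several "when omitted, everything matches" rules that decide how wide an application's footprint really is: a bare IP in `cidr` becomes a /32, an omitted `l4_protocol` matches TCP and UDP, an omitted `port_range` matches all ports, an omitted `vnet_id` matches every VNET, `hostname` is matched against the TLS SNI, public destinations take a domain plus path with `*` wildcards, and `via_mcp_server_portal` entries are keyed by MCP server id. The following is an added example for this page, not Cloudflare code: a matcher that applies those rules so you can check which entry, if any, would secure a given connection before you publish the application. The request-dict shape (`host`, `path`, `ip`, `port`, `proto`, `sni`, `vnet_id`, `mcp_server_id`), the expansion of `*` as "any run of characters" and case-insensitive host comparison are assumptions; the sample destinations are constructed.

```python
"""Model of which Access `destinations` entry secures a given request.

Added example, not Cloudflare code.  It implements the matching rules the API
reference states for PrivateDestination (bare IP in `cidr` is /32; omitted
`l4_protocol` matches TCP and UDP; omitted `port_range` matches all ports;
omitted `vnet_id` matches every VNET; `hostname` matches the TLS SNI),
PublicDestination (domain plus optional path, '*' wildcard) and
ViaMcpServerPortalDestination (matched by MCP server id).
ASSUMPTIONS: '*' expands to "any run of characters"; hosts compare
case-insensitively; the request dict keys are invented for this example.
"""
import ipaddress
import re
from typing import Optional


def _port_in_range(port: int, port_range: Optional[str]) -> bool:
    if port_range is None:
        return True                      # omitted: all ports match
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def private_destination_matches(dest: dict, ip: str, port: int, proto: str,
                                sni: Optional[str] = None, vnet_id: Optional[str] = None) -> bool:
    """Apply every PrivateDestination field that is present; absent fields match anything."""
    if "cidr" in dest:
        # ip_network("10.0.0.5") is 10.0.0.5/32, which is the "single IPs are /32" rule.
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(dest["cidr"], strict=False):
            return False
    if "hostname" in dest and (sni or "").lower() != dest["hostname"].lower():
        return False
    if dest.get("l4_protocol") not in (None, proto):
        return False
    if not _port_in_range(port, dest.get("port_range")):
        return False
    if dest.get("vnet_id") not in (None, vnet_id):
        return False
    return True


def public_destination_matches(dest: dict, host: str, path: str = "/") -> bool:
    """Match 'domain[/path]' with '*' wildcards against a request host and path."""
    dhost, slash, dpath = dest["uri"].partition("/")
    host_re = "^" + re.escape(dhost.lower()).replace(r"\*", ".*") + "$"
    if not re.match(host_re, host.lower()):
        return False
    if not slash:                        # no path in the destination: the whole host is secured
        return True
    path_re = "^/" + re.escape(dpath).replace(r"\*", ".*") + "$"
    return re.match(path_re, path) is not None


def matching_destination(destinations: list, req: dict) -> Optional[dict]:
    """First destination that secures `req`, or None if no entry covers it."""
    for d in destinations:
        kind = d.get("type", "public")
        if kind == "public" and "host" in req:
            if public_destination_matches(d, req["host"], req.get("path", "/")):
                return d
        elif kind == "private" and "ip" in req:
            if private_destination_matches(d, req["ip"], req["port"], req["proto"],
                                           req.get("sni"), req.get("vnet_id")):
                return d
        elif kind == "via_mcp_server_portal" and req.get("mcp_server_id") == d.get("mcp_server_id"):
            return d
    return None


# Constructed sample destinations for one application.
DESTINATIONS = [
    {"type": "public", "uri": "mcp.example.com/admin/*"},
    {"type": "private", "cidr": "10.20.0.0/16", "l4_protocol": "tcp", "port_range": "8000-8100"},
    {"type": "private", "hostname": "db.internal.example", "vnet_id": "vnet-prod"},
    {"type": "via_mcp_server_portal", "mcp_server_id": "my-mcp-server"},
]

if __name__ == "__main__":
    for req in ({"host": "mcp.example.com", "path": "/admin/tools"},
                {"host": "mcp.example.com", "path": "/"},
                {"ip": "10.20.5.5", "port": 8080, "proto": "udp"},
                {"ip": "192.0.2.9", "port": 5432, "proto": "tcp", "sni": "db.internal.example", "vnet_id": "vnet-prod"}):
        print(req, "->", matching_destination(DESTINATIONS, req))
```

Two of the sample requests are instructive: `/` on `mcp.example.com` is not covered because the public entry only secures `/admin/*`, and the UDP request to 10.20.5.5 is not covered because the private entry pins `l4_protocol` to `tcp`. Dropping `l4_protocol` or `port_range` from that entry would widen it to every port and protocol in the /16, which is the behaviour the reference describes for omitted fields.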
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
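The `include`, `exclude` and `require` semantics described for `policies` above (OR, NOT and AND respectively), worked through in Python. This is an added example, not Cloudflare's code: the rule shapes follow the schema on this page, while the identity dictionary, the constructed sample policies, and the first-match-in-ascending-precedence evaluation are assumptions of the example.

```python
"""Evaluate Access policy rule groups the way the schema above describes them.

Constructed example, not Cloudflare's implementation. Rule shapes follow the
schema (e.g. {"email": {"email": "..."}}, {"ip": {"ip": "10.0.0.0/8"}}); the
identity dict, the sample policies and first-match-by-precedence are assumed.
"""
from __future__ import annotations

from ipaddress import ip_address, ip_network
from typing import Any, Dict, List, Optional, Tuple

Rule = Dict[str, Dict[str, Any]]
Identity = Dict[str, Any]


def rule_matches(rule: Rule, identity: Identity) -> bool:
    """Return True if a single AccessRule matches the presented identity."""
    (kind, body), = rule.items()  # every AccessRule object has exactly one key
    if kind == "everyone":
        return True
    if kind == "email":
        return identity.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        _, _, domain = identity.get("email", "").rpartition("@")
        return domain.lower() == body["domain"].lower()
    if kind == "group":
        return body["id"] in identity.get("groups", ())
    if kind == "ip":  # body["ip"] is an IPv4/IPv6 CIDR block per the schema
        addr = identity.get("ip")
        return addr is not None and ip_address(addr) in ip_network(body["ip"], strict=False)
    if kind == "geo":
        return identity.get("country_code") == body["country_code"]
    if kind == "any_valid_service_token":
        return bool(identity.get("service_token_valid", False))
    if kind == "user_risk_score":
        return identity.get("risk_score", "unscored") in body["user_risk_score"]
    raise ValueError(f"unsupported rule type: {kind}")


def policy_matches(policy: Dict[str, Any], identity: Identity) -> bool:
    """Include = OR, Exclude = NOT, Require = AND, as the schema states."""
    include: List[Rule] = policy.get("include", [])
    exclude: List[Rule] = policy.get("exclude", [])
    require: List[Rule] = policy.get("require", [])
    if not any(rule_matches(r, identity) for r in include):
        return False  # must meet at least one Include rule (none configured -> no match)
    if any(rule_matches(r, identity) for r in exclude):
        return False  # must meet none of the Exclude rules
    return all(rule_matches(r, identity) for r in require)  # and every Require rule


def decide(policies: List[Dict[str, Any]], identity: Identity,
           default: str = "deny") -> Tuple[str, Optional[str]]:
    """Walk policies in ascending precedence; the first match wins (assumed here)."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, identity):
            return policy["decision"], policy["name"]
    return default, None  # fail closed when nothing matches


# Constructed sample policies. A deny policy with low precedence sits in front of
# an allow policy, which is the usual way to carve exceptions out of a broad allow.
POLICIES = [
    {"name": "Block contractors from abroad", "precedence": 1, "decision": "deny",
     "include": [{"email_domain": {"domain": "contractor.example"}}],
     "exclude": [{"geo": {"country_code": "US"}}]},
    {"name": "Allow staff on corp network", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"group": {"id": "grp-contractors-approved"}}],
     "require": [{"ip": {"ip": "10.0.0.0/8"}},
                 {"user_risk_score": {"user_risk_score": ["low", "unscored"]}}]},
    {"name": "CI service token", "precedence": 3, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
]

# Constructed identities as the evaluator sees them (not a Cloudflare data shape).
IDENTITIES = {
    "staff_on_corp": {"email": "alice@example.com", "ip": "10.20.30.40",
                      "country_code": "US", "risk_score": "low"},
    "staff_off_network": {"email": "alice@example.com", "ip": "203.0.113.7",
                          "country_code": "US", "risk_score": "low"},
    "contractor_abroad": {"email": "bob@contractor.example", "ip": "10.1.1.1",
                          "country_code": "DE", "groups": ["grp-contractors-approved"]},
    "contractor_in_us": {"email": "bob@contractor.example", "ip": "10.1.1.1",
                         "country_code": "US", "groups": ["grp-contractors-approved"]},
    "ci_service_token": {"service_token_valid": True, "ip": "192.0.2.9"},
}

if __name__ == "__main__":
    for label, ident in IDENTITIES.items():
        print(f"{label:18s} -> {decide(POLICIES, ident)}")
```

Note how the contractor abroad is denied by precedence 1 even though precedence 2 would have allowed them, and how the staff member off the corporate network falls through to the fail-closed default because the `require` rule is evaluated with AND.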
### Application Create Response

- `ApplicationCreateResponse = { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more`
  - `SelfHostedApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: ApplicationType` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: optional CORSHeaders`
      - `allow_all_headers: optional boolean` Allows all HTTP request headers.
      - `allow_all_methods: optional boolean` Allows all HTTP request methods.
      - `allow_all_origins: optional boolean` Allows all origins.
      - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.
      - `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers.
      - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods.
        - `"GET"`
        - `"POST"`
        - `"HEAD"`
        - `"PUT"`
        - `"DELETE"`
        - `"CONNECT"`
        - `"OPTIONS"`
        - `"TRACE"`
        - `"PATCH"`
      - `allowed_origins: optional array of AllowedOrigins` Allowed origins.
      - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached.
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
        - `"allow"`
        - `"deny"`
        - `"non_identity"`
        - `"bypass"`
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
          - `group: { id }`
            - `id: string` The ID of a previously created Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
          - `any_valid_service_token: { }` An empty object which matches on all service tokens.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
          - `auth_context: { id, ac_id, identity_provider_id }`
            - `id: string` The ID of an Authentication context.
            - `ac_id: string` The ACID of an Authentication context.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
          - `auth_method: { auth_method }`
            - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
          - `azureAD: { id, identity_provider_id }`
            - `id: string` The ID of an Azure group.
            - `identity_provider_id: string` The ID of your Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
          - `certificate: { }`
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
          - `common_name: { common_name }`
            - `common_name: string` The common name to match.
        - `CountryRule { geo }` Matches a specific country.
          - `geo: { country_code }`
            - `country_code: string` The country code that should be matched.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
          - `device_posture: { integration_uid }`
            - `integration_uid: string` The ID of a device posture integration.
        - `DomainRule { email_domain }` Matches an entire email domain.
          - `email_domain: { domain }`
            - `domain: string` The email domain to match.
        - `EmailListRule { email_list }` Matches an email address from a list.
          - `email_list: { id }`
            - `id: string` The ID of a previously created email list.
        - `EmailRule { email }` Matches a specific email.
          - `email: { email }`
            - `email: string` The email of the user.
        - `EveryoneRule { everyone }` Matches everyone.
          - `everyone: { }` An empty object which matches on all users.
        - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
          - `external_evaluation: { evaluate_url, keys_url }`
            - `evaluate_url: string` The API endpoint containing your business logic.
            - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
          - `"github-organization": { identity_provider_id, name, team }`
            - `identity_provider_id: string` The ID of your GitHub identity provider.
            - `name: string` The name of the organization.
            - `team: optional string` The name of the team.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
          - `gsuite: { email, identity_provider_id }`
            - `email: string` The email of the Google Workspace group.
            - `identity_provider_id: string` The ID of your Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
          - `login_method: { id }`
            - `id: string` The ID of an identity provider.
        - `IPListRule { ip_list }` Matches an IP address from a list.
          - `ip_list: { id }`
            - `id: string` The ID of a previously created IP list.
        - `IPRule { ip }` Matches an IP address block.
          - `ip: { ip }`
            - `ip: string` An IPv4 or IPv6 CIDR block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
          - `okta: { identity_provider_id, name }`
            - `identity_provider_id: string` The ID of your Okta identity provider.
            - `name: string` The name of the Okta group.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
          - `saml: { attribute_name, attribute_value, identity_provider_id }`
            - `attribute_name: string` The name of the SAML attribute.
            - `attribute_value: string` The SAML attribute value to look for.
            - `identity_provider_id: string` The ID of your SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
          - `oidc: { claim_name, claim_value, identity_provider_id }`
            - `claim_name: string` The name of the OIDC claim.
            - `claim_value: string` The OIDC claim value to look for.
            - `identity_provider_id: string` The ID of your OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
          - `service_token: { token_id }`
            - `token_id: string` The ID of a Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
          - `linked_app_token: { app_uid }`
            - `app_uid: string` The ID of an Access OIDC SaaS application.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
          - `user_risk_score: { user_risk_score }`
            - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
              - `"low"`
              - `"medium"`
              - `"high"`
              - `"unscored"`
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `password: string` Password used to authenticate with the remote SCIM service.
        - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
          - `"httpbasic"`
        - `user: string` User name used to authenticate with the remote SCIM service.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `token: string` Token used to authenticate with the remote SCIM service.
        - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauthbearertoken"`
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `authorization_url: string` URL used to generate the auth code used during token generation.
        - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
        - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
          - `"oauth2"`
        - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
        - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
        - `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
        - `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `"strict"`
        - `"passthrough"`
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
    - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
      - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
        - `"saml"`
        - `"oidc"`
      - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
      - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
        - `friendly_name: optional string` The SAML FriendlyName of the attribute.
        - `name: optional string` The name of the attribute.
        - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
          - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
        - `required: optional boolean` If the attribute is required when building a SAML assertion.
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP attribute.
          - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
            - `idp_id: optional string` The UID of the IdP.
            - `source_name: optional string` The name of the IdP provided attribute.
      - `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
      - `idp_entity_id: optional string` The unique identifier for your SaaS application.
      - `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
        - `"id"`
        - `"email"`
      - `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
      - `sp_entity_id: optional string` A globally unique name for an identity or service provider.
      - `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
    - `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
      - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m, h. Must be greater than or equal to 1m and less than or equal to 24h.
      - `allow_pkce_without_client_secret: optional boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
      - `app_launcher_url: optional string` The URL where this application's tile redirects users.
      - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
        - `"saml"`
        - `"oidc"`
      - `client_id: optional string` The application client ID.
      - `client_secret: optional string` The application client secret, only returned on POST request.
      - `custom_claims: optional array of { name, required, scope, source }`
        - `name: optional string` The name of the claim.
        - `required: optional boolean` If the claim is required when building an OIDC token.
        - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
          - `"groups"`
          - `"profile"`
          - `"email"`
          - `"openid"`
        - `source: optional { name, name_by_idp }`
          - `name: optional string` The name of the IdP claim.
          - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
      - `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
        - `"authorization_code"`
        - `"authorization_code_with_pkce"`
        - `"refresh_tokens"`
        - `"hybrid"`
        - `"implicit"`
      - `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in ID token and userinfo endpoint.
      - `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
        - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
        - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
      - `public_key: optional string` The Access public certificate that will be used to verify your identity.
      - `redirect_uris: optional array of string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
      - `refresh_token_options: optional { lifetime }`
        - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
      - `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with Access. The "offline_access" scope will be automatically enabled if refresh tokens are enabled.
        - `"openid"`
        - `"groups"`
        - `"email"`
        - `"profile"`
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
- `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `type: optional ApplicationType` The application type. - `BrowserSSHApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. 
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

      ```json
      { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
      ```

    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
  - `BrowserVNCApplication { domain, type, id, 30 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
      - `"self_hosted"`
      - `"saas"`
      - `"ssh"`
      - `"vnc"`
      - `"app_launcher"`
      - `"warp"`
      - `"biso"`
      - `"bookmark"`
      - `"dash_sso"`
      - `"infrastructure"`
      - `"rdp"`
      - `"mcp"`
      - `"mcp_portal"`
      - `"proxy_endpoint"`
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: optional CORSHeaders`
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
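The `dynamic_client_registration` and `grant` settings described above fix what redirect URIs a self-registering OAuth client may use (`https` only, optional trailing `/*`, blanket allowances for `localhost` and `127.0.0.1`) and the `300ms` / `2h45m` duration format. The Python below is an added example, not Cloudflare code: it lints those two objects before they are sent in a request body and models the allowlist so you can see which redirect URIs a given configuration admits. The matching rules in `match_redirect_uri` (exact match, a `/*` entry covering its own path and everything beneath it, the localhost and loopback flags waiving the `https` requirement, fragments always rejected) are assumptions about behaviour the reference states only in prose; the fragment rule comes from RFC 6749 section 3.1.2 rather than from this page. The sample settings are constructed for the example.

```python
"""Added example (not Cloudflare code): lint the OAuth settings of an Access
application and model the redirect-URI allowlist described in the reference.

Behaviour not spelled out by the reference is marked ASSUMPTION.
"""
import re
from urllib.parse import urlsplit

# Go-style durations: one or more <number><unit> parts using the units the reference lists.
_DURATION_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3,
                 "s": 1.0, "m": 60.0, "h": 3600.0}


def parse_duration(value: str) -> float:
    """Return the seconds in e.g. '300ms' or '2h45m'; raise ValueError on anything else."""
    pos, total = 0, 0.0
    while pos < len(value):
        part = _DURATION_PART.match(value, pos)
        if part is None:
            raise ValueError(f"invalid duration {value!r} at offset {pos}")
        total += float(part.group(1)) * _UNIT_SECONDS[part.group(2)]
        pos = part.end()
    if pos == 0:
        raise ValueError("empty duration")
    return total


def check_allowed_uri(uri: str) -> None:
    """Raise ValueError unless `uri` is an acceptable allowed_uris entry."""
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise ValueError(f"{uri}: allowed_uris entries must use https")
    if not parts.hostname:
        raise ValueError(f"{uri}: missing host")
    if parts.fragment:
        raise ValueError(f"{uri}: redirect URIs must not carry a fragment (RFC 6749 section 3.1.2)")
    if "*" in uri and not uri.endswith("/*"):
        raise ValueError(f"{uri}: only a trailing '/*' wildcard is described for allowed_uris")


def check_dcr_settings(dcr: dict, grant: dict) -> list:
    """Lint dynamic_client_registration and grant objects; return a list of findings."""
    findings = []
    for uri in dcr.get("allowed_uris", []):
        try:
            check_allowed_uri(uri)
        except ValueError as err:
            findings.append(str(err))
    for key in ("access_token_lifetime", "session_duration"):
        if key in grant:
            try:
                parse_duration(grant[key])
            except ValueError as err:
                findings.append(f"grant.{key}: {err}")
    for flag, host in (("allow_any_on_localhost", "localhost"), ("allow_any_on_loopback", "127.0.0.1")):
        if dcr.get(flag):
            # Any process that can listen on that host can receive an authorization code.
            findings.append(f"warning: {flag} is true, so any listener on {host} can receive authorization codes")
    return findings


def match_redirect_uri(redirect_uri: str, dcr: dict) -> bool:
    """ASSUMPTION: a model of the allowlist semantics the reference describes, not Access's code."""
    if not dcr.get("enabled"):
        return False
    parts = urlsplit(redirect_uri)
    if parts.fragment:
        return False
    host = parts.hostname or ""
    if dcr.get("allow_any_on_localhost") and host == "localhost":
        return True
    if dcr.get("allow_any_on_loopback") and host == "127.0.0.1":  # the reference names only 127.0.0.1
        return True
    if parts.scheme != "https":
        return False
    for allowed in dcr.get("allowed_uris", []):
        if allowed.endswith("/*"):
            stem = allowed[:-2]  # "/*" covers the path itself and every sub-path
            if redirect_uri == stem or redirect_uri.startswith(stem + "/"):
                return True
        elif redirect_uri == allowed:
            return True
    return False


# Constructed sample settings for the example (not taken from the page).
SAMPLE_DCR = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": ["https://app.example.com/oauth/callback", "https://ide.example.com/cb/*"],
}
SAMPLE_GRANT = {"access_token_lifetime": "15m", "session_duration": "2h45m"}

if __name__ == "__main__":
    for finding in check_dcr_settings(SAMPLE_DCR, SAMPLE_GRANT):
        print(finding)
    for uri in ("https://ide.example.com/cb/deep", "https://ide.example.com/cbx", "http://localhost:8080/cb"):
        print(uri, match_redirect_uri(uri, SAMPLE_DCR))
```

Run the linter against the `dynamic_client_registration` and `grant` objects of a payload before issuing the create request; a finding about `allow_any_on_localhost` is expected whenever that flag is on and is there to make the widened allowlist visible, not to reject the configuration.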
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `AppLauncherApplication { type, id, allowed_idps, 15 more }`
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `bg_color: optional string` The background color of the App Launcher page.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `footer_links: optional array of { name, url }` The links in the App Launcher footer.
    - `name: string` The hypertext in the footer link.
    - `url: string` The hyperlink in the footer link.
  - `header_bg_color: optional string` The background color of the App Launcher header.
  - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in.
    - `button_color: optional string` The background color of the login button on the landing page.
    - `button_text_color: optional string` The color of the text in the login button on the landing page.
    - `image_url: optional string` The URL of the image shown on the landing page.
    - `message: optional string` The message shown on the landing page.
    - `title: optional string` The title shown on the landing page.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page.
- `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
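The `policies` objects above (repeated for each application type) define a match in three parts: at least one `include` rule must hold (OR), no `exclude` rule may hold (NOT), and every `require` rule must hold (AND), with `precedence` fixing the order in which policies are tried and `decision` giving the outcome. The Python below is an added example, not Cloudflare's policy engine, that runs exactly that logic over constructed policies and subjects so the interaction of the three lists can be checked before a policy is pushed through the API. Assumptions, also marked in the code: policies are tried in ascending `precedence` and the first match decides; no match is a deny; and the inner field names of each rule (`email.email`, `email_domain.domain`, `group.id`, `ip.ip`, `geo.country_code`, `auth_method.auth_method`, `service_token.token_id`) follow the public Access API rather than anything shown on this page. Rule types the model does not implement raise instead of silently matching, so an unexpected rule fails closed.

```python
"""Added example (not Cloudflare's engine): evaluate Access policies as the
include / exclude / require fields describe them.

  include -> OR : at least one rule must match (an empty list matches nobody)
  exclude -> NOT: no rule may match
  require -> AND: every rule must match (an empty list is satisfied)

ASSUMPTIONS not stated in the reference: first match in ascending `precedence`
decides, no match means deny, and the inner rule field names follow the public
Access API.
"""
from ipaddress import ip_address, ip_network


def rule_matches(rule: dict, subject: dict) -> bool:
    """Match one AccessRule (a single-key object) against the authenticated subject."""
    (kind, spec), = rule.items()
    email = subject.get("email", "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == spec["email"].lower()
    if kind == "email_domain":
        return email.rpartition("@")[2] == spec["domain"].lower()
    if kind == "group":
        return spec["id"] in subject.get("groups", ())
    if kind == "geo":
        return subject.get("country") == spec["country_code"]
    if kind == "ip":
        return "ip" in subject and ip_address(subject["ip"]) in ip_network(spec["ip"], strict=False)
    if kind == "auth_method":
        # ASSUMPTION: the subject carries the AMR values of its login, e.g. {"pwd", "mfa"}.
        return spec["auth_method"] in subject.get("amr", ())
    if kind == "any_valid_service_token":
        return bool(subject.get("service_token_id"))
    if kind == "service_token":
        return subject.get("service_token_id") == spec["token_id"]
    # Fail closed: refuse to evaluate a rule type this model does not understand.
    raise ValueError(f"unsupported rule type {kind!r}")


def policy_matches(policy: dict, subject: dict) -> bool:
    """Apply the OR / NOT / AND semantics of include, exclude and require."""
    if not any(rule_matches(r, subject) for r in policy.get("include", [])):
        return False
    if any(rule_matches(r, subject) for r in policy.get("exclude", [])):
        return False
    return all(rule_matches(r, subject) for r in policy.get("require", []))


def evaluate(policies: list, subject: dict) -> tuple:
    """Return (decision, policy name) of the first matching policy by precedence, else ('deny', None)."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, subject):
            return policy["decision"], policy.get("name")
    return "deny", None  # ASSUMPTION: default deny when nothing matches


# Constructed sample policies for the example (not taken from the page).
SAMPLE_POLICIES = [
    {
        "name": "CI automation",
        "precedence": 1,
        "decision": "non_identity",
        "include": [{"any_valid_service_token": {}}],
    },
    {
        "name": "Staff with MFA from the office",
        "precedence": 2,
        "decision": "allow",
        "include": [{"email_domain": {"domain": "example.com"}}],
        "exclude": [{"email": {"email": "contractor@example.com"}}],
        "require": [
            {"auth_method": {"auth_method": "mfa"}},
            {"ip": {"ip": "203.0.113.0/24"}},
        ],
    },
]

if __name__ == "__main__":
    for subject in (
        {"email": "Alice@example.com", "amr": {"pwd", "mfa"}, "ip": "203.0.113.7"},
        {"email": "bob@example.com", "amr": {"pwd"}, "ip": "203.0.113.7"},
        {"email": "contractor@example.com", "amr": {"mfa"}, "ip": "203.0.113.7"},
        {"service_token_id": "tok_123"},
    ):
        print(subject.get("email", "<service token>"), "->", evaluate(SAMPLE_POLICIES, subject))
```

The constructed second policy shows why the three lists are worth testing together: the `include` domain rule admits every `example.com` address, the `exclude` entry removes one of them regardless of how it authenticated, and the two `require` rules both have to hold, so a staff member with MFA from outside `203.0.113.0/24` is denied even though nothing excludes them.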
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. 
This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com - `name: optional string` The name of the application. 
- `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. 
A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. 
Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `BookmarkApplication { id, app_launcher_visible, aud, 6 more }` - `id: optional string` UUID. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `domain: optional string` The URL or domain of the bookmark. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. 
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`
- `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `type: optional ApplicationType` The application type.
  - `InfrastructureApplication { target_criteria, type, id, 3 more }`
    - `target_criteria: array of { port, protocol, target_attributes }`
      - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
      - `protocol: "SSH"` The communication protocol your application secures.
        - `"SSH"`
      - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `aud: optional string` Audience tag.
    - `name: optional string` The name of the application.
    - `policies: optional array of { id, connection_rules, created_at, 6 more }`
      - `id: optional string` The UUID of the policy.
      - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
        - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
          - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
          - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `name: optional string` The name of the Access policy.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `updated_at: optional string`
  - `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
    - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
    - `target_criteria: array of { port, protocol, target_attributes }`
      - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
      - `protocol: "RDP"` The communication protocol your application secures.
        - `"RDP"`
      - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
    - `type: ApplicationType` The application type.
    - `id: optional string` UUID.
    - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
    - `allow_iframe: optional boolean` Enables loading application content in an iframe.
    - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
    - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
    - `aud: optional string` Audience tag.
    - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
    - `cors_headers: optional CORSHeaders`
    - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
    - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
    - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
    - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
    - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
      - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
        - `type: optional "public"`
          - `"public"`
        - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
      - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
        - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
        - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
        - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
          - `"tcp"`
          - `"udp"`
        - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
        - `type: optional "private"`
          - `"private"`
        - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
      - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server if it is accessed through an MCP portal.
        - `mcp_server_id: optional string` The MCP server ID configured in ai-controls.
        - `type: optional "via_mcp_server_portal"`
          - `"via_mcp_server_portal"`
    - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
    - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
    - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the application.
    - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
      - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
        - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
        - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
        - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
        - `enabled: optional boolean` Whether dynamic client registration is enabled.
      - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
      - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
        - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
        - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
    - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
    - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
    - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
      - `id: optional string` The UUID of the policy.
      - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
        - `approvals_needed: number` The number of approvals needed to obtain access.
        - `email_addresses: optional array of string` A list of emails that can approve the access request.
        - `email_list_uuid: optional string` The UUID of a reusable email list.
      - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
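The `dynamic_client_registration` settings above (`allowed_uris`, `allow_any_on_localhost`, `allow_any_on_loopback`, `enabled`) are a redirect-URI allow-list, and that list is what stops an attacker-registered OAuth client from receiving another user's authorization code. The following Python is an added example written for this page, not Cloudflare's implementation: it shows how a validator has to behave to honour those four fields (https only, host compared after parsing, `/*` only as a trailing path suffix, localhost and loopback as separate opt-ins). The configuration dict, the `register_client` entry point and the assumption that the localhost and loopback allowances accept any scheme and port are this example's own; the page says only that such clients are allowed.

```python
from urllib.parse import urlsplit

# Hypothetical dynamic_client_registration settings using the field names from
# this page. Constructed for the example; not an account's real configuration.
DCR_CONFIG = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": [
        "https://app.example.com/oauth/callback",  # exact match only
        "https://ide.example.com/cb/*",            # "/*" matches all sub-paths
    ],
}


def _validate_allowed_uris(allowed_uris):
    """Reject a configuration whose allowed_uris are not https URLs, as the field requires."""
    for pattern in allowed_uris:
        parts = urlsplit(pattern)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"allowed_uris entry must be an https URL: {pattern}")
        parts.port  # a malformed port raises ValueError here, before any matching


def _matches_allowed_uri(pattern, candidate):
    """Compare parsed components, never raw strings: the host must be identical
    (no wildcards) and "/*" is honoured only as a trailing path suffix."""
    p, c = urlsplit(pattern), urlsplit(candidate)
    if c.scheme != "https":
        return False
    if (p.hostname, p.port) != (c.hostname, c.port):
        return False
    if p.path.endswith("/*"):
        prefix = p.path[:-1]              # "/cb/*" -> "/cb/", so "/cbx" does not match
        return c.path.startswith(prefix)
    return c.path == p.path and c.query == p.query


def redirect_uri_allowed(uri, config):
    """Apply allowed_uris first, then the localhost and 127.0.0.1 allowances.
    The allowances are assumed to accept any scheme and port, as loopback
    redirects for native apps do; the page only says such clients are allowed."""
    try:
        parts = urlsplit(uri)
        parts.port                        # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.fragment:                    # RFC 6749 forbids fragments in redirect URIs
        return False
    if any(_matches_allowed_uri(p, uri) for p in config.get("allowed_uris", [])):
        return True
    host = parts.hostname                 # parsed host: "localhost.evil.example" is not "localhost"
    if config.get("allow_any_on_localhost") and host == "localhost":
        return True
    if config.get("allow_any_on_loopback") and host == "127.0.0.1":
        return True
    return False


def register_client(config, redirect_uris):
    """Decide a hypothetical registration request: every redirect_uri must be allowed.
    Returns (accepted, rejected_uris)."""
    if not config.get("enabled"):
        return False, list(redirect_uris)
    _validate_allowed_uris(config.get("allowed_uris", []))
    rejected = [u for u in redirect_uris if not redirect_uri_allowed(u, config)]
    return (bool(redirect_uris) and not rejected), rejected


if __name__ == "__main__":
    print(register_client(DCR_CONFIG, ["https://ide.example.com/cb/vscode", "http://localhost:51234/cb"]))
    print(register_client(DCR_CONFIG, ["https://app.example.com/oauth/callback", "http://localhost.evil.example/cb"]))
```

Two details carry the security weight. The host is taken from `urlsplit(...).hostname`, so `https://app.example.com.evil.net/...`, `https://app.example.com@evil.net/...` and `http://localhost.evil.example/...` all fail, where a substring or prefix test on the raw URL would pass them. And `/*` keeps the trailing slash in the prefix, so `https://ide.example.com/cb/*` does not cover `/cbx`. The page's loopback allowance names 127.0.0.1 only, so this example does not treat `::1` as loopback.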
      - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
        - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
          - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
            - `"text"`
          - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
            - `"text"`
      - `created_at: optional string`
      - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
      - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
      - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
        - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
          - `"totp"`
          - `"biometrics"`
          - `"security_key"`
        - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
        - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
      - `name: optional string` The name of the Access policy.
      - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
      - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
      - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
      - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
        - `GroupRule { group }` Matches an Access group.
        - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
        - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
        - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
        - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
        - `CertificateRule { certificate }` Matches any valid client certificate.
        - `AccessCommonNameRule { common_name }` Matches a specific common name.
        - `CountryRule { geo }` Matches a specific country.
        - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
        - `DomainRule { email_domain }` Matches an entire email domain.
        - `EmailListRule { email_list }` Matches an email address from a list.
        - `EmailRule { email }` Matches a specific email.
        - `EveryoneRule { everyone }` Matches everyone.
        - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
        - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
        - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
        - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
        - `IPListRule { ip_list }` Matches an IP address from a list.
        - `IPRule { ip }` Matches an IP address block.
        - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
        - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
        - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
        - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
        - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
        - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
      - `updated_at: optional string`
    - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: `{ "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }`
    - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
    - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
      - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
      - `remote_uri: string` The base URI for the application's SCIM-compatible API.
      - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme to use when making SCIM requests to this application.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
        - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
          - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
          - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
          - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
            - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
            - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
            - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
              - `"access_service_token"`
      - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
      - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
      - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
        - `schema: string` Which SCIM resource type this mapping applies to.
        - `enabled: optional boolean` Whether or not this mapping is enabled.
        - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
        - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
        - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
        - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
    - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
    - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
    - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
    - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
    - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway.
The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. 
Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. 
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. 
- `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. 
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. 
- `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. 
- `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. 
- `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme (or list of schemes) Access uses when making SCIM requests to this application; one of the following. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. 
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. 
- `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
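The request body above states a number of constraints that the API only reports after the fact (the `300ms`/`2h45m` duration grammar, `options_preflight_bypass` being incompatible with `cors_headers`, `auto_redirect_to_identity` needing exactly one IdP, unique policy `precedence`, `linked_app_token` rules only with `non_identity` or `bypass` decisions, infrastructure policies only using `allow`, MFA `session_duration` capped at 720h, `https`-only dynamic-client redirect URIs). The following Python pre-flight is an added example, not Cloudflare's code and not part of this reference: it checks a candidate body against those stated constraints before the update request is sent, and separately warns about settings a reviewer would question (`mfa_disabled`, an `allow` policy that includes `everyone` with no `require` rules, dynamic client registration that accepts any localhost or loopback redirect URI). The sample body, its placeholder IDs and the `auth_method` value `mfa` are constructed for the example.

```python
"""Pre-flight checks for an Access Application Update request body.

Added example (not Cloudflare's code). It encodes constraints the
request-body reference states and flags settings worth a second look.
"""
import re

# Duration grammar from the reference: "300ms", "2h45m"; units ns, us/µs, ms, s, m, h.
_DURATION = re.compile(r"^(\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+$")
# MFA session_duration: whole minutes or hours, minimum 0m, maximum 720h.
_MFA_DURATION = re.compile(r"^(\d+)(m|h)$")
# Top-level key of every AccessRule variant listed in the reference.
RULE_KEYS = {
    "group", "any_valid_service_token", "auth_context", "auth_method", "azureAD",
    "certificate", "common_name", "geo", "device_posture", "email_domain", "email_list",
    "email", "everyone", "external_evaluation", "github-organization", "gsuite",
    "login_method", "ip_list", "ip", "okta", "saml", "oidc", "service_token",
    "linked_app_token", "user_risk_score",
}


def _rule_keys(rules):
    """Set of rule-type keys used across a list of AccessRule objects."""
    return {key for rule in rules or [] for key in rule}


def validate_app_update(body):
    """Return (errors, warnings) for an Application Update request body."""
    errors, warnings = [], []
    app_type = body.get("type")
    if body.get("options_preflight_bypass") and body.get("cors_headers"):
        errors.append("options_preflight_bypass cannot be on when cors_headers is set")
    if body.get("auto_redirect_to_identity") and len(body.get("allowed_idps") or []) != 1:
        errors.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")
    if "session_duration" in body:
        if app_type == "infrastructure":
            errors.append("session_duration is unsupported for infrastructure applications")
        elif not _DURATION.match(body["session_duration"]):
            errors.append(f"session_duration {body['session_duration']!r} is not a valid duration")
    dcr = (body.get("oauth_configuration") or {}).get("dynamic_client_registration") or {}
    for uri in dcr.get("allowed_uris") or []:
        if not uri.startswith("https://"):
            errors.append(f"dynamic client redirect URI must use https: {uri}")
    if dcr.get("enabled") and (dcr.get("allow_any_on_localhost") or dcr.get("allow_any_on_loopback")):
        warnings.append("dynamic client registration accepts any localhost/loopback redirect URI")
    seen_precedence = set()
    for policy in body.get("policies") or []:
        name = policy.get("name") or policy.get("id") or "<unnamed>"
        decision, precedence = policy.get("decision"), policy.get("precedence")
        if precedence is not None:
            if precedence in seen_precedence:
                errors.append(f"policy {name}: precedence {precedence} is already used by another policy")
            seen_precedence.add(precedence)
        if app_type == "infrastructure" and decision not in (None, "allow"):
            errors.append(f"policy {name}: infrastructure policies can only use the allow decision")
        include = _rule_keys(policy.get("include"))
        used = include | _rule_keys(policy.get("exclude")) | _rule_keys(policy.get("require"))
        if used - RULE_KEYS:
            errors.append(f"policy {name}: unknown rule type(s) {sorted(used - RULE_KEYS)}")
        if "linked_app_token" in used and decision not in ("non_identity", "bypass"):
            errors.append(f"policy {name}: linked_app_token is only compatible with non_identity or bypass")
        if decision == "allow" and "everyone" in include and not policy.get("require"):
            warnings.append(f"policy {name}: allows everyone with no require rules")
        mfa = policy.get("mfa_config") or {}
        if mfa.get("mfa_disabled"):
            warnings.append(f"policy {name}: MFA is disabled")
        duration = mfa.get("session_duration")
        if duration is not None:
            match = _MFA_DURATION.match(duration)
            hours = None if not match else int(match.group(1)) / (60 if match.group(2) == "m" else 1)
            if hours is None or hours > 720:
                errors.append(f"policy {name}: mfa session_duration {duration!r} must be Nm or Nh, at most 720h")
    return errors, warnings


# Constructed sample body with placeholder IDs; it trips several of the checks on purpose.
SAMPLE_BODY = {
    "type": "self_hosted", "session_duration": "24h",
    "auto_redirect_to_identity": True, "allowed_idps": ["<idp-uuid>"],
    "oauth_configuration": {"enabled": True, "dynamic_client_registration": {
        "enabled": True, "allow_any_on_localhost": True,
        "allowed_uris": ["https://agent.example.com/callback/*", "http://agent.example.com/cb"]}},
    "policies": [
        {"name": "Staff with MFA", "decision": "allow", "precedence": 1,
         "include": [{"email_domain": {"domain": "example.com"}}],
         "require": [{"auth_method": {"auth_method": "mfa"}}],
         "exclude": [{"geo": {"country_code": "KP"}}], "mfa_config": {"session_duration": "12h"}},
        {"name": "Agent tokens", "decision": "allow", "precedence": 1,
         "include": [{"linked_app_token": {"app_uid": "<oidc-saas-app-uuid>"}}]},
        {"name": "Anyone", "decision": "allow", "precedence": 3, "include": [{"everyone": {}}],
         "mfa_config": {"mfa_disabled": True, "session_duration": "800h"}},
    ],
}

if __name__ == "__main__":
    errs, warns = validate_app_update(SAMPLE_BODY)
    for line in [f"ERROR: {e}" for e in errs] + [f"WARN: {w}" for w in warns]:
        print(line)
```

Errors are hard failures the API would reject or silently mishandle; warnings are policy-review findings, so a CI job can fail on the former and annotate the latter. The rule-key set is derived from the variants enumerated in this reference and needs updating if new rule types are added.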
### Application Update Response - `ApplicationUpdateResponse = { domain, type, id, 30 more } or { id, allowed_idps, app_launcher_visible, 10 more } or { domain, type, id, 30 more } or 10 more` - `SelfHostedApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: ApplicationType` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `allow_all_headers: optional boolean` Allows all HTTP request headers. - `allow_all_methods: optional boolean` Allows all HTTP request methods. - `allow_all_origins: optional boolean` Allows all origins. - `allow_credentials: optional boolean` When set to `true`, includes credentials (cookies, authorization headers, or TLS client certificates) with requests. 
- `allowed_headers: optional array of AllowedHeaders` Allowed HTTP request headers. - `allowed_methods: optional array of AllowedMethods` Allowed HTTP request methods. - `"GET"` - `"POST"` - `"HEAD"` - `"PUT"` - `"DELETE"` - `"CONNECT"` - `"OPTIONS"` - `"TRACE"` - `"PATCH"` - `allowed_origins: optional array of AllowedOrigins` Allowed origins. - `max_age: optional number` The maximum number of seconds the results of a preflight request can be cached. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. 
- `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server ID configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server ID configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the application. 
- `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. 
- `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. 
- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method, given as an authentication method reference value from [RFC 8176, section 2](https://datatracker.ietf.org/doc/html/rfc8176#section-2). - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. 
- `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. 
- `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. 
- `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed in a single HTTP header with this name. 
  This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to:

  ```json
  { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
  ```

- `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
  - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `password: string` Password used to authenticate with the remote SCIM service.
      - `scheme: "httpbasic"` The authentication scheme to use when making SCIM requests to this application.
        - `"httpbasic"`
      - `user: string` User name used to authenticate with the remote SCIM service.
    - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `token: string` Token used to authenticate with the remote SCIM service.
      - `scheme: "oauthbearertoken"` The authentication scheme to use when making SCIM requests to this application.
- `"oauthbearertoken"`
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
  - `authorization_url: string` URL used to generate the auth code used during token generation.
  - `client_id: string` Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
  - `client_secret: string` Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
  - `scheme: "oauth2"` The authentication scheme to use when making SCIM requests to this application.
    - `"oauth2"`
  - `token_url: string` URL used to generate the token used to authenticate with the remote SCIM service.
  - `scopes: optional array of string` The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.
- `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
  - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
  - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
  - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
    - `"access_service_token"`
- `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
  - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
  - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
  - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
  - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
    - `"access_service_token"`
- `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
- `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
  - `schema: string` Which SCIM resource type this mapping applies to.
  - `enabled: optional boolean` Whether or not this mapping is enabled.
  - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
  - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
    - `create: optional boolean` Whether or not this mapping applies to create (POST) operations.
- `delete: optional boolean` Whether or not this mapping applies to DELETE operations.
- `update: optional boolean` Whether or not this mapping applies to update (PATCH/PUT) operations.
- `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
  - `"strict"`
  - `"passthrough"`
- `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025**. If `destinations` are provided, then `self_hosted_domains` will be ignored.
- `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
- `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
- `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `SaaSApplication { id, allowed_idps, app_launcher_visible, 10 more }`
  - `id: optional string` UUID.
- `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
- `aud: optional string` Audience tag.
- `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
- `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
- `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
- `name: optional string` The name of the application.
- `policies: optional array of { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
- `"text"`
- `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
  - `"text"`
- `created_at: optional string`
- `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization.
    Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `name: optional string` The name of the Access policy.
- `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group.
    Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `updated_at: optional string`
- `saas_app: optional SAMLSaaSApp or OIDCSaaSApp`
  - `SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more }`
    - `auth_type: optional "saml" or "oidc"` Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
      - `"saml"`
      - `"oidc"`
    - `consumer_service_url: optional string` The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
    - `custom_attributes: optional array of { friendly_name, name, name_format, 2 more }`
      - `friendly_name: optional string` The SAML FriendlyName of the attribute.
      - `name: optional string` The name of the attribute.
      - `name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"` A globally unique name for an identity or service provider.
        - `"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"`
        - `"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"`
        - `"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"`
      - `required: optional boolean` If the attribute is required when building a SAML assertion.
- `source: optional { name, name_by_idp }`
  - `name: optional string` The name of the IdP attribute.
  - `name_by_idp: optional array of { idp_id, source_name }` A mapping from IdP ID to attribute name.
    - `idp_id: optional string` The UID of the IdP.
    - `source_name: optional string` The name of the IdP provided attribute.
- `default_relay_state: optional string` The URL that the user will be redirected to after a successful login for IdP-initiated logins.
- `idp_entity_id: optional string` The unique identifier for your SaaS application.
- `name_id_format: optional SaaSAppNameIDFormat` The format of the name identifier sent to the SaaS application.
  - `"id"`
  - `"email"`
- `name_id_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the `name_id_format` setting.
- `public_key: optional string` The Access public certificate that will be used to verify your identity.
- `saml_attribute_transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
- `sp_entity_id: optional string` A globally unique name for an identity or service provider.
- `sso_endpoint: optional string` The endpoint where your SaaS application will send login requests.
- `OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }`
  - `access_token_lifetime: optional string` The lifetime of the OIDC Access Token after creation. Valid units are m, h.
    Must be greater than or equal to 1m and less than or equal to 24h.
  - `allow_pkce_without_client_secret: optional boolean` If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
  - `app_launcher_url: optional string` The URL where this application's tile redirects users.
  - `auth_type: optional "saml" or "oidc"` Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
    - `"saml"`
    - `"oidc"`
  - `client_id: optional string` The application client ID.
  - `client_secret: optional string` The application client secret, only returned on POST request.
  - `custom_claims: optional array of { name, required, scope, source }`
    - `name: optional string` The name of the claim.
    - `required: optional boolean` If the claim is required when building an OIDC token.
    - `scope: optional "groups" or "profile" or "email" or "openid"` The scope of the claim.
      - `"groups"`
      - `"profile"`
      - `"email"`
      - `"openid"`
    - `source: optional { name, name_by_idp }`
      - `name: optional string` The name of the IdP claim.
      - `name_by_idp: optional map[string]` A mapping from IdP ID to claim name.
- `grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more` The OIDC flows supported by this application.
  - `"authorization_code"`
  - `"authorization_code_with_pkce"`
  - `"refresh_tokens"`
  - `"hybrid"`
  - `"implicit"`
- `group_filter_regex: optional string` A regex to filter Cloudflare groups returned in the ID token and userinfo endpoint.
- `hybrid_and_implicit_options: optional { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }`
  - `return_access_token_from_authorization_endpoint: optional boolean` If an Access Token should be returned from the OIDC Authorization endpoint.
  - `return_id_token_from_authorization_endpoint: optional boolean` If an ID Token should be returned from the OIDC Authorization endpoint.
- `public_key: optional string` The Access public certificate that will be used to verify your identity.
- `redirect_uris: optional array of string` The permitted URLs for Cloudflare to return Authorization codes and Access/ID tokens.
- `refresh_token_options: optional { lifetime }`
  - `lifetime: optional string` How long a refresh token will be valid for after creation. Valid units are m, h, d. Must be longer than 1m.
- `scopes: optional array of "openid" or "groups" or "email" or "profile"` Define the user information shared with Access; the "offline_access" scope will be automatically enabled if refresh tokens are enabled.
  - `"openid"`
  - `"groups"`
  - `"email"`
  - `"profile"`
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
- `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
  - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
  - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
  - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
  - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
    - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
    - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
    - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
      - `"access_service_token"`
  - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
    - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
- `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
- `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
  - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
  - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
  - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
    - `"access_service_token"`
- `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
- `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
  - `schema: string` Which SCIM resource type this mapping applies to.
  - `enabled: optional boolean` Whether or not this mapping is enabled.
  - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
  - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
  - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
- `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
- `type: optional ApplicationType` The application type.
- `BrowserSSHApplication { domain, type, id, 30 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type.
    - `"self_hosted"`
    - `"saas"`
    - `"ssh"`
    - `"vnc"`
    - `"app_launcher"`
    - `"warp"`
    - `"biso"`
    - `"bookmark"`
    - `"dash_sso"`
    - `"infrastructure"`
    - `"rdp"`
    - `"mcp"`
    - `"mcp_portal"`
    - `"proxy_endpoint"`
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
- `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
    - `type: optional "public"`
      - `"public"`
    - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
  - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
    - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
    - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
    - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
      - `"tcp"`
      - `"udp"`
    - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
    - `type: optional "private"`
      - `"private"`
    - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
- `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
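The three `destinations` shapes above are only described in prose, which makes it easy to misjudge what a given entry actually covers. The following is an added example, not code from the Cloudflare API reference or its SDKs: a matcher that applies those rules (public URI wildcards, private CIDR/hostname/protocol/port/VNET matching with the documented "omitted means any" defaults, and `via_mcp_server_portal`) to a simplified request model. The `Request` type and the sample `DESTINATIONS` array are constructed for this example; Access's real edge matching is not code the page exposes.

```python
"""Added example (not Cloudflare's code): apply `destinations` semantics to a request."""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    """Hypothetical view of one connection as Access would see it (constructed for this example)."""
    host: Optional[str] = None            # HTTP Host header or TLS SNI
    path: str = "/"
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    l4: Optional[str] = None              # "tcp" or "udp"
    vnet_id: Optional[str] = None
    mcp_server_id: Optional[str] = None   # set when the request arrives through an MCP portal


def _port_in_range(port: int, port_range: str) -> bool:
    lo, _, hi = port_range.partition("-")          # "22" or "5000-5100"
    return int(lo) <= port <= int(hi or lo)


def _match_public(dest: dict, req: Request) -> bool:
    if not req.host:
        return False
    host_pat, _, path_pat = dest.get("uri", "").partition("/")
    # '*' is treated as a glob here; the exact wildcard rules are at the app-paths link above.
    if not fnmatchcase(req.host.lower(), host_pat.lower()):
        return False
    return not path_pat or fnmatchcase(req.path, "/" + path_pat)   # no path: whole hostname


def _match_private(dest: dict, req: Request) -> bool:
    if "cidr" not in dest and "hostname" not in dest:
        return False                                                # nothing to match on
    if "cidr" in dest:
        if req.dst_ip is None:
            return False
        net = ipaddress.ip_network(dest["cidr"], strict=False)      # bare IP becomes /32 (or /128)
        if ipaddress.ip_address(req.dst_ip) not in net:
            return False
    if "hostname" in dest and (req.host or "").lower() != dest["hostname"].lower():
        return False
    if dest.get("l4_protocol") not in (None, req.l4):               # omitted: both tcp and udp
        return False
    if "port_range" in dest and (req.dst_port is None or not _port_in_range(req.dst_port, dest["port_range"])):
        return False                                                # omitted: all ports
    if "vnet_id" in dest and req.vnet_id != dest["vnet_id"]:        # omitted: all VNETs
        return False
    return True


def _match_mcp(dest: dict, req: Request) -> bool:
    return req.mcp_server_id is not None and req.mcp_server_id == dest.get("mcp_server_id")


_MATCHERS: Dict[str, Callable[[dict, Request], bool]] = {
    "public": _match_public,
    "private": _match_private,
    "via_mcp_server_portal": _match_mcp,
}


def secured_by(destinations: List[dict], req: Request) -> Optional[int]:
    """Index of the first destination covering `req`, or None if Access would not protect it."""
    for i, dest in enumerate(destinations):
        if _MATCHERS[dest["type"]](dest, req):
            return i
    return None


# Constructed `destinations` array in the shape the API accepts.
DESTINATIONS = [
    {"type": "public", "uri": "app.example.com/admin/*"},
    {"type": "private", "cidr": "10.1.2.3", "port_range": "22"},                      # single IP => /32
    {"type": "private", "cidr": "10.20.0.0/16", "l4_protocol": "udp", "port_range": "5000-5100"},
    {"type": "private", "hostname": "db.internal.example"},                           # any port, any protocol
    {"type": "via_mcp_server_portal", "mcp_server_id": "my-mcp-server"},
]
```

The point to take from the matcher is the asymmetry of the defaults: a private destination with only a `cidr` matches every port and both protocols, so an entry meant for SSH on one host should carry `port_range` and `l4_protocol` explicitly, while a public entry without a path secures the entire hostname.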
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access.
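Two of the settings above are where an OAuth-fronted Access application is most easily weakened: the redirect URIs that dynamically registered clients may use, and the lifetimes, which use two different grammars on this page (Go-style `300ms` / `2h45m` for the `grant` fields and plain application `session_duration`; minutes or hours only, `0m` to `720h`, for `mfa_config.session_duration`). The block below is an added example, not code from the Cloudflare API reference or its SDKs. `redirect_uri_allowed` applies the `dynamic_client_registration` rules as the text states them; treating `localhost` and `127.0.0.1` as "any scheme, port and path" is an assumption, since the API text only says "any client". `parse_duration` follows the `300ms` / `2h45m` grammar (the same one Go's `time.ParseDuration` accepts, unsigned) and `check_mfa_session_duration` the narrower MFA form. The `DCR` block is constructed sample configuration.

```python
"""Added example (not Cloudflare's code): redirect URI and duration checks for oauth_configuration."""
import re
from typing import Optional
from urllib.parse import urlsplit


def redirect_uri_allowed(dcr: dict, uri: str) -> bool:
    """Decide whether a dynamically registering client may use `uri` as a redirect URI."""
    if not dcr.get("enabled"):
        return False
    p = urlsplit(uri)
    host = (p.hostname or "").lower()
    if host == "localhost":
        return bool(dcr.get("allow_any_on_localhost"))   # assumption: any scheme/port/path
    if host == "127.0.0.1":
        return bool(dcr.get("allow_any_on_loopback"))    # assumption: any scheme/port/path
    if p.scheme != "https" or p.fragment:                # https only; RFC 6749 forbids fragments
        return False
    for allowed in dcr.get("allowed_uris", []):
        a = urlsplit(allowed)
        if a.scheme != "https" or (a.hostname or "").lower() != host or a.port != p.port:
            continue
        if a.path.endswith("/*"):
            # "/cb/*" covers "/cb/anything" but not "/cb" itself or "/cbx".
            if p.path.startswith(a.path[:-1]):
                return True
        elif a.path == p.path:
            # Deliberately no path normalisation: "/cb/../x" is not "/cb" (exact-match semantics).
            return True
    return False


_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "μs": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_DURATION_PART = re.compile(r"(\d+(?:\.\d*)?)(ns|us|µs|μs|ms|s|m|h)")


def parse_duration(text: str) -> Optional[float]:
    """Seconds for a `300ms` / `2h45m` style value, or None if the string is malformed."""
    pos, total = 0, 0.0
    while pos < len(text):
        m = _DURATION_PART.match(text, pos)
        if not m:
            return None
        total += float(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    return total if pos > 0 else None


_MFA_RE = re.compile(r"(\d+)([mh])")
MFA_MAX_MINUTES = 720 * 60   # 720h, the documented maximum (30 days)


def check_mfa_session_duration(text: str) -> Optional[int]:
    """Minutes for a valid mfa_config.session_duration (`5m`, `24h`), or None if invalid."""
    m = _MFA_RE.fullmatch(text)
    if not m:
        return None
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return minutes if minutes <= MFA_MAX_MINUTES else None


# Constructed dynamic_client_registration block for the checks above.
DCR = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": [
        "https://client.example.com/oauth/callback",
        "https://ide.example.com/cb/*",
    ],
}
```

The redirect check matches the whole URI component by component rather than with a prefix test on the string, which is what stops `https://client.example.com.attacker.net/...` and an extra port from passing; the `/*` suffix is the only place sub-path matching is allowed, as the field description says.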
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method used to log in, which lets a policy enforce a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Evaluates the user against custom criteria so that Allow or Block policies can use the result. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Matches the authentication method used to log in, which lets a policy enforce a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Evaluates the user against custom criteria so that Allow or Block policies can use the result. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method used to log in, which lets a policy enforce a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Evaluates the user against custom criteria so that Allow or Block policies can use the result. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name.
This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie attribute, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme, or list of schemes, that Access uses when making SCIM requests to this application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
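The policy fields above define the evaluation model in three sentences (`include` is OR, `require` is AND, `exclude` is NOT, policies run in `precedence` order) and `read_service_tokens_from_header` adds a second way to present a service token. The block below is an added example, not code from the Cloudflare API reference or its SDKs: it extracts a service token from either the `CF-Access-Client-Id` / `CF-Access-Client-Secret` pair or the single JSON header, validates it in constant time against a constructed token store, and then evaluates a constructed policy set with exactly those semantics. The rule payload shapes (`{"email": {"email": ...}}`, `{"group": {"id": ...}}`, `{"geo": {"country_code": ...}}`, and so on) follow Cloudflare's public rule documentation and the default-deny outcome when no policy matches is Access's documented behaviour; both should be treated as assumptions of this example rather than something this page states, and the `APP` and `TOKEN_STORE` values are made up.

```python
"""Added example (not Cloudflare's code): service-token extraction plus include/require/exclude evaluation."""
import hmac
import ipaddress
import json
from typing import Optional, Tuple


def extract_service_token(headers: dict, single_header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (client_id, client_secret) from the header pair or the single JSON header, else None."""
    h = {k.lower(): v for k, v in headers.items()}          # header names are case-insensitive
    cid, sec = h.get("cf-access-client-id"), h.get("cf-access-client-secret")
    if cid and sec:
        return cid, sec
    if single_header and single_header.lower() in h:
        try:
            obj = json.loads(h[single_header.lower()])
        except ValueError:
            return None                                     # malformed JSON: treat as no token
        if isinstance(obj, dict):
            cid, sec = obj.get("cf-access-client-id"), obj.get("cf-access-client-secret")
            if isinstance(cid, str) and isinstance(sec, str):
                return cid, sec
    return None


def validate_service_token(tok: Optional[Tuple[str, str]], token_store: dict) -> Optional[str]:
    """Constant-time comparison against a constructed {client_id: secret} store; returns the id if valid."""
    if tok is None:
        return None
    cid, sec = tok
    expected = token_store.get(cid)
    if expected is not None and hmac.compare_digest(expected.encode(), sec.encode()):
        return cid
    return None


def rule_matches(rule: dict, ident: dict) -> bool:
    """One AccessRule against an identity dict; a subset of the rule types listed above."""
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return ident.get("email") == body["email"]
    if kind == "email_domain":
        return (ident.get("email") or "").rpartition("@")[2] == body["domain"]
    if kind == "group":
        return body["id"] in ident.get("groups", [])
    if kind == "geo":
        return ident.get("country") == body["country_code"]
    if kind == "ip":
        return ident.get("ip") is not None and \
            ipaddress.ip_address(ident["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "any_valid_service_token":
        return ident.get("service_token_id") is not None
    if kind == "service_token":
        return ident.get("service_token_id") == body["token_id"]
    raise ValueError(f"unsupported rule type in this example: {kind}")


def policy_matches(policy: dict, ident: dict) -> bool:
    include = any(rule_matches(r, ident) for r in policy.get("include", []))   # OR: at least one
    require = all(rule_matches(r, ident) for r in policy.get("require", []))   # AND: all of them
    exclude = any(rule_matches(r, ident) for r in policy.get("exclude", []))   # NOT: none of them
    return include and require and not exclude


def decide(app: dict, headers: dict, ident: dict, token_store: dict) -> str:
    """First matching policy in precedence order wins; no match is a deny (assumed default)."""
    tok = extract_service_token(headers, app.get("read_service_tokens_from_header"))
    ident = dict(ident, service_token_id=validate_service_token(tok, token_store))
    for policy in sorted(app["policies"], key=lambda p: p["precedence"]):
        if policy_matches(policy, ident):
            return policy["decision"]
    return "deny"


# Constructed data: a fake token store and an application with three policies.
TOKEN_STORE = {"ci-bot.access.example.com": "s3cr3t-constructed-not-real"}
APP = {
    "read_service_tokens_from_header": "X-Access-Token",
    "policies": [
        {"name": "contractors-only-from-US", "precedence": 1, "decision": "deny",
         "include": [{"email_domain": {"domain": "contractor.example"}}],
         "exclude": [{"geo": {"country_code": "US"}}]},
        {"name": "engineering", "precedence": 2, "decision": "allow",
         "include": [{"group": {"id": "eng-group"}}, {"email": {"email": "oncall@example.com"}}],
         "require": [{"ip": {"ip": "10.0.0.0/8"}}]},
        {"name": "ci", "precedence": 3, "decision": "non_identity",
         "include": [{"service_token": {"token_id": "ci-bot.access.example.com"}}]},
    ],
}
```

Two details are worth noticing when reading the evaluation: a policy with an empty `include` list can never match, because `any([])` is false, and a deny policy placed at a lower precedence number short-circuits the allow policies after it, which is how the contractor exclusion works here.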
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. 
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
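Several constraints in this schema are stated only in prose and are easy to get wrong when the body is generated by automation: `options_preflight_bypass` cannot be combined with `cors_headers`, `auto_redirect_to_identity` needs exactly one entry in `allowed_idps`, `precedence` must be unique per application, `self_hosted_domains` is ignored once `destinations` is set, infrastructure applications reject `session_duration` and non-Allow decisions, `linked_app_token` rules only work with `non_identity` or `bypass`, and `allowed_uris` must be `https`. The block below is an added example, not code from the Cloudflare API reference or its SDKs: a pre-submission validator that checks a request body against those statements before it is sent. The error/warning split, the messages, and the `BAD_APP` / `GOOD_APP` bodies are this example's own.

```python
"""Added example (not Cloudflare's code): check an Access application body against the documented cross-field rules."""
from typing import Dict, List


def validate_app(body: dict) -> Dict[str, List[str]]:
    """Return {"errors": [...], "warnings": [...]} for a create/update application body."""
    errors: List[str] = []
    warnings: List[str] = []
    policies = body.get("policies") or []

    if body.get("options_preflight_bypass") and body.get("cors_headers"):
        errors.append("options_preflight_bypass cannot be turned on when cors_headers is set")
    if body.get("auto_redirect_to_identity") and len(body.get("allowed_idps") or []) != 1:
        errors.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")
    if body.get("self_hosted_domains"):
        warnings.append("self_hosted_domains is ignored because destinations is set"
                        if body.get("destinations") else
                        "self_hosted_domains is deprecated; move the domains to destinations")
    if body.get("type") == "infrastructure":
        if "session_duration" in body:
            errors.append("session_duration is unsupported for infrastructure applications")
        for p in policies:
            if p.get("decision") != "allow":
                errors.append(f"policy {p.get('name')!r}: infrastructure policies can only use the allow action")

    seen_precedence = set()
    for p in policies:
        name, prec = p.get("name"), p.get("precedence")
        if prec is not None:
            if prec in seen_precedence:
                errors.append(f"policy {name!r}: precedence {prec} is not unique within the application")
            seen_precedence.add(prec)
        if not p.get("include"):
            errors.append(f"policy {name!r}: no include rules, so it can never match")
        rules = (p.get("include") or []) + (p.get("require") or []) + (p.get("exclude") or [])
        if any("linked_app_token" in r for r in rules) and p.get("decision") not in ("non_identity", "bypass"):
            errors.append(f"policy {name!r}: linked_app_token rules only work with non_identity or bypass decisions")

    if (body.get("mfa_config") or {}).get("mfa_disabled"):
        warnings.append("mfa_config.mfa_disabled is true: MFA is not enforced for this application")
    dcr = (body.get("oauth_configuration") or {}).get("dynamic_client_registration") or {}
    if dcr.get("enabled") and not (dcr.get("allowed_uris") or dcr.get("allow_any_on_localhost")
                                   or dcr.get("allow_any_on_loopback")):
        warnings.append("dynamic client registration is enabled but no redirect URI can ever be accepted")
    for uri in dcr.get("allowed_uris") or []:
        if not uri.startswith("https://"):
            errors.append(f"dynamic_client_registration.allowed_uris entry {uri!r} must use https")
    return {"errors": errors, "warnings": warnings}


# Constructed bodies: one with several mistakes, one that passes cleanly.
BAD_APP = {
    "name": "Internal admin", "type": "self_hosted",
    "destinations": [{"type": "public", "uri": "admin.example.com"}],
    "self_hosted_domains": ["admin.example.com"],
    "cors_headers": {"allowed_origins": ["https://admin.example.com"]},
    "options_preflight_bypass": True,
    "auto_redirect_to_identity": True,
    "allowed_idps": ["idp-1", "idp-2"],
    "mfa_config": {"mfa_disabled": True},
    "oauth_configuration": {"dynamic_client_registration": {
        "enabled": True, "allowed_uris": ["http://client.example.com/cb"]}},
    "policies": [
        {"name": "everyone", "precedence": 1, "decision": "allow", "include": [{"everyone": {}}]},
        {"name": "empty", "precedence": 1, "decision": "allow", "include": []},
    ],
}
GOOD_APP = {
    "name": "Internal admin", "type": "self_hosted",
    "destinations": [{"type": "public", "uri": "admin.example.com"}],
    "allowed_idps": ["idp-1"], "auto_redirect_to_identity": True,
    "policies": [
        {"name": "admins", "precedence": 1, "decision": "allow",
         "include": [{"group": {"id": "admins-group"}}],
         "require": [{"geo": {"country_code": "US"}}]},
    ],
}
```

Run `validate_app` on the body immediately before the `POST` or `PUT`; the API will reject some of these combinations itself, but the warnings (a silently ignored `self_hosted_domains`, MFA switched off) are ones it accepts without complaint.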
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `BrowserVNCApplication { domain, type, id, 30 more }` - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allow_iframe: optional boolean` Enables loading application content in an iFrame. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify exactly one identity provider in allowed_idps. - `cors_headers: optional CORSHeaders` - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
- `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. - `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. 
- `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server when it is accessed through an MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
- `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set. - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access.
- `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of a reusable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Matches the authentication method used to log in, which lets a policy enforce a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Evaluates the user against custom criteria so that Allow or Block policies can use the result. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
- `AuthenticationMethodRule { auth_method }` Matches the authentication method used to log in, which lets a policy enforce a particular MFA option. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country. - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully. - `DomainRule { email_domain }` Matches an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Evaluates the user against custom criteria so that Allow or Block policies can use the result. - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy.
'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed HTTP in a single header with this name. 
This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks. - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta. - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application. - `remote_uri: string` The base URI for the application's SCIM-compatible API. - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. 
- `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application. - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application. - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application. - `client_id: string` Client ID of the Access service token used to authenticate with the remote service. - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service. - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application. - `"access_service_token"` - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations. - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application. 
- `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned. - `schema: string` Which SCIM resource type this mapping applies to. - `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored. - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. 
- `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. - `AppLauncherApplication { type, id, allowed_idps, 15 more }` - `type: "self_hosted" or "saas" or "ssh" or 11 more` The application type. - `"self_hosted"` - `"saas"` - `"ssh"` - `"vnc"` - `"app_launcher"` - `"warp"` - `"biso"` - `"bookmark"` - `"dash_sso"` - `"infrastructure"` - `"rdp"` - `"mcp"` - `"mcp_portal"` - `"proxy_endpoint"` - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `app_launcher_logo_url: optional string` The image URL of the logo shown in the App Launcher header. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `bg_color: optional string` The background color of the App Launcher page. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `footer_links: optional array of { name, url }` The links in the App Launcher footer. 
- `name: string` The hypertext in the footer link. - `url: string` the hyperlink in the footer link. - `header_bg_color: optional string` The background color of the App Launcher header. - `landing_page_design: optional { button_color, button_text_color, image_url, 2 more }` The design of the App Launcher landing page shown to users when they log in. - `button_color: optional string` The background color of the log in button on the landing page. - `button_text_color: optional string` The color of the text in the log in button on the landing page. - `image_url: optional string` The URL of the image shown on the landing page. - `message: optional string` The message shown on the landing page. - `title: optional string` The title shown on the landing page. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. 
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. 
Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. - `updated_at: optional string` - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `skip_app_launcher_login_page: optional boolean` Determines when to skip the App Launcher landing page. - `DeviceEnrollmentPermissionsApplication { type, id, allowed_idps, 9 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. 
- `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `name: optional string` The name of the application. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. - `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. 
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. 
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BrowserIsolationPermissionsApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `GatewayIdentityProxyEndpointApplication { type, id, allowed_idps, 9 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `domain: optional string` The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `BookmarkApplication { id, app_launcher_visible, aud, 6 more }`
  - `id: optional string` UUID.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `domain: optional string` The URL or domain of the bookmark.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `type: optional ApplicationType` The application type.
- `InfrastructureApplication { target_criteria, type, id, 3 more }`
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "SSH"` The communication protocol your application secures.
      - `"SSH"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `aud: optional string` Audience tag.
  - `name: optional string` The name of the application.
  - `policies: optional array of { id, connection_rules, created_at, 6 more }`
    - `id: optional string` The UUID of the policy.
    - `connection_rules: optional { ssh }` The rules that define how users may connect to the targets secured by your application.
      - `ssh: optional { usernames, allow_email_alias }` The SSH-specific rules that define how users may connect to the targets secured by your application.
        - `usernames: array of string` Contains the Unix usernames that may be used when connecting over SSH.
        - `allow_email_alias: optional boolean` Enables using the identity provider email alias as the SSH username.
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `name: optional string` The name of the Access policy.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
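The Include, Require and Exclude lists above combine with OR, AND and NOT respectively, and policies are tried in `precedence` order, so a Deny policy with a lower precedence number wins over an Allow that would also match. The following evaluator is an added example written for this page, not Cloudflare's policy engine: it applies exactly those documented semantics to a constructed set of policies. The page only names the wrapper key of each rule (`email`, `email_domain`, `group`, `geo`, `ip`, `service_token`, `everyone`); the inner shapes used here (`{"email": {"email": ...}}`, `{"group": {"id": ...}}`, `{"geo": {"country_code": ...}}`, `{"ip": {"ip": ...}}`, `{"service_token": {"token_id": ...}}`) and the request-context fields are assumptions.

```python
"""Evaluator for the documented Access policy semantics: Include is OR, Require is
AND, Exclude is NOT, and policies run in `precedence` order. Added example, not
Cloudflare's engine; the inner rule shapes below are assumptions."""
import ipaddress
from typing import Any, Optional

# Hypothetical view of one request: email, groups, country, ip, service_token_id.
Context = dict[str, Any]


def rule_matches(rule: dict, ctx: Context) -> bool:
    """Evaluate one AccessRule object ({"<wrapper key>": {...}}). Unknown kinds never match."""
    (kind, body), = rule.items()          # every rule object carries exactly one wrapper key
    email = (ctx.get("email") or "").lower()
    if kind == "everyone":
        return True
    if kind == "email":
        return email == body["email"].lower()
    if kind == "email_domain":            # compare the whole domain, never a suffix
        return "@" in email and email.rsplit("@", 1)[1] == body["domain"].lower()
    if kind == "group":
        return body["id"] in ctx.get("groups", ())
    if kind == "geo":
        return ctx.get("country") == body["country_code"]
    if kind == "ip":
        src = ctx.get("ip")
        return src is not None and ipaddress.ip_address(src) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "any_valid_service_token":
        return ctx.get("service_token_id") is not None
    if kind == "service_token":
        return ctx.get("service_token_id") == body["token_id"]
    return False


def policy_matches(policy: dict, ctx: Context) -> bool:
    """A policy matches when one Include rule, all Require rules and no Exclude rule match."""
    include = policy.get("include", [])
    require = policy.get("require", [])
    exclude = policy.get("exclude", [])
    if not any(rule_matches(r, ctx) for r in include):    # OR; an empty Include matches nobody
        return False
    if not all(rule_matches(r, ctx) for r in require):    # AND; vacuously true when empty
        return False
    return not any(rule_matches(r, ctx) for r in exclude)  # NOT


def evaluate(policies: list[dict], ctx: Context) -> Optional[str]:
    """Decision of the first matching policy in precedence order; None when nothing
    matches (Access denies the request in that case)."""
    precedences = [p["precedence"] for p in policies]
    if len(set(precedences)) != len(precedences):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"]
    return None


# Constructed sample policies; the Deny sits first so it is evaluated before the Allow.
SAMPLE_POLICIES = [
    {"name": "Block a region", "precedence": 1, "decision": "deny",
     "include": [{"geo": {"country_code": "AQ"}}]},
    {"name": "Engineering via SSO", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"group": {"id": "grp-engineering"}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}]},
    {"name": "CI runner", "precedence": 3, "decision": "non_identity",
     "include": [{"service_token": {"token_id": "tok-ci"}}],
     "require": [{"ip": {"ip": "203.0.113.0/24"}}]},
]

if __name__ == "__main__":
    engineer = {"email": "alice@example.com", "groups": ["grp-engineering"], "country": "US"}
    print(evaluate(SAMPLE_POLICIES, engineer))                                             # allow
    print(evaluate(SAMPLE_POLICIES, {**engineer, "country": "AQ"}))                        # deny
    print(evaluate(SAMPLE_POLICIES, {**engineer, "email": "contractor@example.com"}))      # None
    print(evaluate(SAMPLE_POLICIES, {"service_token_id": "tok-ci", "ip": "203.0.113.7"}))  # non_identity
```

Two details worth checking in your own policies: an `email_domain` rule compares the full domain after the `@` (so `alice@example.com.evil.net` does not match `example.com`), and an excluded user falls through to later policies rather than being denied outright, which only ends in a denial because no later policy matches.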
    - `updated_at: optional string`
- `BrowserRDPApplication { domain, target_criteria, type, 31 more }`
  - `domain: string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
  - `target_criteria: array of { port, protocol, target_attributes }`
    - `port: number` The port that the targets use for the chosen communication protocol. A port cannot be assigned to multiple protocols.
    - `protocol: "RDP"` The communication protocol your application secures.
      - `"RDP"`
    - `target_attributes: map[array of string]` Contains a map of target attribute keys to target attribute values.
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allow_iframe: optional boolean` Enables loading application content in an iframe.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `cors_headers: optional CORSHeaders`
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `enable_binding_cookie: optional boolean` Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
    - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration.
      - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost.
      - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1.
      - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths.
      - `enabled: optional boolean` Whether dynamic client registration is enabled.
    - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted.
    - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior.
      - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
      - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h.
  - `options_preflight_bypass: optional boolean` Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if `cors_headers` is set.
  - `path_cookie_attribute: optional boolean` Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
  - `policies: optional array of { id, approval_groups, approval_required, 14 more }`
    - `id: optional string` The UUID of the policy.
    - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
      - `approvals_needed: number` The number of approvals needed to obtain access.
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a reusable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
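The three dynamic client registration settings above define which redirect URIs a self-registered OAuth client may use, and redirect-URI matching is where authorization-code interception usually starts. The check below is an added example written for this page, not Cloudflare's implementation: it applies the documented rules (`allowed_uris` must be `https`, a path may end in `/*` to cover sub-paths, `allow_any_on_localhost` and `allow_any_on_loopback` open `localhost` and `127.0.0.1`) and adds the strictness a practitioner would expect, namely exact host and port comparison, no fragments and no dot-segments under a wildcard. Accepting plain `http` for the two developer hosts, treating a port-less pattern as port 443 only, and rejecting `::1` (the page names only `127.0.0.1`) are assumptions made here; the configuration `DCR` is constructed.

```python
"""Redirect-URI check modelling the documented dynamic client registration knobs:
allowed_uris (https only, optional trailing /* wildcard), allow_any_on_localhost and
allow_any_on_loopback (127.0.0.1). Added example, not Cloudflare's implementation."""
from urllib.parse import urlsplit

_DEFAULT_PORT = {"https": 443, "http": 80}


def validate_allowed_uris(allowed_uris: list[str]) -> None:
    """Reject entries the page rules out: non-https URLs and wildcards other than a trailing /*."""
    for uri in allowed_uris:
        parts = urlsplit(uri)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"allowed_uris entry must be an https URL: {uri}")
        wildcard = parts.path.endswith("/*")
        if uri.count("*") != (1 if wildcard else 0):
            raise ValueError(f"wildcard is only permitted as a trailing /*: {uri}")


def _host_port(parts):
    """(host, effective port): a pattern without a port means the scheme default, not any port."""
    return (parts.hostname or "").lower(), parts.port or _DEFAULT_PORT.get(parts.scheme)


def _path_allowed(pattern_path: str, path: str) -> bool:
    if pattern_path.endswith("/*"):
        # "/cb/*" covers "/cb/x" but not "/cb" or "/cbx"; the slash is kept in the prefix.
        return path.startswith(pattern_path[:-1])
    return path == pattern_path          # otherwise exact, unnormalised string equality


def redirect_uri_allowed(redirect_uri: str, dcr: dict) -> bool:
    """True if a dynamically registered client may use redirect_uri under config `dcr`."""
    if not dcr.get("enabled", False):
        return False
    r = urlsplit(redirect_uri)
    if r.fragment:                       # RFC 6749 section 3.1.2: no fragment in redirect URIs
        return False
    if any(seg in (".", "..") for seg in r.path.split("/")):
        return False                     # "/cb/../admin" would pass a /cb/* prefix check
    host, port = _host_port(r)
    # Developer loopback flows: any port and path. Assumption made here: plain http is
    # accepted for these two hosts, as RFC 8252 permits for native apps.
    if host == "localhost" and dcr.get("allow_any_on_localhost", False):
        return r.scheme in ("http", "https")
    if host == "127.0.0.1" and dcr.get("allow_any_on_loopback", False):
        return r.scheme in ("http", "https")
    if r.scheme != "https":
        return False
    for pattern in dcr.get("allowed_uris", []):
        p = urlsplit(pattern)
        # Host and port must match exactly: "app.example.com.attacker.net" is not
        # "app.example.com", and a different port is a different origin.
        if _host_port(p) != (host, port) or p.query != r.query:
            continue
        if _path_allowed(p.path, r.path):
            return True
    return False


# Constructed configuration for an application that accepts IDE-style OAuth clients.
DCR = {
    "enabled": True,
    "allow_any_on_localhost": True,
    "allow_any_on_loopback": False,
    "allowed_uris": ["https://app.example.com/oauth/callback", "https://ide.example.com/cb/*"],
}
validate_allowed_uris(DCR["allowed_uris"])

if __name__ == "__main__":
    for uri in ("https://ide.example.com/cb/session-42", "http://localhost:8400/callback",
                "https://app.example.com.attacker.net/oauth/callback", "https://ide.example.com/cb/../admin"):
        print(uri, redirect_uri_allowed(uri, DCR))
```

The wildcard form is convenient for clients that embed a session id in the callback path, but it is also the form that needs the dot-segment check: the authorization server compares strings, while the browser that follows the redirect resolves `..`.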
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with `non_identity` and `bypass` decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `read_service_tokens_from_header: optional string` Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (`CF-Access-Client-Id`, `CF-Access-Client-Secret`) pair of headers. The header value will be interpreted as a JSON object similar to `{"cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"}`.
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` The authentication scheme used when making SCIM requests to this application; one of the following.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets `active` to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
      - `enabled: optional boolean` Whether or not this mapping is enabled.
      - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
      - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
      - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
      - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
  - `self_hosted_domains: optional array of SelfHostedDomains` List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
  - `service_auth_401_redirect: optional boolean` Returns a 401 status code when the request is blocked by a Service Auth policy.
  - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
  - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
  - `use_clientless_isolation_app_launcher_url: optional boolean` Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
- `McpServerApplication { type, id, allow_authenticate_via_warp, 18 more }`
  - `type: ApplicationType` The application type.
  - `id: optional string` UUID.
  - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
  - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
  - `aud: optional string` Audience tag.
  - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in `allowed_idps`.
  - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application.
  - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
  - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
  - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application.
  - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
    - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
      - `type: optional "public"`
        - `"public"`
      - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
    - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }`
      - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32.
      - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
      - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
        - `"tcp"`
        - `"udp"`
      - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
      - `type: optional "private"`
        - `"private"`
      - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match.
    - `ViaMcpServerPortalDestination { mcp_server_id, type }` An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
      - `mcp_server_id: optional string` The MCP server id configured in ai-controls.
      - `type: optional "via_mcp_server_portal"`
        - `"via_mcp_server_portal"`
  - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the application.
  - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application.
Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. - `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. 
      - `email_addresses: optional array of string` A list of emails that can approve the access request.
      - `email_list_uuid: optional string` The UUID of a re-usable email list.
    - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
    - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
      - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
        - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
          - `"text"`
        - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
          - `"text"`
    - `created_at: optional string`
    - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Creates Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
  - `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
  - `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
    - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
    - `remote_uri: string` The base URI for the application's SCIM-compatible API.
    - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
      - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
        - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
        - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
        - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
          - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
          - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
          - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
            - `"access_service_token"`
    - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: some targets do not support DELETE operations.
    - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
    - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
      - `schema: string` Which SCIM resource type this mapping applies to.
- `enabled: optional boolean` Whether or not this mapping is enabled. - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application. - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes. - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target. - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application. - `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. - `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. - `McpServerPortalApplication { type, id, allow_authenticate_via_warp, 19 more }` - `type: ApplicationType` The application type. - `id: optional string` UUID. - `allow_authenticate_via_warp: optional boolean` When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. - `allowed_idps: optional array of AllowedIdPs` The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. - `aud: optional string` Audience tag. - `auto_redirect_to_identity: optional boolean` When set to `true`, users skip the identity provider selection step during login. 
You must specify only one identity provider in allowed_idps. - `custom_deny_message: optional string` The custom error message shown to a user when they are denied access to the application. - `custom_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. - `custom_non_identity_deny_url: optional string` The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. - `custom_pages: optional array of string` The custom pages that will be displayed when applicable for this application - `destinations: optional array of { type, uri } or { cidr, hostname, l4_protocol, 3 more } or { mcp_server_id, type }` List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored. - `PublicDestination { type, uri }` A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition. - `type: optional "public"` - `"public"` - `uri: optional string` The URI of the destination. Public destinations' URIs can include a domain and path with [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/). - `PrivateDestination { cidr, hostname, l4_protocol, 3 more }` - `cidr: optional string` The CIDR range of the destination. Single IPs will be computed as /32. - `hostname: optional string` The hostname of the destination. Matches a valid SNI served by an HTTPS origin. - `l4_protocol: optional "tcp" or "udp"` The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match. - `"tcp"` - `"udp"` - `port_range: optional string` The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match. 
- `type: optional "private"` - `"private"` - `vnet_id: optional string` The VNET ID to match the destination. When omitted, all VNETs will match. - `ViaMcpServerPortalDestination { mcp_server_id, type }` A MCP server id configured in ai-controls. Access will secure the MCP server if accessed through a MCP portal. - `mcp_server_id: optional string` The MCP server id configured in ai-controls. - `type: optional "via_mcp_server_portal"` - `"via_mcp_server_portal"` - `domain: optional string` The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. - `http_only_cookie_attribute: optional boolean` Enables the HttpOnly cookie attribute, which increases security against XSS attacks. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the application. - `oauth_configuration: optional { dynamic_client_registration, enabled, grant }` **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta. - `dynamic_client_registration: optional { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }` Settings for OAuth dynamic client registration. - `allow_any_on_localhost: optional boolean` Allows any client with redirect URIs on localhost. - `allow_any_on_loopback: optional boolean` Allows any client with redirect URIs on 127.0.0.1. - `allowed_uris: optional array of string` The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the `https` protocol. Paths may end in `/*` to match all sub-paths. - `enabled: optional boolean` Whether dynamic client registration is enabled. 
- `enabled: optional boolean` Whether the OAuth configuration is enabled for this application. When set to `false`, Access will not handle OAuth for this application. Defaults to `true` if omitted. - `grant: optional { access_token_lifetime, session_duration }` Settings for OAuth grant behavior. - `access_token_lifetime: optional string` The lifetime of the access token. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `session_duration: optional string` The duration of the OAuth session. Must be in the format `300ms` or `2h45m`. Valid time units are ns, us (or µs), ms, s, m, h. - `options_preflight_bypass: optional boolean` Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. - `policies: optional array of { id, approval_groups, approval_required, 14 more }` - `id: optional string` The UUID of the policy - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
- `"text"` - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine. - `"text"` - `created_at: optional string` - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. 
- `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. 
        Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
    - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
      - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
        - `"totp"`
        - `"biometrics"`
        - `"security_key"`
      - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
      - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
    - `name: optional string` The name of the Access policy.
    - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
    - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
    - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
    - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
      - `GroupRule { group }` Matches an Access group.
      - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `CertificateRule { certificate }` Matches any valid client certificate.
      - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `CountryRule { geo }` Matches a specific country.
      - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `DomainRule { email_domain }` Matches an entire email domain.
      - `EmailListRule { email_list }` Matches an email address from a list.
      - `EmailRule { email }` Matches a specific email.
      - `EveryoneRule { everyone }` Matches everyone.
      - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `IPListRule { ip_list }` Matches an IP address from a list.
      - `IPRule { ip }` Matches an IP address block.
      - `OktaGroupRule { okta }` Matches an Okta group.
        Requires an Okta identity provider.
      - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
    - `updated_at: optional string`
- `same_site_cookie_attribute: optional string` Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- `scim_config: optional { idp_uid, remote_uri, authentication, 3 more }` Configuration for provisioning to this application via SCIM. This is currently in closed beta.
  - `idp_uid: string` The UID of the IdP to use as the source for SCIM resources to provision to this application.
  - `remote_uri: string` The base URI for the application's SCIM-compatible API.
  - `authentication: optional SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or 2 more` Attributes for configuring the authentication scheme used for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
    - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
    - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
      - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
      - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
      - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
        - `"access_service_token"`
    - `AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or { client_id, client_secret, scheme }` Multiple authentication schemes.
      - `SCIMConfigAuthenticationHTTPBasic { password, scheme, user }` Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOAuthBearerToken { token, scheme }` Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
      - `SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more }` Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
      - `AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme }` Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
        - `client_id: string` Client ID of the Access service token used to authenticate with the remote service.
        - `client_secret: string` Client secret of the Access service token used to authenticate with the remote service.
        - `scheme: "access_service_token"` The authentication scheme to use when making SCIM requests to this application.
          - `"access_service_token"`
  - `deactivate_on_delete: optional boolean` If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
  - `enabled: optional boolean` Whether SCIM provisioning is turned on for this application.
  - `mappings: optional array of SCIMConfigMapping` A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
    - `schema: string` Which SCIM resource type this mapping applies to.
    - `enabled: optional boolean` Whether or not this mapping is enabled.
    - `filter: optional string` A [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2) that matches resources that should be provisioned to this application.
    - `operations: optional { create, delete, update }` Whether or not this mapping applies to creates, updates, or deletes.
    - `strictness: optional "strict" or "passthrough"` The level of adherence to outbound resource schemas when provisioning to this mapping. `strict` removes unknown values, while `passthrough` passes unknown values to the target.
    - `transform_jsonata: optional string` A [JSONata](https://jsonata.org/) expression that transforms the resource before provisioning it in the application.
- `session_duration: optional string` The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
- `tags: optional array of string` The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
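The two `session_duration` fields above use different grammars: the MFA one accepts only whole minutes or hours within `0m`..`720h`, while the token one accepts Go-style compound durations (`300ms`, `2h45m`) in any of ns, us/µs, ms, s, m, h. The following is an added example (not Cloudflare's code or the API's own validation) of a client-side validator for both, so a malformed value is caught before a create or update request is sent; the nanosecond output type and the `MAX_MFA_MINUTES` name are this example's choices.

```python
import re
from fractions import Fraction

# Nanoseconds per unit, for the token session_duration grammar listed on the page.
_NS_PER_UNIT = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
}
# Two-letter units are listed before "s", "m" and "h" so "ms" is not read as "m" plus junk.
_TOKEN = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")

MAX_MFA_MINUTES = 720 * 60  # documented maximum of 720h (30 days), expressed in minutes


def parse_session_duration(text: str) -> int:
    """Parse a token session_duration such as '300ms' or '2h45m' into integer nanoseconds.

    Integer arithmetic (via Fraction) keeps fractional inputs like '1.5h' exact.
    Raises ValueError on an empty string, an unknown unit, or trailing characters.
    """
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, Fraction(0)
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"invalid duration {text!r} at offset {pos}")
        total += Fraction(m.group(1)) * _NS_PER_UNIT[m.group(2)]
        pos = m.end()
    return int(total)  # sub-nanosecond remainders are truncated


def parse_mfa_session_duration(text: str) -> int:
    """Parse an mfa_config.session_duration ('5m', '24h') into minutes.

    Only whole minutes (m) or hours (h) are accepted, and the result must lie
    within the documented 0m..720h range; anything else raises ValueError.
    """
    m = re.fullmatch(r"(\d+)([mh])", text or "")
    if m is None:
        raise ValueError(f"MFA session duration must look like '5m' or '24h', got {text!r}")
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    if minutes > MAX_MFA_MINUTES:
        raise ValueError(f"{text!r} exceeds the 720h maximum")
    return minutes


def is_valid_mfa_session_duration(text: str) -> bool:
    """Predicate form, convenient when validating a policy payload field by field."""
    try:
        parse_mfa_session_duration(text)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for sample in ("300ms", "2h45m", "1.5h"):
        print(f"{sample:>6} -> {parse_session_duration(sample)} ns")
    for sample in ("0m", "5m", "24h", "720h", "721h", "90s"):
        print(f"{sample:>6} -> valid MFA duration: {is_valid_mfa_session_duration(sample)}")
```

Rejecting `90s` for the MFA field is deliberate: the page allows only `m` and `h` there, and a value the API would refuse is better caught in the client than discovered as a failed deploy.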
### Application Delete Response

- `ApplicationDeleteResponse { id }`
  - `id: optional string` UUID.

### Application Revoke Tokens Response

- `ApplicationRevokeTokensResponse = unknown`

# CAs

## List short-lived certificate CAs

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/ca`

Lists short-lived certificate CAs and their public keys.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of CA`
  - `id: optional string` The ID of the CA.
  - `aud: optional string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: optional string` The public key to add to your SSH server configuration.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
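The `public_key` returned here is what an SSH host is told to trust, so it is worth checking that the line is a well-formed OpenSSH public key whose base64 blob actually encodes the algorithm its prefix advertises before installing it. The following is an added example (not Cloudflare's code) that performs that check on the `result` records and assembles the file consumed by OpenSSH's `TrustedUserCAKeys` directive; the `/etc/ssh/ca.pub` path and the sample key (a correctly framed `ecdsa-sha2-nistp256` blob with a placeholder point) are constructed for the example.

```python
import base64
import struct

CA_KEYS_PATH = "/etc/ssh/ca.pub"  # placeholder location for the trusted CA key file


def _ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 length-prefixed string."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(blob: bytes, offset: int):
    """Decode one length-prefixed string at offset; returns (value, next offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset:offset + length], offset + length


def parse_ca_public_key(line: str) -> dict:
    """Parse '<type> <base64> [comment]' and verify the blob matches the advertised type.

    For ECDSA keys the embedded curve name must agree with the type suffix and the
    point must be an uncompressed SEC1 point; any mismatch raises ValueError.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = " ".join(parts[2:])
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    blob_type, offset = _read_ssh_string(blob, 0)
    if blob_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"prefix {key_type!r} does not match blob type {blob_type!r}")
    curve = None
    if key_type.startswith("ecdsa-sha2-"):
        curve_bytes, offset = _read_ssh_string(blob, offset)
        curve = curve_bytes.decode("ascii", "replace")
        if key_type != "ecdsa-sha2-" + curve:
            raise ValueError(f"curve {curve!r} does not match {key_type!r}")
        point, _ = _read_ssh_string(blob, offset)
        if not point or point[0] != 0x04:
            raise ValueError("ECDSA point must be an uncompressed SEC1 point")
    return {"type": key_type, "curve": curve, "comment": comment}


def is_well_formed_ca_key(line: str) -> bool:
    try:
        parse_ca_public_key(line)
    except ValueError:
        return False
    return True


def build_trusted_ca_file(ca_records) -> str:
    """Validate each CA record's public_key and return the file contents, one key per line."""
    lines = []
    for rec in ca_records:
        parse_ca_public_key(rec["public_key"])  # raises on a malformed key
        lines.append(rec["public_key"].strip())
    return "\n".join(lines) + "\n"


def sshd_config_line() -> str:
    """The sshd_config directive that points OpenSSH at the CA file."""
    return f"TrustedUserCAKeys {CA_KEYS_PATH}"


def sample_ca_record() -> dict:
    """Constructed CA object: correctly framed nistp256 blob with a placeholder point."""
    point = b"\x04" + bytes(64)  # not a usable key, only the wire framing is real
    blob = _ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(point)
    key = "ecdsa-sha2-nistp256 " + base64.b64encode(blob).decode() + " open-ssh-ca@cloudflareaccess.org"
    return {"id": "CA_ID_PLACEHOLDER", "aud": "AUD_PLACEHOLDER", "public_key": key}


if __name__ == "__main__":
    print(build_trusted_ca_file([sample_ca_record()]), end="")
    print(sshd_config_line())
```

Note that the `xxxx…` placeholder key shown in the responses on this page is rejected by `parse_ca_public_key`, as it should be: it is not a decodable key blob.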
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/ca \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
      "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
    }
  ],
  "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 }
}
```

## Get a short-lived certificate CA

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Fetches a short-lived certificate CA and its public key.

### Path Parameters

- `app_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional CA`
  - `id: optional string` The ID of the CA.
  - `aud: optional string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: optional string` The public key to add to your SSH server configuration.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/ca \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Create a short-lived certificate CA

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Generates a new short-lived certificate CA and public key.

### Path Parameters

- `app_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional CA`
  - `id: optional string` The ID of the CA.
  - `aud: optional string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: optional string` The public key to add to your SSH server configuration.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/ca \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9",
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "public_key": "ecdsa-sha2-nistp256 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= open-ssh-ca@cloudflareaccess.org"
  }
}
```

## Delete a short-lived certificate CA

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/ca`

Deletes a short-lived certificate CA.

### Path Parameters

- `app_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` The ID of the CA.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/ca \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": { "id": "7eddae4619b50ab1361ba8ae9bd72269a432fea041529ed9" }
}
```

## Domain Types

### CA

- `CA { id, aud, public_key }`
  - `id: optional string` The ID of the CA.
  - `aud: optional string` The Application Audience (AUD) tag. Identifies the application associated with the CA.
  - `public_key: optional string` The public key to add to your SSH server configuration.

### CA Delete Response

- `CADeleteResponse { id }`
  - `id: optional string` The ID of the CA.

# User Policy Checks

## Test Access policies

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/user_policy_checks`

Tests if a specific user has permission to access an application.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { app_state, user_identity }`
  - `app_state: optional { app_uid, aud, hostname, 3 more }`
    - `app_uid: optional string` UUID.
    - `aud: optional string`
    - `hostname: optional string`
    - `name: optional string`
    - `policies: optional array of unknown`
    - `status: optional string`
  - `user_identity: optional { id, account_id, device_sessions, 8 more }`
    - `id: optional string`
    - `account_id: optional string`
    - `device_sessions: optional unknown`
    - `email: optional string`
    - `geo: optional UserPolicyCheckGeo`
      - `country: optional string`
    - `iat: optional number`
    - `is_gateway: optional boolean`
    - `is_warp: optional boolean`
    - `name: optional string`
    - `user_uuid: optional string` UUID.
    - `version: optional number`

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/user_policy_checks \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "app_state": {
      "app_uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe389",
      "hostname": "test.com",
      "name": "Test App",
      "policies": [
        {
          "decision": "allow",
          "exclude": [],
          "include": [ { "_type": "email", "email": "testuser@gmail.com" } ],
          "precedence": 1,
          "require": [],
          "status": "Success"
        }
      ],
      "status": "Success"
    },
    "user_identity": {
      "id": "1164449231815010287495",
      "account_id": "41ecfbb341f033e52b46742756aabb8b",
      "device_sessions": {},
      "email": "testuser@gmail.com",
      "geo": { "country": "US" },
      "iat": 0,
      "is_gateway": false,
      "is_warp": false,
      "name": "Test User",
      "user_uuid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "version": 0
    }
  }
}
```

## Domain Types

### User Policy Check Geo

- `UserPolicyCheckGeo { country }`
  - `country: optional string`

### User Policy Check List Response

- `UserPolicyCheckListResponse { app_state, user_identity }`
  - `app_state: optional { app_uid, aud, hostname, 3 more }`
    - `app_uid: optional string` UUID.
    - `aud: optional string`
    - `hostname: optional string`
    - `name: optional string`
    - `policies: optional array of unknown`
    - `status: optional string`
  - `user_identity: optional { id, account_id, device_sessions, 8 more }`
    - `id: optional string`
    - `account_id: optional string`
    - `device_sessions: optional unknown`
    - `email: optional string`
    - `geo: optional UserPolicyCheckGeo`
      - `country: optional string`
    - `iat: optional number`
    - `is_gateway: optional boolean`
    - `is_warp: optional boolean`
    - `name: optional string`
    - `user_uuid: optional string` UUID.
    - `version: optional number`

# Policies

## List Access application policies

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.

### Path Parameters

- `app_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a re-usable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. 
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/policies \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "approval_groups": [
        {
          "approvals_needed": 1,
          "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "email_list_uuid"
        },
        {
          "approvals_needed": 3,
          "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
        }
      ],
      "approval_required": true,
      "connection_rules": {
        "rdp": {
          "allowed_clipboard_local_to_remote_formats": ["text"],
          "allowed_clipboard_remote_to_local_formats": ["text"]
        }
      },
      "created_at": "2014-01-01T05:20:00.12345Z",
      "decision": "allow",
      "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "isolation_required": false,
      "mfa_config": {
        "allowed_authenticators": ["totp", "biometrics", "security_key"],
        "mfa_disabled": false,
        "session_duration": "24h"
      },
      "name": "Allow devs",
      "precedence": 0,
      "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
      "purpose_justification_required": true,
      "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
      "session_duration": "24h",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access application policy

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`
Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.

### Path Parameters

- `app_id: string` UUID.
- `policy_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application.
      Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/policies/$POLICY_ID \
  -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  -H "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access application policy

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies`

Creates a policy applying exclusively to a single application that defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.

### Path Parameters

- `app_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
  - `approvals_needed: number` The number of approvals needed to obtain access.
  - `email_addresses: optional array of string` A list of emails that can approve the access request.
  - `email_list_uuid: optional string` The UUID of a reusable email list.
- `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
  - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
      - `"text"`
- `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
- `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
- `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. 
- `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/policies \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"]
      },
      {
        "approvals_needed": 3,
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "session_duration": "24h"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access application policy

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

### Path Parameters

- `app_id: string` UUID.
- `policy_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
  - `approvals_needed: number` The number of approvals needed to obtain access.
  - `email_addresses: optional array of string` A list of emails that can approve the access request.
  - `email_list_uuid: optional string` The UUID of a re-usable email list.
- `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
- `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
  - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
    - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
      - `"text"`
- `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
- `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a re-usable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from remote RDP session to local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/policies/$POLICY_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"]
      },
      {
        "approvals_needed": 3,
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "session_duration": "24h"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": ["test1@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": ["test@cloudflare.com", "test2@cloudflare.com"],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": ["text"],
        "allowed_clipboard_remote_to_local_formats": ["text"]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "include": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": ["totp", "biometrics", "security_key"],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "precedence": 0,
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [{ "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }],
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access application policy

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}`

Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.

### Path Parameters

- `app_id: string` UUID.
- `policy_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/policies/$POLICY_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Access Device Posture Rule

- `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully
  - `device_posture: { integration_uid }`
    - `integration_uid: string` The ID of a device posture integration.

### Access Rule

- `AccessRule = GroupRule or AnyValidServiceTokenRule or { auth_context } or 22 more` Matches an Access group.
  - `GroupRule { group }` Matches an Access group.
    - `group: { id }`
      - `id: string` The ID of a previously created Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `any_valid_service_token: { }` An empty object which matches on all service tokens.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: { id, ac_id, identity_provider_id }`
      - `id: string` The ID of an Authentication context.
      - `ac_id: string` The ACID of an Authentication context.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `auth_method: { auth_method }`
      - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `azureAD: { id, identity_provider_id }`
      - `id: string` The ID of an Azure group.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
    - `certificate: { }`
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `common_name: { common_name }`
      - `common_name: string` The common name to match.
  - `CountryRule { geo }` Matches a specific country
    - `geo: { country_code }`
      - `country_code: string` The country code that should be matched.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully
    - `device_posture: { integration_uid }`
      - `integration_uid: string` The ID of a device posture integration.
  - `DomainRule { email_domain }` Matches an entire email domain.
    - `email_domain: { domain }`
      - `domain: string` The email domain to match.
  - `EmailListRule { email_list }` Matches an email address from a list.
    - `email_list: { id }`
      - `id: string` The ID of a previously created email list.
  - `EmailRule { email }` Matches a specific email.
    - `email: { email }`
      - `email: string` The email of the user.
  - `EveryoneRule { everyone }` Matches everyone.
    - `everyone: { }` An empty object which matches on all users.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: { evaluate_url, keys_url }`
      - `evaluate_url: string` The API endpoint containing your business logic.
      - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `"github-organization": { identity_provider_id, name, team }`
      - `identity_provider_id: string` The ID of your Github identity provider.
      - `name: string` The name of the organization.
      - `team: optional string` The name of the team
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: { email, identity_provider_id }`
      - `email: string` The email of the Google Workspace group.
      - `identity_provider_id: string` The ID of your Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `login_method: { id }`
      - `id: string` The ID of an identity provider.
  - `IPListRule { ip_list }` Matches an IP address from a list.
    - `ip_list: { id }`
      - `id: string` The ID of a previously created IP list.
  - `IPRule { ip }` Matches an IP address block.
    - `ip: { ip }`
      - `ip: string` An IPv4 or IPv6 CIDR block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `okta: { identity_provider_id, name }`
      - `identity_provider_id: string` The ID of your Okta identity provider.
      - `name: string` The name of the Okta group.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `saml: { attribute_name, attribute_value, identity_provider_id }`
      - `attribute_name: string` The name of the SAML attribute.
      - `attribute_value: string` The SAML attribute value to look for.
      - `identity_provider_id: string` The ID of your SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: { claim_name, claim_value, identity_provider_id }`
      - `claim_name: string` The name of the OIDC claim.
      - `claim_value: string` The OIDC claim value to look for.
      - `identity_provider_id: string` The ID of your OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `service_token: { token_id }`
      - `token_id: string` The ID of a Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: { app_uid }`
      - `app_uid: string` The ID of an Access OIDC SaaS application
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `user_risk_score: { user_risk_score }`
      - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
        - `"low"`
        - `"medium"`
        - `"high"`
        - `"unscored"`

### Any Valid Service Token Rule

- `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
  - `any_valid_service_token: { }` An empty object which matches on all service tokens.

### Authentication Method Rule

- `AuthenticationMethodRule { auth_method }` Enforce different MFA options
  - `auth_method: { auth_method }`
    - `auth_method: string` The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.

### Azure Group Rule

- `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `azureAD: { id, identity_provider_id }`
    - `id: string` The ID of an Azure group.
    - `identity_provider_id: string` The ID of your Azure identity provider.

### Certificate Rule

- `CertificateRule { certificate }` Matches any valid client certificate.
  - `certificate: { }`

### Country Rule

- `CountryRule { geo }` Matches a specific country
  - `geo: { country_code }`
    - `country_code: string` The country code that should be matched.

### Domain Rule

- `DomainRule { email_domain }` Matches an entire email domain.
  - `email_domain: { domain }`
    - `domain: string` The email domain to match.

### Email List Rule

- `EmailListRule { email_list }` Matches an email address from a list.
  - `email_list: { id }`
    - `id: string` The ID of a previously created email list.

### Email Rule

- `EmailRule { email }` Matches a specific email.
  - `email: { email }`
    - `email: string` The email of the user.
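A small local evaluator, added here as an illustration and not Cloudflare's own code, that applies the rule semantics stated in the policy `Returns` sections above (Include = OR, Require = AND, Exclude = NOT) and the `precedence` ordering to policy objects of the documented shape, using the single-key rule bodies from the Access Rule domain type. The request-context fields (`email`, `access_group_ids`, `ip`, `passed_posture_integrations`, ...), the first-match-wins ordering, and the sample policies are assumptions of this example; identity-provider-backed rules are not decided locally.

```python
"""Local evaluator for Access policy objects (example code, not Cloudflare's)."""
import ipaddress
from typing import Any, Optional

Rule = dict[str, Any]
Ctx = dict[str, Any]


def match_rule(rule: Rule, ctx: Ctx) -> bool:
    """Evaluate one AccessRule (a single-key object) against a request context.

    ctx is a hypothetical, already-authenticated request context whose field
    names are assumptions of this example. Rules that need identity-provider
    state (okta, saml, oidc, azureAD, gsuite, ...) raise rather than guess.
    """
    if len(rule) != 1:
        raise ValueError(f"an AccessRule has exactly one key: {rule!r}")
    ((key, body),) = rule.items()
    email = (ctx.get("email") or "").lower()
    if key == "everyone":
        return True
    if key == "email":
        return email == body["email"].lower()
    if key == "email_domain":  # whole domain, so compare including the '@'
        return email.endswith("@" + body["domain"].lower())
    if key == "email_list":
        return body["id"] in ctx.get("email_list_ids", ())
    if key == "group":
        return body["id"] in ctx.get("access_group_ids", ())
    if key == "ip":  # body["ip"] is an IPv4 or IPv6 CIDR block
        addr = ctx.get("ip")
        if addr is None:
            return False
        return ipaddress.ip_address(addr) in ipaddress.ip_network(body["ip"], strict=False)
    if key == "ip_list":
        return body["id"] in ctx.get("ip_list_ids", ())
    if key == "geo":
        return (ctx.get("country_code") or "").upper() == body["country_code"].upper()
    if key == "any_valid_service_token":
        return ctx.get("service_token_id") is not None
    if key == "service_token":
        return ctx.get("service_token_id") == body["token_id"]
    if key == "certificate":
        return bool(ctx.get("client_cert_valid"))
    if key == "common_name":
        return bool(ctx.get("client_cert_valid")) and ctx.get("client_cert_cn") == body["common_name"]
    if key == "device_posture":
        return body["integration_uid"] in ctx.get("passed_posture_integrations", ())
    if key == "login_method":
        return ctx.get("identity_provider_id") == body["id"]
    if key == "auth_method":  # RFC 8176 "amr" values the IdP asserted
        return body["auth_method"] in ctx.get("amr", ())
    if key == "user_risk_score":
        return ctx.get("risk_score", "unscored") in body["user_risk_score"]
    raise NotImplementedError(f"{key!r} needs identity-provider state; not evaluated locally")


def policy_matches(policy: dict[str, Any], ctx: Ctx) -> bool:
    """Include = OR, Require = AND, Exclude = NOT. No Include rules -> matches nobody."""
    if not any(match_rule(r, ctx) for r in policy.get("include") or []):
        return False
    if not all(match_rule(r, ctx) for r in policy.get("require") or []):
        return False
    return not any(match_rule(r, ctx) for r in policy.get("exclude") or [])


def decide(policies: list[dict[str, Any]], ctx: Ctx) -> Optional[str]:
    """Walk an app's policies in precedence order; the first match supplies the decision.

    First-match-wins is an assumption of this example, read from "order of
    execution". None means no policy matched, which a caller should treat as deny.
    """
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ctx):
            return policy["decision"]
    return None


# Constructed sample: two policies of one application, in the documented shape.
SAMPLE_POLICIES = [
    {"name": "Deny risky users", "precedence": 0, "decision": "deny",
     "include": [{"user_risk_score": {"user_risk_score": ["high"]}}]},
    {"name": "Allow devs", "precedence": 1, "decision": "allow",
     "include": [{"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}},
                 {"email_domain": {"domain": "example.com"}}],
     "require": [{"device_posture": {"integration_uid": "posture-1"}}],
     "exclude": [{"ip": {"ip": "198.51.100.0/24"}}]},
]

# Constructed request context: a corporate user on a healthy device.
SAMPLE_CTX: Ctx = {"email": "alice@example.com", "access_group_ids": set(),
                   "ip": "203.0.113.5", "passed_posture_integrations": {"posture-1"},
                   "risk_score": "low"}

if __name__ == "__main__":
    print(decide(SAMPLE_POLICIES, SAMPLE_CTX))                               # allow
    print(decide(SAMPLE_POLICIES, {**SAMPLE_CTX, "risk_score": "high"}))     # deny
    print(decide(SAMPLE_POLICIES, {**SAMPLE_CTX, "ip": "198.51.100.7"}))     # None
```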
### Everyone Rule
- `EveryoneRule { everyone }` Matches everyone.
  - `everyone: { }` An empty object which matches on all users.

### External Evaluation Rule
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `external_evaluation: { evaluate_url, keys_url }`
    - `evaluate_url: string` The API endpoint containing your business logic.
    - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.

### GitHub Organization Rule
- `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `"github-organization": { identity_provider_id, name, team }`
    - `identity_provider_id: string` The ID of your GitHub identity provider.
    - `name: string` The name of the organization.
    - `team: optional string` The name of the team.

### Group Rule
- `GroupRule { group }` Matches an Access group.
  - `group: { id }`
    - `id: string` The ID of a previously created Access group.

### GSuite Group Rule
- `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `gsuite: { email, identity_provider_id }`
    - `email: string` The email of the Google Workspace group.
    - `identity_provider_id: string` The ID of your Google Workspace identity provider.

### IP List Rule
- `IPListRule { ip_list }` Matches an IP address from a list.
  - `ip_list: { id }`
    - `id: string` The ID of a previously created IP list.

### IP Rule
- `IPRule { ip }` Matches an IP address block.
  - `ip: { ip }`
    - `ip: string` An IPv4 or IPv6 CIDR block.

### Okta Group Rule
- `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `okta: { identity_provider_id, name }`
    - `identity_provider_id: string` The ID of your Okta identity provider.
    - `name: string` The name of the Okta group.

### SAML Group Rule
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `saml: { attribute_name, attribute_value, identity_provider_id }`
    - `attribute_name: string` The name of the SAML attribute.
    - `attribute_value: string` The SAML attribute value to look for.
    - `identity_provider_id: string` The ID of your SAML identity provider.

### Service Token Rule
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `service_token: { token_id }`
    - `token_id: string` The ID of a Service Token.

### Policy List Response
- `PolicyListResponse { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Policy Get Response
- `PolicyGetResponse { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Policy Create Response
- `PolicyCreateResponse { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
- `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. 
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings. - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with. - `"totp"` - `"biometrics"` - `"security_key"` - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level. - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:`5m` or `24h`. - `name: optional string` The name of the Access policy. - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app. - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen. - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. 
  - `updated_at: optional string`

### Policy Update Response

- `PolicyUpdateResponse { id, approval_groups, approval_required, 14 more }`
  - `id: optional string` The UUID of the policy.
  - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request.
    - `approvals_needed: number` The number of approvals needed to obtain access.
    - `email_addresses: optional array of string` A list of emails that can approve the access request.
    - `email_list_uuid: optional string` The UUID of a reusable email list.
  - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session.
  - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application.
    - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections.
      - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from the local machine to the remote RDP session.
        - `"text"`
      - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
        - `"text"`
  - `created_at: optional string`
  - `decision: optional Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
    - `"allow"`
    - `"deny"`
    - `"non_identity"`
    - `"bypass"`
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
  - `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
    - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
      - `"totp"`
      - `"biometrics"`
      - `"security_key"`
    - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
    - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
  - `name: optional string` The name of the Access policy.
  - `precedence: optional number` The order of execution for this policy. Must be unique for each policy within an app.
  - `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
  - `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
  - `updated_at: optional string`

### Policy Delete Response

- `PolicyDeleteResponse { id }`
  - `id: optional string` UUID.
# Policy Tests

## Get the current status of a given Access policy test

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}`

Fetches the current status of a given Access policy test.

### Path Parameters

- `account_id: string` Identifier.
- `policy_test_id: string` The UUID of the policy test.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, percent_approved, percent_blocked, 7 more }`
  - `id: optional string` The UUID of the policy test.
  - `percent_approved: optional number` The percentage of (processed) users approved based on policy evaluation results.
  - `percent_blocked: optional number` The percentage of (processed) users blocked based on policy evaluation results.
  - `percent_errored: optional number` The percentage of (processed) users errored based on policy evaluation results.
  - `percent_users_processed: optional number` The percentage of users processed so far (of the entire user base).
  - `status: optional "blocked" or "processing" or "exceeded time" or "complete"` The status of the policy test.
    - `"blocked"`
    - `"processing"`
    - `"exceeded time"`
    - `"complete"`
  - `total_users: optional number` The total number of users in the user base.
  - `users_approved: optional number` The number of (processed) users approved based on policy evaluation results.
  - `users_blocked: optional number` The number of (processed) users blocked based on policy evaluation results.
  - `users_errored: optional number` The number of (processed) users errored based on policy evaluation results.
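A policy test tells you how many users a policy set would approve, block or error on, but it is useful to be able to reason about the include / exclude / require semantics (OR, NOT, AND, as documented in the policy schemas above) offline before submitting one. The following is an added example, not Cloudflare's evaluator: a local simulator that evaluates a subset of the AccessRule types against constructed user records and produces the same counters a policy test result carries. The policy ordering (ascending `precedence`, first match wins, no match blocks), the treatment of non-deny decisions as "approved", and all policy, user and group values are assumptions made for the illustration.

```python
import ipaddress
from typing import Any

Rule = dict[str, Any]
Policy = dict[str, Any]
User = dict[str, Any]


def rule_matches(rule: Rule, user: User) -> bool:
    """Evaluate one AccessRule object (the single-key shape from the schema) against a user."""
    if len(rule) != 1:
        raise ValueError(f"an AccessRule must have exactly one key, got {sorted(rule)}")
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return user["email"].lower() == body["email"].lower()
    if kind == "email_domain":
        return user["email"].lower().rsplit("@", 1)[-1] == body["domain"].lower()
    if kind == "group":
        return body["id"] in user.get("groups", ())
    if kind == "geo":
        return user.get("country_code") == body["country_code"]
    if kind == "ip":
        # An IPv4 or IPv6 CIDR block. A malformed address or block is an evaluation
        # error, not a silent non-match, so the caller can count the user as "errored".
        return ipaddress.ip_address(user["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "user_risk_score":
        return user.get("risk", "unscored") in body["user_risk_score"]
    raise ValueError(f"rule type not supported by this simulator: {kind}")


def policy_matches(policy: Policy, user: User) -> bool:
    """include is OR (at least one), require is AND (all), exclude is NOT (none may match)."""
    if not any(rule_matches(r, user) for r in policy.get("include", [])):
        return False
    if not all(rule_matches(r, user) for r in policy.get("require", [])):
        return False
    return not any(rule_matches(r, user) for r in policy.get("exclude", []))


def decide(policies: list[Policy], user: User) -> str:
    """Assumption: policies run in ascending precedence, the first match wins,
    and a user who matches no policy is denied (this page does not state the ordering)."""
    for policy in sorted(policies, key=lambda p: p.get("precedence", 0)):
        if policy_matches(policy, user):
            return policy["decision"]
    return "deny"


def run_policy_test(policies: list[Policy], users: list[User]) -> dict[str, Any]:
    """Produce the counters a policy test result carries, for a fully processed user base."""
    approved = blocked = errored = 0
    for user in users:
        try:
            decision = decide(policies, user)
        except (KeyError, ValueError):
            errored += 1          # bad rule or bad user record: counted, not dropped
            continue
        if decision == "deny":
            blocked += 1
        else:
            approved += 1         # allow / non_identity / bypass all grant access (assumption)
    processed = len(users)        # every user is processed, so processed == total_users
    pct = lambda n: round(100.0 * n / processed, 2) if processed else 0.0
    return {
        "status": "complete",
        "total_users": processed,
        "percent_users_processed": pct(processed),
        "users_approved": approved,
        "users_blocked": blocked,
        "users_errored": errored,
        "percent_approved": pct(approved),
        "percent_blocked": pct(blocked),
        "percent_errored": pct(errored),
    }


# Constructed sample policies, in the shape the "Start Access policy test" body accepts.
POLICIES: list[Policy] = [
    {"name": "Block high-risk users", "decision": "deny", "precedence": 1,
     "include": [{"user_risk_score": {"user_risk_score": ["high"]}}]},
    {"name": "Staff and contractors on the corp network", "decision": "allow", "precedence": 2,
     "include": [{"email_domain": {"domain": "example.com"}},
                 {"group": {"id": "grp-contractors"}}],          # placeholder group id
     "require": [{"ip": {"ip": "203.0.113.0/24"}}],
     "exclude": [{"email": {"email": "former.employee@example.com"}}]},
]

# Constructed user records; the fields are whatever the rules above consult.
USERS: list[User] = [
    {"email": "alice@example.com", "ip": "203.0.113.10", "risk": "low"},
    {"email": "bob@contractor.example", "ip": "203.0.113.20", "groups": ["grp-contractors"]},
    {"email": "mallory@example.com", "ip": "203.0.113.30", "risk": "high"},
    {"email": "dave@example.com", "ip": "198.51.100.5", "risk": "low"},
    {"email": "carol@example.com", "ip": "not-an-ip", "risk": "low"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(run_policy_test(POLICIES, USERS), indent=2))
```

Running it reports 2 approved, 2 blocked (the high-risk user and the user off the corp network) and 1 errored (the malformed IP), i.e. 40 / 40 / 20 percent of a fully processed base of 5.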
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policy-tests/$POLICY_TEST_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6", "percent_approved": 25, "percent_blocked": 25, "percent_errored": 25, "percent_users_processed": 50, "status": "complete", "total_users": 20, "users_approved": 5, "users_blocked": 5, "users_errored": 5 } } ``` ## Start Access policy test **post** `/accounts/{account_id}/access/policy-tests` Starts an Access policy test. ### Path Parameters - `account_id: string` Identifier. ### Body Parameters - `policies: optional array of { decision, include, name, 10 more } or string` - `{ decision, include, name, 10 more }` - `decision: Decision` The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. - `"allow"` - `"deny"` - `"non_identity"` - `"bypass"` - `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. 
- `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. 
- `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. 
- `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `name: string` The name of the Access policy. - `approval_groups: optional array of ApprovalGroup` Administrators who can approve a temporary authentication request. - `approvals_needed: number` The number of approvals needed to obtain access. - `email_addresses: optional array of string` A list of emails that can approve the access request. - `email_list_uuid: optional string` The UUID of an re-usable email list. - `approval_required: optional boolean` Requires the user to request access from an administrator at the start of each session. - `connection_rules: optional { rdp }` The rules that define how users may connect to targets secured by your application. - `rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }` The RDP-specific rules that define clipboard behavior for RDP connections. - `allowed_clipboard_local_to_remote_formats: optional array of "text"` Clipboard formats allowed when copying from local machine to remote RDP session. 
      - `"text"`
    - `allowed_clipboard_remote_to_local_formats: optional array of "text"` Clipboard formats allowed when copying from the remote RDP session to the local machine.
      - `"text"`
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `isolation_required: optional boolean` Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
- `mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }` Configures multi-factor authentication (MFA) settings.
  - `allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"` Lists the MFA methods that users can authenticate with.
    - `"totp"`
    - `"biometrics"`
    - `"security_key"`
  - `mfa_disabled: optional boolean` Indicates whether to disable MFA for this resource. This option is available at the application and policy level.
  - `session_duration: optional string` Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
- `purpose_justification_prompt: optional string` A custom message that will appear on the purpose justification screen.
- `purpose_justification_required: optional boolean` Require users to enter a justification when they log in to the application.
- `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
  - `CountryRule { geo }` Matches a specific country.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
  - `DomainRule { email_domain }` Matches an entire email domain.
  - `EmailListRule { email_list }` Matches an email address from a list.
  - `EmailRule { email }` Matches a specific email.
  - `EveryoneRule { everyone }` Matches everyone.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider ID.
  - `IPListRule { ip_list }` Matches an IP address from a list.
  - `IPRule { ip }` Matches an IP address block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `session_duration: optional string` The amount of time that tokens issued for the application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h.
- `string` The UUID of the reusable policy you wish to test.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, status }`
  - `id: optional string` The UUID of the policy test.
  - `status: optional "success"` The status of the policy test request.
    - `"success"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policy-tests \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{}'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f1a8b3c9d4e5f6789a0b1c2d3e4f5678a9b0c1d2e3f4a5b67890c1d2e3f4b5a6",
    "status": "success"
  }
}
```

## Domain Types

### Policy Test Get Response

- `PolicyTestGetResponse { id, percent_approved, percent_blocked, 7 more }`
  - `id: optional string` The UUID of the policy test.
  - `percent_approved: optional number` The percentage of (processed) users approved based on policy evaluation results.
  - `percent_blocked: optional number` The percentage of (processed) users blocked based on policy evaluation results.
  - `percent_errored: optional number` The percentage of (processed) users that errored based on policy evaluation results.
  - `percent_users_processed: optional number` The percentage of users processed so far (of the entire user base).
  - `status: optional "blocked" or "processing" or "exceeded time" or "complete"` The status of the policy test.
    - `"blocked"`
    - `"processing"`
    - `"exceeded time"`
    - `"complete"`
  - `total_users: optional number` The total number of users in the user base.
  - `users_approved: optional number` The number of (processed) users approved based on policy evaluation results.
  - `users_blocked: optional number` The number of (processed) users blocked based on policy evaluation results.
  - `users_errored: optional number` The number of (processed) users that errored based on policy evaluation results.

### Policy Test Create Response

- `PolicyTestCreateResponse { id, status }`
  - `id: optional string` The UUID of the policy test.
  - `status: optional "success"` The status of the policy test request.
    - `"success"`

# Users

## Get an Access policy test users page

**get** `/accounts/{account_id}/access/policy-tests/{policy_test_id}/users`

Fetches a single page of user results from an Access policy test.

### Path Parameters

- `account_id: string` Identifier.
- `policy_test_id: string` The UUID of the policy test.

### Query Parameters

- `page: optional number` Page number of results.
- `per_page: optional number`
- `status: optional "success" or "fail" or "error"` Filter users by their policy evaluation status.
  - `"success"`
  - `"fail"`
  - `"error"`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, email, name, status }` Page of processed users.
  - `id: optional string` UUID.
  - `email: optional string` The email of the user.
  - `name: optional string` The name of the user.
  - `status: optional "approved" or "blocked" or "error"` Policy evaluation result for an individual user.
    - `"approved"`
    - `"blocked"`
    - `"error"`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policy-tests/$POLICY_TEST_ID/users \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "email": "jdoe@example.com",
      "name": "Jane Doe",
      "status": "approved"
    }
  ]
}
```

## Domain Types

### User List Response

- `UserListResponse { id, email, name, status }`
  - `id: optional string` UUID.
  - `email: optional string` The email of the user.
  - `name: optional string` The name of the user.
  - `status: optional "approved" or "blocked" or "error"` Policy evaluation result for an individual user.
    - `"approved"`
    - `"blocked"`
    - `"error"`

# Settings

## Update Access application settings

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `allow_iframe: optional boolean` Enables loading application content in an iFrame.
- `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { allow_iframe, skip_interstitial }`
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.
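The policy test endpoints earlier on this page report how a policy's rule lists resolve across the whole user base. The Python script below is an added illustration, not part of Cloudflare's API or SDKs: it models that evaluation locally, treating `exclude` as NOT and `require` as AND exactly as the Exclude and Require descriptions state, and assuming `include` is OR (at least one rule must match). Per-user outcomes are rolled up into the same counters a `PolicyTestGetResponse` carries. The user records, the policy, and the rule-body keys assumed for `email`, `email_domain` and `geo` (`email`, `domain`, `country_code`) are constructed for the example; a rule type the model does not implement puts the user in the `error` bucket rather than silently approving them.

```python
"""Local model of how an Access policy's rule lists resolve for a set of users.

Added example, not Cloudflare's code.  Assumptions: `include` is OR (at least
one rule must match); `exclude` is NOT and `require` is AND, as described on
this page; the rule-body keys for email / email_domain / geo are `email`,
`domain` and `country_code`; only the rule types in rule_matches() are
modelled, and any other type lands a user in the `error` bucket.
"""
import ipaddress

# Constructed identities.  Each field corresponds to something a rule type
# on this page matches against.
USERS = [
    {"email": "alice@example.com", "country": "US", "ip": "203.0.113.7",
     "groups": ["grp-eng"], "service_token": None},
    {"email": "bob@example.com", "country": "DE", "ip": "198.51.100.9",
     "groups": [], "service_token": None},
    {"email": "mallory@example.com", "country": "US", "ip": "203.0.113.8",
     "groups": ["grp-eng"], "service_token": None},
    {"email": "ci-bot", "country": "US", "ip": "203.0.113.20",
     "groups": [], "service_token": "tok-ci"},
]

# Constructed policy: company staff or the CI service token may enter, one
# account is excluded, and every match must come from the office range.
POLICY = {
    "name": "office allow policy",
    "decision": "allow",
    "include": [{"email_domain": {"domain": "example.com"}},
                {"service_token": {"token_id": "tok-ci"}}],
    "exclude": [{"email": {"email": "mallory@example.com"}}],
    "require": [{"ip": {"ip": "203.0.113.0/24"}}],
}


def rule_matches(rule, user):
    """True if one AccessRule object (a single-key dict) matches the user."""
    if len(rule) != 1:
        raise ValueError("an AccessRule object carries exactly one key")
    (kind, body), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return user["email"].lower() == body["email"].lower()
    if kind == "email_domain":
        return user["email"].lower().endswith("@" + body["domain"].lower())
    if kind == "geo":
        return user["country"] == body["country_code"]
    if kind == "ip":
        # Mixed IPv4/IPv6 comparisons simply do not match.
        return ipaddress.ip_address(user["ip"]) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "group":
        return body["id"] in user["groups"]
    if kind == "service_token":
        return user["service_token"] == body["token_id"]
    if kind == "any_valid_service_token":
        return user["service_token"] is not None
    raise NotImplementedError("rule type %r is not modelled here" % kind)


def evaluate(policy, user):
    """Apply include (OR), exclude (NOT) and require (AND); return the
    per-user status the policy test reports: approved, blocked or error.
    A policy with no include rules admits nobody."""
    try:
        if not any(rule_matches(r, user) for r in policy.get("include", [])):
            return "blocked"
        if any(rule_matches(r, user) for r in policy.get("exclude", [])):
            return "blocked"
        if not all(rule_matches(r, user) for r in policy.get("require", [])):
            return "blocked"
        return "approved"
    except (NotImplementedError, KeyError, ValueError):
        return "error"


def policy_test(policy, users):
    """Roll per-user results up into the counters of PolicyTestGetResponse."""
    counts = {"approved": 0, "blocked": 0, "error": 0}
    for user in users:
        counts[evaluate(policy, user)] += 1
    total = len(users)

    def pct(n):
        return round(100.0 * n / total, 2) if total else 0.0

    return {
        "status": "complete",
        "total_users": total,
        "percent_users_processed": 100.0 if total else 0.0,
        "users_approved": counts["approved"],
        "users_blocked": counts["blocked"],
        "users_errored": counts["error"],
        "percent_approved": pct(counts["approved"]),
        "percent_blocked": pct(counts["blocked"]),
        "percent_errored": pct(counts["error"]),
    }


if __name__ == "__main__":
    for user in USERS:
        print(user["email"], "->", evaluate(POLICY, user))
    print(policy_test(POLICY, USERS))
```

Running it approves alice and the CI token, blocks bob (include matched, require failed) and mallory (excluded), and reports 50% approved / 50% blocked. The `error` bucket matters when reviewing a real test: users there were not evaluated at all, so they should be resolved before the `percent_blocked` figure is trusted.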
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/settings \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "allow_iframe": true, "skip_interstitial": true }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Update Access application settings

**patch** `/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/settings`

Updates Access application settings.

### Path Parameters

- `app_id: AppID` Identifier.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `allow_iframe: optional boolean` Enables loading application content in an iFrame.
- `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { allow_iframe, skip_interstitial }`
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps/$APP_ID/settings \
  -X PATCH \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "allow_iframe": true, "skip_interstitial": true }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "allow_iframe": true,
    "skip_interstitial": true
  }
}
```

## Domain Types

### Setting Update Response

- `SettingUpdateResponse { allow_iframe, skip_interstitial }`
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.

### Setting Edit Response

- `SettingEditResponse { allow_iframe, skip_interstitial }`
  - `allow_iframe: optional boolean` Enables loading application content in an iFrame.
  - `skip_interstitial: optional boolean` Enables automatic authentication through cloudflared.

# Certificates

## List mTLS certificates

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Lists all mTLS root certificates.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of Certificate`
  - `id: optional string` The ID of the application that will use this certificate.
  - `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `expires_on: optional string`
  - `fingerprint: optional string` The MD5 fingerprint of the certificate.
  - `name: optional string` The name of the certificate.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within the paginated list of results.
  - `per_page: optional number` Number of results per page.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "associated_hostnames": [ "admin.example.com" ],
      "created_at": "2014-01-01T05:20:00.12345Z",
      "expires_on": "2014-01-01T05:20:00.12345Z",
      "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
      "name": "Allow devs",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an mTLS certificate

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Fetches a single mTLS certificate.

### Path Parameters

- `certificate_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Certificate`
  - `id: optional string` The ID of the application that will use this certificate.
  - `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `expires_on: optional string`
  - `fingerprint: optional string` The MD5 fingerprint of the certificate.
  - `name: optional string` The name of the certificate.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates/$CERTIFICATE_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [ "admin.example.com" ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Add an mTLS certificate

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates`

Adds a new mTLS root certificate to Access.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `certificate: string` The certificate content.
- `name: string` The name of the certificate.
- `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
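Two practical details for callers of this endpoint, shown in an added Python example that is not Cloudflare's code: the PEM goes into the JSON body as a single string, which is why the curl example below shows `\\n` escapes, and the `fingerprint` the API returns has the form `MD5 Fingerprint=1E:80:...`, the same layout `openssl x509 -noout -fingerprint -md5` prints for the MD5 of the certificate's DER bytes. Recomputing it from the local file confirms that the certificate Access lists is the one that was uploaded. The PEM body here is constructed (arbitrary bytes, not a real X.509 certificate); that the API's value is computed over the DER bytes, and the 30-day expiry threshold, are this example's assumptions.

```python
"""Prepare an mTLS root certificate for the Add endpoint and verify what the
API stored.  Added example, not Cloudflare's code.  The PEM body below is
constructed (arbitrary bytes, not a real X.509 certificate) so the script runs
offline; a real PEM file is handled the same way."""
import base64
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a CA certificate file.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(b"constructed-example-body-not-a-real-x509-certificate").decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem):
    """Decode the first CERTIFICATE block; line wrapping inside it is ignored."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def md5_fingerprint(pem):
    """MD5 over the DER bytes, formatted like the API's `fingerprint` field.
    MD5 serves only as an identifier for matching the listing against a local
    file; it is not a security control."""
    digest = hashlib.md5(pem_to_der(pem)).hexdigest().upper()
    return "MD5 Fingerprint=" + ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def build_add_request(pem, name, associated_hostnames=None):
    """JSON body for POST .../access/certificates.  json.dumps turns the PEM's
    newlines into the \\n escapes visible in the curl example on this page."""
    body = {"certificate": pem, "name": name}
    if associated_hostnames:
        body["associated_hostnames"] = list(associated_hostnames)
    return json.dumps(body)


def verify_stored_certificate(certificate, pem, min_days_left=30, now=None):
    """Check a Certificate object returned by the API against the local PEM.
    Returns a list of findings; an empty list means the fingerprint matches
    and the certificate is not about to expire.  `now` is injectable."""
    findings = []
    expected = md5_fingerprint(pem)
    if certificate.get("fingerprint") != expected:
        findings.append("fingerprint mismatch: stored %r, local file gives %r"
                        % (certificate.get("fingerprint"), expected))
    expires_on = certificate.get("expires_on")
    if expires_on:
        # Timestamps look like 2014-01-01T05:20:00.12345Z; seconds precision is enough.
        expiry = datetime.strptime(expires_on[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        now = now or datetime.now(timezone.utc)
        if expiry - now < timedelta(days=min_days_left):
            findings.append("certificate expires on %s (within %d days)" % (expires_on, min_days_left))
    return findings


if __name__ == "__main__":
    print(build_add_request(SAMPLE_PEM, "Allow devs", ["admin.example.com"]))
    print("expected fingerprint:", md5_fingerprint(SAMPLE_PEM))
```

After the POST, pass the `result` object from the response to `verify_stored_certificate` together with the same PEM; the same check run periodically over the List endpoint's results catches a certificate that was replaced or is approaching `expires_on`.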
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Certificate`
  - `id: optional string` The ID of the application that will use this certificate.
  - `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `expires_on: optional string`
  - `fingerprint: optional string` The MD5 fingerprint of the certificate.
  - `name: optional string` The name of the certificate.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "certificate": "-----BEGIN CERTIFICATE-----\\nMIIGAjCCA+qgAwIBAgIJAI7kymlF7CWT...N4RI7KKB7nikiuUf8vhULKy5IX10\\nDrUtmu/B\\n-----END CERTIFICATE-----", "name": "Allow devs" }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [ "admin.example.com" ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an mTLS certificate

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Updates a configured mTLS certificate.

### Path Parameters

- `certificate_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `associated_hostnames: array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
- `name: optional string` The name of the certificate.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Certificate`
  - `id: optional string` The ID of the application that will use this certificate.
  - `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `expires_on: optional string`
  - `fingerprint: optional string` The MD5 fingerprint of the certificate.
  - `name: optional string` The name of the certificate.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates/$CERTIFICATE_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "associated_hostnames": [ "admin.example.com" ], "name": "Allow devs" }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "associated_hostnames": [ "admin.example.com" ],
    "created_at": "2014-01-01T05:20:00.12345Z",
    "expires_on": "2014-01-01T05:20:00.12345Z",
    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91",
    "name": "Allow devs",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an mTLS certificate

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/{certificate_id}`

Deletes an mTLS certificate.

### Path Parameters

- `certificate_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates/$CERTIFICATE_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Associated Hostnames

- `AssociatedHostnames = string` A fully-qualified domain name (FQDN).

### Certificate

- `Certificate { id, associated_hostnames, expires_on, 2 more }`
  - `id: optional string` The ID of the application that will use this certificate.
  - `associated_hostnames: optional array of AssociatedHostnames` The hostnames of the applications that will use this certificate.
  - `expires_on: optional string`
  - `fingerprint: optional string` The MD5 fingerprint of the certificate.
  - `name: optional string` The name of the certificate.

### Certificate Delete Response

- `CertificateDeleteResponse { id }`
  - `id: optional string` UUID.

# Settings

## List all mTLS hostname settings

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

List all mTLS hostname settings for this account or zone.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of CertificateSettings`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China Network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding is a feature that takes the client certificate provided by the eyeball to the edge and forwards it to the origin as an HTTP header to allow logging on the origin.
  - `hostname: string` The hostname that these settings apply to.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within the paginated list of results.
  - `per_page: optional number` Number of results per page.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
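The listing endpoints in this part of the page return `result_info` next to `result`, so a complete inventory means walking `page` up to `total_pages`. The Python below is an added example rather than Cloudflare's code: it pages through the mTLS certificate list and the hostname settings list through an injectable fetch function (the envelopes are constructed to the shapes shown on this page) and cross-checks the two, reporting hostnames that carry mTLS settings without any certificate associated with them, and certificate hostnames that have no settings entry. Both are inventory inconsistencies worth a look before relying on `client_certificate_forwarding` at the origin.

```python
"""Page through the Access mTLS certificate and hostname-settings listings and
cross-check them.  Added example, not Cloudflare's code: `fetch` stands in for
the HTTP call and the envelopes below are constructed to match the response
shapes documented on this page."""


def paginate(fetch, per_page=20):
    """Yield every item in `result` across all pages.

    `fetch(page, per_page)` must return the decoded JSON envelope for that page.
    The loop stops at result_info.total_pages; a missing result_info is treated
    as a single page."""
    page = 1
    while True:
        envelope = fetch(page, per_page)
        if not envelope.get("success"):
            raise RuntimeError("API call failed on page %d: %r" % (page, envelope.get("errors")))
        yield from envelope.get("result") or []
        info = envelope.get("result_info") or {}
        if page >= info.get("total_pages", 1):
            return
        page += 1


# Constructed responses: two certificate pages (per_page=1) and one settings page.
CERT_PAGES = {
    1: {
        "success": True, "errors": [], "messages": [],
        "result": [{"id": "cert-1", "name": "Allow devs",
                    "associated_hostnames": ["admin.example.com", "git.example.com"],
                    "expires_on": "2014-01-01T05:20:00.12345Z",
                    "fingerprint": "MD5 Fingerprint=1E:80:0F:7A:FD:31:55:96:DE:D5:CB:E2:F0:91:F6:91"}],
        "result_info": {"count": 1, "page": 1, "per_page": 1, "total_count": 2, "total_pages": 2},
    },
    2: {
        "success": True, "errors": [], "messages": [],
        "result": [{"id": "cert-2", "name": "Partner CA",
                    "associated_hostnames": ["partner.example.com"],
                    "expires_on": "2099-06-30T00:00:00.00000Z",
                    "fingerprint": "MD5 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF"}],
        "result_info": {"count": 1, "page": 2, "per_page": 1, "total_count": 2, "total_pages": 2},
    },
}
SETTINGS_PAGE = {
    "success": True, "errors": [], "messages": [],
    "result": [
        {"hostname": "admin.example.com", "client_certificate_forwarding": True, "china_network": False},
        {"hostname": "legacy.example.com", "client_certificate_forwarding": True, "china_network": False},
        {"hostname": "partner.example.com", "client_certificate_forwarding": False, "china_network": False},
    ],
    "result_info": {"count": 3, "page": 1, "per_page": 20, "total_count": 3, "total_pages": 1},
}


def fetch_certificates(page, per_page):
    """Stand-in for GET .../access/certificates?page=N&per_page=M."""
    return CERT_PAGES[page]


def fetch_settings(page, per_page):
    """Stand-in for GET .../access/certificates/settings.  The page documents no
    query parameters for this endpoint, so everything is expected in one page;
    paginate() still honours result_info if more pages are reported."""
    return SETTINGS_PAGE


def audit(certificates, settings):
    """Cross-reference the two listings.  Returns human-readable findings."""
    covered = {}  # hostname -> names of the certificates associated with it
    for cert in certificates:
        for host in cert.get("associated_hostnames") or []:
            covered.setdefault(host, []).append(cert["name"])
    configured = {s["hostname"] for s in settings}

    findings = []
    for s in settings:
        if s["hostname"] not in covered:
            findings.append("%s: has mTLS hostname settings (client_certificate_forwarding=%s) "
                            "but no certificate is associated with it"
                            % (s["hostname"], s["client_certificate_forwarding"]))
    for host in sorted(covered):
        if host not in configured:
            findings.append("%s: associated with %s but has no hostname settings entry"
                            % (host, covered[host]))
    return findings


if __name__ == "__main__":
    certs = list(paginate(fetch_certificates, per_page=1))
    hosts = list(paginate(fetch_settings))
    for line in audit(certs, hosts):
        print(line)
```

With the constructed data the audit reports `legacy.example.com` (settings but no certificate) and `git.example.com` (certificate but no settings). Against the real API, replace the two stand-in fetch functions with calls that set `page` and `per_page` as query parameters and return the decoded JSON.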
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates/settings \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Update an mTLS certificate's hostname settings

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/certificates/settings`

Updates an mTLS certificate's hostname settings.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `settings: array of CertificateSettings`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China Network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding is a feature that takes the client certificate provided by the eyeball to the edge and forwards it to the origin as an HTTP header to allow logging on the origin.
  - `hostname: string` The hostname that these settings apply to.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of CertificateSettings`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China Network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding is a feature that takes the client certificate provided by the eyeball to the edge and forwards it to the origin as an HTTP header to allow logging on the origin.
  - `hostname: string` The hostname that these settings apply to.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within the paginated list of results.
  - `per_page: optional number` Number of results per page.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/certificates/settings \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "settings": [
      {
        "china_network": false,
        "client_certificate_forwarding": true,
        "hostname": "admin.example.com"
      }
    ]
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "china_network": false,
      "client_certificate_forwarding": true,
      "hostname": "admin.example.com"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Certificate Settings

- `CertificateSettings { china_network, client_certificate_forwarding, hostname }`
  - `china_network: boolean` Request client certificates for this hostname in China. Can only be set to true if this zone is China network enabled.
  - `client_certificate_forwarding: boolean` Client Certificate Forwarding takes the client certificate the eyeball presented to the edge and forwards it to the origin as an HTTP header, so the origin can log it.
  - `hostname: string` The hostname that these settings apply to.

# Groups

## List Access groups

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Lists all Access groups.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Query Parameters

- `name: optional string` The name of the group.
- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.
- `search: optional string` Search for groups by the other listed query parameters.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, exclude, include, 3 more }`
  - `id: optional string` UUID.
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `name: optional string` The name of the Access group.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within the paginated list of results.
  - `per_page: optional number` Number of results per page.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/groups \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "exclude": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "include": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "is_default": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "name": "Allow devs",
      "require": [
        {
          "group": {
            "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
          }
        }
      ],
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get an Access group

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Fetches a single Access group.

### Path Parameters

- `group_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, exclude, include, 3 more }`
  - `id: optional string` UUID.
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method, see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country.
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Matches an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your GitHub identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `name: optional string` The name of the Access group.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country.
    - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `DomainRule { email_domain }` Matches an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
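The schema above states how the three rule sets of a group combine: `include` is an OR (meet any one), `exclude` is a NOT (meet none), and `require` is an AND (meet all). The evaluator below is an added example, not Cloudflare's own evaluation engine, and it goes a little beyond the single `GroupRule` shown in the response sample: it models the rule types that can be checked from local request context (`email`, `email_domain`, `ip`, `geo`, `everyone`, `service_token`, `any_valid_service_token` and nested `group` references with cycle detection) and fails closed on any rule type it does not model. The identity fields `email`, `ip`, `country` and `service_token_id` are assumed names for the request context and are not part of the API schema; `GROUPS` is constructed sample data in the same shape the API returns, keyed by group id the way a `GroupRule` references it.

```python
"""Evaluate an Access group's include / exclude / require rule sets."""
import ipaddress
from typing import Dict, List, Tuple

Rule = Dict[str, dict]       # one-key object, e.g. {"email": {"email": "a@example.com"}}
Group = Dict[str, object]    # {"name": ..., "include": [...], "exclude": [...], "require": [...]}


class UnsupportedRule(ValueError):
    """Rule type this example does not model. Raised rather than ignored so the
    evaluation fails closed instead of silently treating the rule as false."""


def rule_matches(rule: Rule, identity: dict, groups: Dict[str, Group],
                 visiting: Tuple[str, ...]) -> bool:
    """Evaluate one AccessRule against an identity (assumed field names, see lead-in)."""
    (kind, spec), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return identity.get("email", "").lower() == spec["email"].lower()
    if kind == "email_domain":
        _, at, domain = identity.get("email", "").rpartition("@")
        return bool(at) and domain.lower() == spec["domain"].lower()
    if kind == "ip":
        if "ip" not in identity:
            return False
        # strict=False accepts host bits set in the CIDR, as "203.0.113.5/24" would be.
        return ipaddress.ip_address(identity["ip"]) in ipaddress.ip_network(spec["ip"], strict=False)
    if kind == "geo":
        return identity.get("country") == spec["country_code"]
    if kind == "any_valid_service_token":
        return identity.get("service_token_id") is not None
    if kind == "service_token":
        return identity.get("service_token_id") == spec["token_id"]
    if kind == "group":
        return evaluate(spec["id"], identity, groups, visiting)
    raise UnsupportedRule(kind)


def _any_match(rules: List[Rule], identity, groups, visiting) -> bool:
    return any(rule_matches(r, identity, groups, visiting) for r in rules)


def _all_match(rules: List[Rule], identity, groups, visiting) -> bool:
    return all(rule_matches(r, identity, groups, visiting) for r in rules)


def evaluate(group_id: str, identity: dict, groups: Dict[str, Group],
             visiting: Tuple[str, ...] = ()) -> bool:
    """True if the identity is a member of the group per the schema's semantics."""
    if group_id in visiting:
        raise ValueError("group reference cycle: " + " -> ".join(visiting + (group_id,)))
    group = groups[group_id]
    visiting = visiting + (group_id,)
    include = list(group.get("include") or [])
    exclude = list(group.get("exclude") or [])
    require = list(group.get("require") or [])
    # Include: OR. With no include rules nobody matches.
    if not _any_match(include, identity, groups, visiting):
        return False
    # Exclude: NOT. A single hit vetoes the match.
    if _any_match(exclude, identity, groups, visiting):
        return False
    # Require: AND. Every rule must hold; an empty list is vacuously satisfied.
    return _all_match(require, identity, groups, visiting)


# Constructed sample groups, not real account data.
GROUPS: Dict[str, Group] = {
    "contractors": {
        "name": "Contractors",
        "include": [{"email_domain": {"domain": "contractor.example"}}],
    },
    "allow-devs": {
        "name": "Allow devs",
        "include": [
            {"email_domain": {"domain": "example.com"}},
            {"group": {"id": "contractors"}},          # nested GroupRule
        ],
        "exclude": [{"email": {"email": "suspended@example.com"}}],
        "require": [
            {"ip": {"ip": "203.0.113.0/24"}},
            {"geo": {"country_code": "US"}},
        ],
    },
}


if __name__ == "__main__":
    who = {"email": "dev@example.com", "ip": "203.0.113.7", "country": "US"}
    print(evaluate("allow-devs", who, GROUPS))
```

Two properties worth noticing when reviewing a group definition: an `include` list that is empty (or whose rules can never match) makes the group match nobody, and a rule in `exclude` overrides everything in `include`, so a suspended user listed there stays out even when their domain is included.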
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/groups/$GROUP_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "is_default": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "name": "Allow devs",
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create an Access group

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/groups`

Creates a new Access group.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `GroupRule { group }` Matches an Access group.
    - `group: { id }`
      - `id: string` The ID of a previously created Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `any_valid_service_token: { }` An empty object which matches on all service tokens.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `auth_context: { id, ac_id, identity_provider_id }`
      - `id: string` The ID of an Authentication context.
      - `ac_id: string` The ACID of an Authentication context.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
    - `auth_method: { auth_method }`
      - `auth_method: string` The type of authentication method, see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `azureAD: { id, identity_provider_id }`
      - `id: string` The ID of an Azure group.
      - `identity_provider_id: string` The ID of your Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
    - `certificate: { }`
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `common_name: { common_name }`
      - `common_name: string` The common name to match.
  - `CountryRule { geo }` Matches a specific country.
    - `geo: { country_code }`
      - `country_code: string` The country code that should be matched.
  - `AccessDevicePostureRule { device_posture }` Enforces that a device posture rule has run successfully.
    - `device_posture: { integration_uid }`
      - `integration_uid: string` The ID of a device posture integration.
  - `DomainRule { email_domain }` Matches an entire email domain.
    - `email_domain: { domain }`
      - `domain: string` The email domain to match.
  - `EmailListRule { email_list }` Matches an email address from a list.
    - `email_list: { id }`
      - `id: string` The ID of a previously created email list.
  - `EmailRule { email }` Matches a specific email.
    - `email: { email }`
      - `email: string` The email of the user.
  - `EveryoneRule { everyone }` Matches everyone.
    - `everyone: { }` An empty object which matches on all users.
  - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `external_evaluation: { evaluate_url, keys_url }`
      - `evaluate_url: string` The API endpoint containing your business logic.
      - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
  - `GitHubOrganizationRule { "github-organization" }` Matches a GitHub organization. Requires a GitHub identity provider.
    - `"github-organization": { identity_provider_id, name, team }`
      - `identity_provider_id: string` The ID of your GitHub identity provider.
      - `name: string` The name of the organization.
      - `team: optional string` The name of the team.
  - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `gsuite: { email, identity_provider_id }`
      - `email: string` The email of the Google Workspace group.
      - `identity_provider_id: string` The ID of your Google Workspace identity provider.
  - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `login_method: { id }`
      - `id: string` The ID of an identity provider.
  - `IPListRule { ip_list }` Matches an IP address from a list.
    - `ip_list: { id }`
      - `id: string` The ID of a previously created IP list.
  - `IPRule { ip }` Matches an IP address block.
    - `ip: { ip }`
      - `ip: string` An IPv4 or IPv6 CIDR block.
  - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `okta: { identity_provider_id, name }`
      - `identity_provider_id: string` The ID of your Okta identity provider.
      - `name: string` The name of the Okta group.
  - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `saml: { attribute_name, attribute_value, identity_provider_id }`
      - `attribute_name: string` The name of the SAML attribute.
      - `attribute_value: string` The SAML attribute value to look for.
      - `identity_provider_id: string` The ID of your SAML identity provider.
  - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `oidc: { claim_name, claim_value, identity_provider_id }`
      - `claim_name: string` The name of the OIDC claim.
      - `claim_value: string` The OIDC claim value to look for.
      - `identity_provider_id: string` The ID of your OIDC identity provider.
  - `ServiceTokenRule { service_token }` Matches a specific Access Service Token.
    - `service_token: { token_id }`
      - `token_id: string` The ID of a Service Token.
  - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `linked_app_token: { app_uid }`
      - `app_uid: string` The ID of an Access OIDC SaaS application.
  - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
    - `user_risk_score: { user_risk_score }`
      - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
- `name: string` The name of the Access group.
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
  - `GroupRule { group }` Matches an Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
  - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
  - `AuthenticationMethodRule { auth_method }` Enforces different MFA options.
  - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
  - `CertificateRule { certificate }` Matches any valid client certificate.
  - `AccessCommonNameRule { common_name }` Matches a specific common name.
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `is_default: optional boolean` Whether this is the default group - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
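As an added illustration (not Cloudflare's code) of how the `include`, `exclude` and `require` rule sets above combine, the following Python validates a Create/Update group body against the documented shape and evaluates the OR / NOT / AND semantics against constructed identities; the identity attribute names (`email`, `ip`, `groups`, `auth_methods`, `risk_score`, `service_token_id`) are assumptions made for the model, not API fields.

```python
"""Model of how an Access group's rule sets combine, per the body parameter docs:
include is OR, exclude is NOT, require is AND. Added illustration, not Cloudflare
code; identity attribute names below are assumptions, not API fields."""
import ipaddress
from typing import Any

# Rule-object keys documented for AccessRule on this page.
KNOWN_RULE_KEYS = {
    "group", "any_valid_service_token", "auth_context", "auth_method", "azureAD",
    "certificate", "common_name", "geo", "device_posture", "email_domain",
    "email_list", "email", "everyone", "external_evaluation", "github-organization",
    "gsuite", "login_method", "ip_list", "ip", "okta", "saml", "oidc",
    "service_token", "linked_app_token", "user_risk_score",
}


def validate_group_body(body: dict[str, Any]) -> list[str]:
    """Check a Create/Update group body against what the docs state: name and
    include are required, exclude/require are optional arrays, and every rule
    is an object with exactly one documented key. Returns a list of problems."""
    problems: list[str] = []
    if not isinstance(body.get("name"), str) or not body["name"]:
        problems.append("name: required string")
    for field in ("include", "exclude", "require"):
        rules = body.get(field, None if field == "include" else [])
        if not isinstance(rules, list):
            problems.append(f"{field}: must be an array of AccessRule")
            continue
        for i, rule in enumerate(rules):
            if not isinstance(rule, dict) or len(rule) != 1:
                problems.append(f"{field}[{i}]: a rule is an object with one key")
            elif next(iter(rule)) not in KNOWN_RULE_KEYS:
                problems.append(f"{field}[{i}]: unknown rule type {next(iter(rule))!r}")
    return problems


def rule_matches(rule: dict[str, Any], identity: dict[str, Any]) -> bool:
    """Evaluate one AccessRule against a constructed identity dict. Only rule
    types decided from plain attributes are modelled; IdP-backed types (okta,
    saml, oidc, azureAD, gsuite, ...) never match here, since deciding them
    needs the identity provider."""
    (kind, spec), = rule.items()
    if kind == "everyone":
        return True
    if kind == "email":
        return identity.get("email", "").lower() == spec["email"].lower()
    if kind == "email_domain":
        email = identity.get("email", "")
        return "@" in email and email.rsplit("@", 1)[1].lower() == spec["domain"].lower()
    if kind == "ip":  # spec["ip"] is an IPv4 or IPv6 CIDR block
        addr = identity.get("ip")
        net = ipaddress.ip_network(spec["ip"], strict=False)
        return addr is not None and ipaddress.ip_address(addr) in net
    if kind == "group":
        return spec["id"] in identity.get("groups", ())
    if kind == "auth_method":  # RFC 8176 amr value, e.g. "mfa"
        return spec["auth_method"] in identity.get("auth_methods", ())
    if kind == "user_risk_score":
        return identity.get("risk_score", "unscored") in spec["user_risk_score"]
    if kind == "any_valid_service_token":
        return identity.get("service_token_id") is not None
    return False


def group_matches(group: dict[str, Any], identity: dict[str, Any]) -> bool:
    """include: any one rule suffices (OR); exclude: no rule may match (NOT);
    require: every rule must match (AND). Absent exclude/require are neutral;
    an empty include matches nobody."""
    return (
        any(rule_matches(r, identity) for r in group.get("include", []))
        and not any(rule_matches(r, identity) for r in group.get("exclude", []))
        and all(rule_matches(r, identity) for r in group.get("require", []))
    )


# Constructed group modelled on the page's "Allow devs" example body.
DEVS_GROUP = {
    "name": "Allow devs",
    "include": [
        {"email_domain": {"domain": "example.com"}},
        {"group": {"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"}},
    ],
    "exclude": [{"email": {"email": "former-dev@example.com"}}],
    "require": [
        {"auth_method": {"auth_method": "mfa"}},
        {"user_risk_score": {"user_risk_score": ["low", "unscored"]}},
        {"ip": {"ip": "203.0.113.0/24"}},
    ],
}

# Constructed identities (sample data, not real users).
DEV_OK = {"email": "alice@example.com", "ip": "203.0.113.10",
          "auth_methods": ["pwd", "mfa"], "risk_score": "low"}
DEV_OFFSITE = {**DEV_OK, "ip": "198.51.100.7"}                # fails the require IP rule
DEV_NO_MFA = {**DEV_OK, "auth_methods": ["pwd"]}               # fails the require MFA rule
DEV_EXCLUDED = {**DEV_OK, "email": "former-dev@example.com"}   # caught by exclude
PARTNER_IN_GROUP = {"email": "bob@partner.invalid", "ip": "203.0.113.20",
                    "auth_methods": ["mfa"], "groups": [DEVS_GROUP["include"][1]["group"]["id"]]}
```

Note that a rule listed under `exclude` wins over any matching `include`, and an identity with no risk score is treated as `unscored`, so a `require` rule on `user_risk_score` must list `"unscored"` explicitly if unscored users are meant to pass.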
### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id, exclude, include, 3 more }` - `id: optional string` UUID. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. 
- `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. 
- `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
- `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. 
- `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. 
Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `name: optional string` The name of the Access group. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. 
- `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/groups \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ], "name": "Allow devs" }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "include": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "is_default": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "name": "Allow devs",
    "require": [ { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } } ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update an Access group

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Updates a configured Access group.

### Path Parameters

- `group_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `include: array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
  - `GroupRule { group }` Matches an Access group.
    - `group: { id }`
      - `id: string` The ID of a previously created Access group.
  - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token.
    - `any_valid_service_token: { }` An empty object which matches on all service tokens.
- `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. 
- `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. 
- `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `name: string` The name of the Access group. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. 
- `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `is_default: optional boolean` Whether this is the default group - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. 
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, exclude, include, 3 more }`
  - `id: optional string` UUID.
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Match an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `name: optional string` The name of the Access group.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
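The three rule lists above are combined with different operators: `include` is an OR, `exclude` is a NOT, and `require` is an AND. The following Python model of that evaluation is an added example, not part of the Cloudflare reference and not Cloudflare's implementation; it models only the `email`, `email_domain`, `ip`, `geo`, `device_posture`, `everyone` and `group` rule types, and the identity fields (`email`, `ip`, `country`, `passed_posture`), group ids and posture integration id it uses are constructed placeholders.

```python
"""Model of Access group rule-list semantics (added example, not Cloudflare code).

An Access group carries three lists of AccessRule objects, evaluated as the
reference describes: include is an OR, exclude is a NOT, require is an AND.
Each AccessRule is a one-key object whose key names the rule type. Only seven
rule types are modelled here; identity fields, group ids and the posture
integration id are constructed placeholders.
"""
import ipaddress
from typing import Any, Dict, Optional

Identity = Dict[str, Any]   # constructed shape: email, ip, country, passed_posture
Groups = Dict[str, dict]    # group id -> group object, for nested `group` rules


def rule_matches(rule: dict, ident: Identity, groups: Groups) -> bool:
    """True if one AccessRule object matches the identity."""
    if len(rule) != 1:
        raise ValueError(f"an AccessRule has exactly one key, got {sorted(rule)}")
    (kind, body), = rule.items()
    if kind == "everyone":            # {} matches all users
        return True
    if kind == "email":
        return ident.get("email", "").lower() == body["email"].lower()
    if kind == "email_domain":
        return ident.get("email", "").lower().endswith("@" + body["domain"].lower())
    if kind == "ip":                  # body["ip"] is an IPv4 or IPv6 CIDR block
        ip = ident.get("ip")
        return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(body["ip"], strict=False)
    if kind == "geo":
        return ident.get("country") == body["country_code"]
    if kind == "device_posture":      # integration_uid must be among the checks that passed
        return body["integration_uid"] in ident.get("passed_posture", ())
    if kind == "group":               # a previously created Access group, evaluated recursively
        return group_matches(groups[body["id"]], ident, groups)
    raise NotImplementedError(f"rule type {kind!r} is not modelled in this example")


def group_matches(group: dict, ident: Identity, groups: Optional[Groups] = None) -> bool:
    """Apply include (OR), then exclude (NOT), then require (AND)."""
    groups = groups or {}
    include = group.get("include") or []
    exclude = group.get("exclude") or []
    require = group.get("require") or []
    # OR: at least one include rule must match; with no include rules nobody matches.
    if not any(rule_matches(r, ident, groups) for r in include):
        return False
    # NOT: matching any exclude rule is disqualifying, whatever include said.
    if any(rule_matches(r, ident, groups) for r in exclude):
        return False
    # AND: every require rule must hold; an empty list imposes no extra condition.
    return all(rule_matches(r, ident, groups) for r in require)


# Constructed sample groups. Ids are placeholders, not real Cloudflare identifiers.
DEVS_GROUP = {
    "name": "Allow devs",
    "include": [{"email_domain": {"domain": "example.com"}}],
    "exclude": [{"email": {"email": "contractor@example.com"}}],
    "require": [
        {"geo": {"country_code": "US"}},
        {"device_posture": {"integration_uid": "POSTURE_INTEGRATION_ID_PLACEHOLDER"}},
    ],
}
ADMINS_GROUP = {
    "name": "Admins",
    "include": [{"group": {"id": "DEVS_GROUP_ID_PLACEHOLDER"}}],   # nests the group above
    "require": [{"ip": {"ip": "203.0.113.0/24"}}],
}
GROUPS: Groups = {"DEVS_GROUP_ID_PLACEHOLDER": DEVS_GROUP}


def evaluate_samples() -> Dict[str, bool]:
    """Run a few constructed identities through both groups."""
    dev = {"email": "alice@example.com", "ip": "203.0.113.7",
           "country": "US", "passed_posture": {"POSTURE_INTEGRATION_ID_PLACEHOLDER"}}
    return {
        "dev": group_matches(DEVS_GROUP, dev, GROUPS),
        "excluded_contractor": group_matches(DEVS_GROUP, {**dev, "email": "contractor@example.com"}, GROUPS),
        "wrong_country": group_matches(DEVS_GROUP, {**dev, "country": "DE"}, GROUPS),
        "posture_failed": group_matches(DEVS_GROUP, {**dev, "passed_posture": set()}, GROUPS),
        "other_domain": group_matches(DEVS_GROUP, {**dev, "email": "bob@other.example"}, GROUPS),
        "admin_on_net": group_matches(ADMINS_GROUP, dev, GROUPS),
        "admin_off_net": group_matches(ADMINS_GROUP, {**dev, "ip": "198.51.100.9"}, GROUPS),
    }


if __name__ == "__main__":
    for name, ok in evaluate_samples().items():
        print(f"{name:20s} {'match' if ok else 'no match'}")
```

The order of checks is what matters when reviewing a group: a broad `include` such as an email domain is narrowed first by `exclude` (one named account is cut out) and then by `require` (country and device posture must both hold), and a nested `group` rule pulls the whole nested evaluation in, so a change to the referenced group silently changes every group that includes it.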
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/groups/$GROUP_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "name": "Allow devs"
  }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "exclude": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "include": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "is_default": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "name": "Allow devs",
    "require": [
      { "group": { "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f" } }
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete an Access group

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/groups/{group_id}`

Deletes an Access group.

### Path Parameters

- `group_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id }`
  - `id: optional string` UUID.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/groups/$GROUP_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415"
  }
}
```

## Domain Types

### Zero Trust Group

- `ZeroTrustGroup { id, displayName, externalId, 2 more }`
  - `id: optional string` The unique Cloudflare-generated Id of the SCIM resource.
  - `displayName: optional string` The display name of the SCIM Group resource.
  - `externalId: optional string` The IdP-generated Id of the SCIM resource.
  - `meta: optional { created, lastModified }` The metadata of the SCIM resource.
    - `created: optional string` The timestamp of when the SCIM resource was created.
    - `lastModified: optional string` The timestamp of when the SCIM resource was last modified.
  - `schemas: optional array of string` The list of URIs which indicate the attributes contained within a SCIM resource.

### Group List Response

- `GroupListResponse { id, exclude, include, 3 more }`
  - `id: optional string` UUID.
- `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. 
- `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. - `team: optional string` The name of the team - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `gsuite: { email, identity_provider_id }` - `email: string` The email of the Google Workspace group. - `identity_provider_id: string` The ID of your Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `login_method: { id }` - `id: string` The ID of an identity provider. - `IPListRule { ip_list }` Matches an IP address from a list. - `ip_list: { id }` - `id: string` The ID of a previously created IP list. - `IPRule { ip }` Matches an IP address block. - `ip: { ip }` - `ip: string` An IPv4 or IPv6 CIDR block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. 
- `okta: { identity_provider_id, name }` - `identity_provider_id: string` The ID of your Okta identity provider. - `name: string` The name of the Okta group. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `saml: { attribute_name, attribute_value, identity_provider_id }` - `attribute_name: string` The name of the SAML attribute. - `attribute_value: string` The SAML attribute value to look for. - `identity_provider_id: string` The ID of your SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `oidc: { claim_name, claim_value, identity_provider_id }` - `claim_name: string` The name of the OIDC claim. - `claim_value: string` The OIDC claim value to look for. - `identity_provider_id: string` The ID of your OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `service_token: { token_id }` - `token_id: string` The ID of a Service Token. - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `linked_app_token: { app_uid }` - `app_uid: string` The ID of an Access OIDC SaaS application - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `user_risk_score: { user_risk_score }` - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored. - `"low"` - `"medium"` - `"high"` - `"unscored"` - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. 
Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. 
To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. 
- `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. - `name: optional string` The name of the Access group. - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. - `GroupRule { group }` Matches an Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `AccessCommonNameRule { common_name }` Matches a specific common name. - `CountryRule { geo }` Matches a specific country - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `DomainRule { email_domain }` Match an entire email domain. - `EmailListRule { email_list }` Matches an email address from a list. - `EmailRule { email }` Matches a specific email. - `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. 
- `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. ### Group Get Response - `GroupGetResponse { id, exclude, include, 3 more }` - `id: optional string` UUID. - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. - `GroupRule { group }` Matches an Access group. - `group: { id }` - `id: string` The ID of a previously created Access group. - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token - `any_valid_service_token: { }` An empty object which matches on all service tokens. - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider. - `auth_context: { id, ac_id, identity_provider_id }` - `id: string` The ID of an Authentication context. - `ac_id: string` The ACID of an Authentication context. - `identity_provider_id: string` The ID of your Azure identity provider. - `AuthenticationMethodRule { auth_method }` Enforce different MFA options - `auth_method: { auth_method }` - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2. - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider. 
- `azureAD: { id, identity_provider_id }` - `id: string` The ID of an Azure group. - `identity_provider_id: string` The ID of your Azure identity provider. - `CertificateRule { certificate }` Matches any valid client certificate. - `certificate: { }` - `AccessCommonNameRule { common_name }` Matches a specific common name. - `common_name: { common_name }` - `common_name: string` The common name to match. - `CountryRule { geo }` Matches a specific country - `geo: { country_code }` - `country_code: string` The country code that should be matched. - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully - `device_posture: { integration_uid }` - `integration_uid: string` The ID of a device posture integration. - `DomainRule { email_domain }` Match an entire email domain. - `email_domain: { domain }` - `domain: string` The email domain to match. - `EmailListRule { email_list }` Matches an email address from a list. - `email_list: { id }` - `id: string` The ID of a previously created email list. - `EmailRule { email }` Matches a specific email. - `email: { email }` - `email: string` The email of the user. - `EveryoneRule { everyone }` Matches everyone. - `everyone: { }` An empty object which matches on all users. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `external_evaluation: { evaluate_url, keys_url }` - `evaluate_url: string` The API endpoint containing your business logic. - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `"github-organization": { identity_provider_id, name, team }` - `identity_provider_id: string` The ID of your Github identity provider. - `name: string` The name of the organization. 
        - `team: optional string` The name of the team
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `name: optional string` The name of the Access group.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.

### Group Create Response

- `GroupCreateResponse { id, exclude, include, 3 more }`
  - `id: optional string` UUID.
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Match an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `name: optional string` The name of the Access group.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.

### Group Update Response

- `GroupUpdateResponse { id, exclude, include, 3 more }`
  - `id: optional string` UUID.
  - `exclude: optional array of AccessRule` Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules.
    - `GroupRule { group }` Matches an Access group.
      - `group: { id }`
        - `id: string` The ID of a previously created Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
      - `any_valid_service_token: { }` An empty object which matches on all service tokens.
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
      - `auth_context: { id, ac_id, identity_provider_id }`
        - `id: string` The ID of an Authentication context.
        - `ac_id: string` The ACID of an Authentication context.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
      - `auth_method: { auth_method }`
        - `auth_method: string` The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
      - `azureAD: { id, identity_provider_id }`
        - `id: string` The ID of an Azure group.
        - `identity_provider_id: string` The ID of your Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
      - `certificate: { }`
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
      - `common_name: { common_name }`
        - `common_name: string` The common name to match.
    - `CountryRule { geo }` Matches a specific country
      - `geo: { country_code }`
        - `country_code: string` The country code that should be matched.
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
      - `device_posture: { integration_uid }`
        - `integration_uid: string` The ID of a device posture integration.
    - `DomainRule { email_domain }` Match an entire email domain.
      - `email_domain: { domain }`
        - `domain: string` The email domain to match.
    - `EmailListRule { email_list }` Matches an email address from a list.
      - `email_list: { id }`
        - `id: string` The ID of a previously created email list.
    - `EmailRule { email }` Matches a specific email.
      - `email: { email }`
        - `email: string` The email of the user.
    - `EveryoneRule { everyone }` Matches everyone.
      - `everyone: { }` An empty object which matches on all users.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
      - `external_evaluation: { evaluate_url, keys_url }`
        - `evaluate_url: string` The API endpoint containing your business logic.
        - `keys_url: string` The API endpoint containing the key that Access uses to verify that the response came from your API.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
      - `"github-organization": { identity_provider_id, name, team }`
        - `identity_provider_id: string` The ID of your Github identity provider.
        - `name: string` The name of the organization.
        - `team: optional string` The name of the team
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
      - `gsuite: { email, identity_provider_id }`
        - `email: string` The email of the Google Workspace group.
        - `identity_provider_id: string` The ID of your Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
      - `login_method: { id }`
        - `id: string` The ID of an identity provider.
    - `IPListRule { ip_list }` Matches an IP address from a list.
      - `ip_list: { id }`
        - `id: string` The ID of a previously created IP list.
    - `IPRule { ip }` Matches an IP address block.
      - `ip: { ip }`
        - `ip: string` An IPv4 or IPv6 CIDR block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
      - `okta: { identity_provider_id, name }`
        - `identity_provider_id: string` The ID of your Okta identity provider.
        - `name: string` The name of the Okta group.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
      - `saml: { attribute_name, attribute_value, identity_provider_id }`
        - `attribute_name: string` The name of the SAML attribute.
        - `attribute_value: string` The SAML attribute value to look for.
        - `identity_provider_id: string` The ID of your SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
      - `oidc: { claim_name, claim_value, identity_provider_id }`
        - `claim_name: string` The name of the OIDC claim.
        - `claim_value: string` The OIDC claim value to look for.
        - `identity_provider_id: string` The ID of your OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
      - `service_token: { token_id }`
        - `token_id: string` The ID of a Service Token.
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
      - `linked_app_token: { app_uid }`
        - `app_uid: string` The ID of an Access OIDC SaaS application
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
      - `user_risk_score: { user_risk_score }`
        - `user_risk_score: array of "low" or "medium" or "high" or "unscored"` A list of risk score levels to match. Values can be low, medium, high, or unscored.
          - `"low"`
          - `"medium"`
          - `"high"`
          - `"unscored"`
  - `include: optional array of AccessRule` Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `is_default: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
    - `EveryoneRule { everyone }` Matches everyone.
    - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria.
    - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider.
    - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider.
    - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id.
    - `IPListRule { ip_list }` Matches an IP address from a list.
    - `IPRule { ip }` Matches an IP address block.
    - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider.
    - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider.
    - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider.
    - `ServiceTokenRule { service_token }` Matches a specific Access Service Token
    - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
    - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score.
  - `name: optional string` The name of the Access group.
  - `require: optional array of AccessRule` Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules.
    - `GroupRule { group }` Matches an Access group.
    - `AnyValidServiceTokenRule { any_valid_service_token }` Matches any valid Access Service Token
    - `AccessAuthContextRule { auth_context }` Matches an Azure Authentication Context. Requires an Azure identity provider.
    - `AuthenticationMethodRule { auth_method }` Enforce different MFA options
    - `AzureGroupRule { azureAD }` Matches an Azure group. Requires an Azure identity provider.
    - `CertificateRule { certificate }` Matches any valid client certificate.
    - `AccessCommonNameRule { common_name }` Matches a specific common name.
    - `CountryRule { geo }` Matches a specific country
    - `AccessDevicePostureRule { device_posture }` Enforces a device posture rule has run successfully
    - `DomainRule { email_domain }` Match an entire email domain.
    - `EmailListRule { email_list }` Matches an email address from a list.
    - `EmailRule { email }` Matches a specific email.
- `EveryoneRule { everyone }` Matches everyone. - `ExternalEvaluationRule { external_evaluation }` Create Allow or Block policies which evaluate the user based on custom criteria. - `GitHubOrganizationRule { "github-organization" }` Matches a Github organization. Requires a Github identity provider. - `GSuiteGroupRule { gsuite }` Matches a group in Google Workspace. Requires a Google Workspace identity provider. - `AccessLoginMethodRule { login_method }` Matches a specific identity provider id. - `IPListRule { ip_list }` Matches an IP address from a list. - `IPRule { ip }` Matches an IP address block. - `OktaGroupRule { okta }` Matches an Okta group. Requires an Okta identity provider. - `SAMLGroupRule { saml }` Matches a SAML group. Requires a SAML identity provider. - `AccessOIDCClaimRule { oidc }` Matches an OIDC claim. Requires an OIDC identity provider. - `ServiceTokenRule { service_token }` Matches a specific Access Service Token - `AccessLinkedAppTokenRule { linked_app_token }` Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions. - `AccessUserRiskScoreRule { user_risk_score }` Matches a user's risk score. ### Group Delete Response - `GroupDeleteResponse { id }` - `id: optional string` UUID. # Service Tokens ## List service tokens **get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens` Lists all service tokens. ### Path Parameters - `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID. - `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID. ### Query Parameters - `name: optional string` The name of the service token. - `page: optional number` Page number of results. - `per_page: optional number` Number of results per page. - `search: optional string` Search for service tokens by other listed query parameters. 
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of ServiceToken`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/service_tokens \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "duration": "60m",
      "expires_at": "2014-01-01T05:20:00.12345Z",
      "last_seen_at": "2014-01-01T05:20:00.12345Z",
      "name": "CI/CD token",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a service token

**get** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Fetches a single service token.

### Path Parameters

- `service_token_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional ServiceToken`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/service_tokens/$SERVICE_TOKEN_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a service token

**post** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens`

Generates a new service token.

**Note:** This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.

### Path Parameters

- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `name: string` The name of the service token.
- `client_secret_version: optional number` A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
- `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
- `previous_client_secret_expires_at: optional string` The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret, or move it into the past to immediately invalidate the previous secret in case of compromise.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, client_id, client_secret, 2 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: optional string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: optional string` The name of the service token.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/service_tokens \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "name": "CI/CD token",
    "duration": "60m",
    "previous_client_secret_expires_at": "2014-01-01T05:20:00.12345Z"
  }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a service token

**put** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Updates a configured service token.

### Path Parameters

- `service_token_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Body Parameters

- `client_secret_version: optional number` A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`.
- `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
- `name: optional string` The name of the service token.
- `previous_client_secret_expires_at: optional string` The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret, or move it into the past to immediately invalidate the previous secret in case of compromise.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional ServiceToken`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.
### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/service_tokens/$SERVICE_TOKEN_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{
    "duration": "60m",
    "name": "CI/CD token",
    "previous_client_secret_expires_at": "2014-01-01T05:20:00.12345Z"
  }'
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a service token

**delete** `/{accounts_or_zones}/{account_or_zone_id}/access/service_tokens/{service_token_id}`

Deletes a service token.

### Path Parameters

- `service_token_id: string` UUID.
- `account_id: optional string` The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
- `zone_id: optional string` The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional ServiceToken`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.

### Example

```http
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/service_tokens/$SERVICE_TOKEN_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Refresh a service token

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/refresh`

Refreshes the expiration of a service token.

### Path Parameters

- `account_id: string` Identifier.
- `service_token_id: string` UUID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional ServiceToken`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens/$SERVICE_TOKEN_ID/refresh \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "expires_at": "2014-01-01T05:20:00.12345Z",
    "last_seen_at": "2014-01-01T05:20:00.12345Z",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate a service token

**post** `/accounts/{account_id}/access/service_tokens/{service_token_id}/rotate`

Generates a new Client Secret for a service token and revokes the old one.

### Path Parameters

- `account_id: string` Identifier.
- `service_token_id: string` UUID.

### Body Parameters

- `previous_client_secret_expires_at: optional string` The expiration of the previous `client_secret`. If not provided, it defaults to the current timestamp in order to immediately expire the previous secret.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, client_id, client_secret, 2 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: optional string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: optional string` The name of the service token.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens/$SERVICE_TOKEN_ID/rotate \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": {
    "id": "id",
    "client_id": "88bf3b6d86161464f6509f7219099e57.access.example.com",
    "client_secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5",
    "created_at": "2014-01-01T05:20:00.12345Z",
    "duration": "60m",
    "name": "CI/CD token",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Service Token

- `ServiceToken { id, client_id, duration, 2 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `expires_at: optional string`
  - `name: optional string` The name of the service token.
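The service-token endpoints above describe two things a caller has to get right: the `duration` grammar (`300ms`, `2h45m`; units ns, us/µs, ms, s, m, h; default 8760h) and the rotation contract (incrementing `client_secret_version` triggers a rotation, the previous secret stays accepted until `previous_client_secret_expires_at`, and that timestamp can be pulled into the past to cut the overlap short). The following is an added, offline worked example in Python; it is not Cloudflare's code and makes no API calls. It validates durations, builds the request bodies for the Create and Update endpoints, and models which secret version Access should still accept at a given instant. The class and function names (`ServiceTokenState`, `parse_duration`, `walkthrough`) are the example's own, the JSON field names are the documented ones, and the timestamps are constructed.

```python
"""Service-token lifecycle helpers modelled on the Access API reference above.

Added example, not Cloudflare's own code. Runs offline: validates the documented
`duration` grammar, builds Create / Update request bodies, and models which
`client_secret_version` Access still accepts at a given instant. Class and
function names are this example's own; JSON field names are the documented ones.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Documented units: ns, us (or µs), ms, s, m, h. Values are nanoseconds per unit.
_UNIT_NS = {"ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
            "s": 10**9, "m": 60 * 10**9, "h": 3_600 * 10**9}
# One `<number><unit>` component such as `300ms` or `45m`; `2h45m` is two of them.
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
DEFAULT_DURATION = "8760h"  # documented default: 1 year in hours


def parse_duration(text: str) -> timedelta:
    """Parse `300ms` / `2h45m`; reject bare numbers, spaces, unknown units, junk."""
    pos, total_ns = 0, 0.0
    for m in _COMPONENT.finditer(text):
        if m.start() != pos:
            break  # something that is not a component sits between matches
        total_ns += float(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"invalid duration: {text!r}")
    return timedelta(microseconds=total_ns / 1_000)


def _rfc3339(ts: datetime) -> str:
    """Render an aware datetime as the `...Z` timestamps shown in the reference."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def create_body(name: str, duration: str = DEFAULT_DURATION) -> dict:
    """Body for POST .../access/service_tokens, with `duration` checked locally."""
    parse_duration(duration)
    return {"name": name, "duration": duration}


@dataclass(frozen=True)
class ServiceTokenState:
    """The two rotation fields the Update endpoint exposes, tracked client-side."""
    client_secret_version: int = 1
    previous_client_secret_expires_at: datetime | None = None

    def rotate(self, now: datetime, grace: timedelta) -> tuple[dict, ServiceTokenState]:
        """PUT body that increments `client_secret_version` (triggering the rotation)
        and keeps the old secret valid for `grace`, so services can switch over."""
        expires = now + grace
        body = {
            "client_secret_version": self.client_secret_version + 1,
            "previous_client_secret_expires_at": _rfc3339(expires),
        }
        return body, ServiceTokenState(self.client_secret_version + 1, expires)

    def revoke_previous(self, now: datetime) -> tuple[dict, ServiceTokenState]:
        """PUT body that moves the old secret's expiry to `now`, ending the overlap."""
        body = {"previous_client_secret_expires_at": _rfc3339(now)}
        return body, replace(self, previous_client_secret_expires_at=now)

    def accepts(self, presented_version: int, now: datetime) -> bool:
        """Would Access still accept a request carrying this secret version?"""
        if presented_version == self.client_secret_version:
            return True
        if (presented_version == self.client_secret_version - 1
                and self.previous_client_secret_expires_at is not None):
            return now < self.previous_client_secret_expires_at
        return False


def walkthrough() -> dict:
    """Planned rotation with a one-hour overlap, then an emergency cut-over (constructed times)."""
    t0 = datetime(2014, 1, 1, 5, 20, tzinfo=timezone.utc)
    state = ServiceTokenState()  # fresh token: version 1, no pending expiry
    put_body, state = state.rotate(t0, timedelta(hours=1))
    during_grace = state.accepts(1, t0 + timedelta(minutes=30))
    after_grace = state.accepts(1, t0 + timedelta(hours=2))
    revoke_body, state = state.revoke_previous(t0 + timedelta(minutes=10))
    return {
        "create_body": create_body("CI/CD token", "60m"),
        "put_body": put_body,
        "revoke_body": revoke_body,
        "old_ok_during_grace": during_grace,
        "old_ok_after_grace": after_grace,
        "old_ok_after_revoke": state.accepts(1, t0 + timedelta(minutes=10)),
        "new_ok": state.accepts(2, t0 + timedelta(days=30)),
        "unknown_version_ok": state.accepts(3, t0),
    }


if __name__ == "__main__":
    print(json.dumps(walkthrough(), indent=2))
```

`accepts` encodes the acceptance rule as the reference states it (current version always, previous version only until its expiry); the authoritative check is performed by Access, so this helper is for planning a rotation and for reasoning about when an overlap window has actually closed, for instance when reconciling `last_seen_at` against the expiry you set. Validating `duration` locally keeps a malformed value from surfacing only as an API error.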
### Service Token Create Response

- `ServiceTokenCreateResponse { id, client_id, client_secret, 2 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: optional string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: optional string` The name of the service token.

### Service Token Rotate Response

- `ServiceTokenRotateResponse { id, client_id, client_secret, 2 more }`
  - `id: optional string` The ID of the service token.
  - `client_id: optional string` The Client ID for the service token. Access will check for this value in the `CF-Access-Client-ID` request header.
  - `client_secret: optional string` The Client Secret for the service token. Access will check for this value in the `CF-Access-Client-Secret` request header.
  - `duration: optional string` The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).
  - `name: optional string` The name of the service token.

# Bookmarks

## List Bookmark applications

**get** `/accounts/{account_id}/access/bookmarks`

Lists Bookmark applications.

### Path Parameters

- `account_id: string`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of Bookmark`
  - `id: optional string` The unique identifier for the Bookmark application.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `domain: optional string` The domain of the Bookmark application.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the Bookmark application.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/bookmarks \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "messages": [
    { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } }
  ],
  "success": true,
  "result": [
    {
      "id": "id",
      "app_launcher_visible": true,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "domain": "example.com",
      "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
      "name": "My Website",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Get a Bookmark application

**get** `/accounts/{account_id}/access/bookmarks/{bookmark_id}`

Fetches a single Bookmark application.

### Path Parameters

- `account_id: string`
- `bookmark_id: string` UUID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional Bookmark`
  - `id: optional string` The unique identifier for the Bookmark application.
  - `app_launcher_visible: optional boolean` Displays the application in the App Launcher.
  - `domain: optional string` The domain of the Bookmark application.
  - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard.
  - `name: optional string` The name of the Bookmark application.
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/bookmarks/$BOOKMARK_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Create a Bookmark application **post** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Create a new Bookmark application. ### Path Parameters - `account_id: string` - `bookmark_id: string` UUID. ### Body Parameters - `body: unknown` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional Bookmark` - `id: optional string` The unique identifier for the Bookmark application. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `domain: optional string` The domain of the Bookmark application. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the Bookmark application. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/bookmarks/$BOOKMARK_ID \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{}' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Update a Bookmark application **put** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Updates a configured Bookmark application. ### Path Parameters - `account_id: string` - `bookmark_id: string` UUID. ### Body Parameters - `body: unknown` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional Bookmark` - `id: optional string` The unique identifier for the Bookmark application. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `domain: optional string` The domain of the Bookmark application. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the Bookmark application. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/bookmarks/$BOOKMARK_ID \ -X PUT \ -H 'Content-Type: application/json' \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ -d '{}' ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "id", "app_launcher_visible": true, "created_at": "2014-01-01T05:20:00.12345Z", "domain": "example.com", "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg", "name": "My Website", "updated_at": "2014-01-01T05:20:00.12345Z" } } ``` ## Delete a Bookmark application **delete** `/accounts/{account_id}/access/bookmarks/{bookmark_id}` Deletes a Bookmark application. ### Path Parameters - `account_id: string` - `bookmark_id: string` UUID. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { id }` - `id: optional string` UUID. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/bookmarks/$BOOKMARK_ID \ -X DELETE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415" } } ``` ## Domain Types ### Bookmark - `Bookmark { id, app_launcher_visible, domain, 2 more }` - `id: optional string` The unique identifier for the Bookmark application. - `app_launcher_visible: optional boolean` Displays the application in the App Launcher. - `domain: optional string` The domain of the Bookmark application. - `logo_url: optional string` The image URL for the logo shown in the App Launcher dashboard. - `name: optional string` The name of the Bookmark application. ### Bookmark Delete Response - `BookmarkDeleteResponse { id }` - `id: optional string` UUID. # Keys ## Get the Access key configuration **get** `/accounts/{account_id}/access/keys` Gets the Access key rotation settings for an account. ### Path Parameters - `account_id: string` Identifier. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }` - `days_until_next_rotation: optional number` The number of days until the next key rotation. 
  - `key_rotation_interval_days: optional number` The number of days between key rotations.
  - `last_key_rotation_at: optional string` The timestamp of the previous key rotation.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/keys \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update the Access key configuration

**put** `/accounts/{account_id}/access/keys`

Updates the Access key rotation settings for an account.

### Path Parameters

- `account_id: string` Identifier.

### Body Parameters

- `key_rotation_interval_days: number` The number of days between key rotations.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }`
  - `days_until_next_rotation: optional number` The number of days until the next key rotation.
  - `key_rotation_interval_days: optional number` The number of days between key rotations.
  - `last_key_rotation_at: optional string` The timestamp of the previous key rotation.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/keys \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "key_rotation_interval_days": 30 }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Rotate Access keys

**post** `/accounts/{account_id}/access/keys/rotate`

Performs a key rotation for an account.

### Path Parameters

- `account_id: string` Identifier.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }`
  - `days_until_next_rotation: optional number` The number of days until the next key rotation.
  - `key_rotation_interval_days: optional number` The number of days between key rotations.
  - `last_key_rotation_at: optional string` The timestamp of the previous key rotation.
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/keys/rotate \
  -X POST \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "days_until_next_rotation": 1,
    "key_rotation_interval_days": 30,
    "last_key_rotation_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Domain Types

### Key Get Response

- `KeyGetResponse { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }`
  - `days_until_next_rotation: optional number` The number of days until the next key rotation.
  - `key_rotation_interval_days: optional number` The number of days between key rotations.
  - `last_key_rotation_at: optional string` The timestamp of the previous key rotation.

### Key Update Response

- `KeyUpdateResponse { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }`
  - `days_until_next_rotation: optional number` The number of days until the next key rotation.
  - `key_rotation_interval_days: optional number` The number of days between key rotations.
  - `last_key_rotation_at: optional string` The timestamp of the previous key rotation.

### Key Rotate Response

- `KeyRotateResponse { days_until_next_rotation, key_rotation_interval_days, last_key_rotation_at }`
  - `days_until_next_rotation: optional number` The number of days until the next key rotation.
  - `key_rotation_interval_days: optional number` The number of days between key rotations.
  - `last_key_rotation_at: optional string` The timestamp of the previous key rotation.

# Logs

# Access Requests

## Get Access authentication logs

**get** `/accounts/{account_id}/access/logs/access_requests`

Gets a list of Access authentication audit logs for an account.
### Path Parameters

- `account_id: string` Identifier.

### Query Parameters

- `allowedOp: optional "eq" or "neq"` Operator for the `allowed` filter.
  - `"eq"`
  - `"neq"`
- `app_typeOp: optional "eq" or "neq"` Operator for the `app_type` filter.
  - `"eq"`
  - `"neq"`
- `app_uidOp: optional "eq" or "neq"` Operator for the `app_uid` filter.
  - `"eq"`
  - `"neq"`
- `country_codeOp: optional "eq" or "neq"` Operator for the `country_code` filter.
  - `"eq"`
  - `"neq"`
- `direction: optional "desc" or "asc"` The chronological sorting order for the logs.
  - `"desc"`
  - `"asc"`
- `email: optional string` Filter by user email. Defaults to substring matching. To force exact matching, set `email_exact=true`. Example (default): `email=@example.com` returns all events with that domain. Example (exact): `email=user@example.com&email_exact=true` returns only that user.
- `email_exact: optional boolean` When true, `email` is matched exactly instead of substring matching.
- `emailOp: optional "eq" or "neq"` Operator for the `email` filter.
  - `"eq"`
  - `"neq"`
- `fields: optional string` Comma-separated list of fields to include in the response. When omitted, all fields are returned.
- `idpOp: optional "eq" or "neq"` Operator for the `idp` filter.
  - `"eq"`
  - `"neq"`
- `limit: optional number` The maximum number of log entries to retrieve.
- `non_identityOp: optional "eq" or "neq"` Operator for the `non_identity` filter.
  - `"eq"`
  - `"neq"`
- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.
- `ray_idOp: optional "eq" or "neq"` Operator for the `ray_id` filter.
  - `"eq"`
  - `"neq"`
- `since: optional string` The earliest event timestamp to query.
- `until: optional string` The latest event timestamp to query.
- `user_id: optional string` Filter by user UUID.
- `user_idOp: optional "eq" or "neq"` Operator for the `user_id` filter.
  - `"eq"`
  - `"neq"`

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of AccessRequest`
  - `action: optional string` The event that occurred, such as a login attempt.
  - `allowed: optional boolean` The result of the authentication event.
  - `app_domain: optional string` The URL of the Access application.
  - `app_uid: optional string` The unique identifier for the Access application.
  - `connection: optional string` The IdP used to authenticate.
  - `created_at: optional string`
  - `ip_address: optional string` The IP address of the authenticating user.
  - `ray_id: optional string` The unique identifier for the request to Cloudflare.
  - `user_email: optional string` The email address of the authenticating user.
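As an added example (not part of the Cloudflare reference), the script below builds a query for this endpoint from the documented parameters (`since`, `until`, `email`/`email_exact`/`emailOp`, `fields`, `page`, `per_page`), pages through the result and summarises denied authentication events per user and application, keeping the `ray_id` values for correlation. The HTTP call is abstracted behind a `fetch` callable so it runs offline against a constructed sample; the account id and the sample events are placeholders.

```python
"""Triage Cloudflare Access authentication logs (added example, not from the docs)."""
from collections import defaultdict
from typing import Callable, Dict, Iterable, Optional

API_BASE = "https://api.cloudflare.com/client/v4"


def access_requests_url(account_id: str) -> str:
    """URL of the documented endpoint for one account."""
    return f"{API_BASE}/accounts/{account_id}/access/logs/access_requests"


def build_query(since: str, until: str, email: Optional[str] = None,
                exact: bool = False, per_page: int = 100) -> Dict[str, str]:
    """Query parameters as documented for the endpoint.

    `email` defaults to substring matching ("@example.com" selects a domain);
    `email_exact=true` forces an exact match on a single address.
    """
    params = {
        "since": since,
        "until": until,
        "direction": "desc",
        "per_page": str(per_page),
        # Restrict the response to the fields the triage needs.
        "fields": "action,allowed,app_domain,user_email,ip_address,ray_id,created_at",
    }
    if email:
        params["email"] = email
        params["emailOp"] = "eq"
        if exact:
            params["email_exact"] = "true"
    return params


def iter_events(fetch: Callable[[Dict[str, str]], dict], params: Dict[str, str]) -> Iterable[dict]:
    """Page through the endpoint until an empty or short page.

    The documented response carries no result_info, so the loop stops when a
    page holds fewer than per_page events. `fetch(params)` returns the decoded
    JSON body of one request.
    """
    per_page = int(params["per_page"])
    page = 1
    while True:
        body = fetch({**params, "page": str(page)})
        if not body.get("success"):
            raise RuntimeError(f"API error: {body.get('errors')}")
        events = body.get("result") or []
        yield from events
        if len(events) < per_page:
            return
        page += 1


def summarize_denials(events: Iterable[dict]) -> dict:
    """Group denied events (allowed == false) by (user_email, app_domain).

    Each entry records the count, the distinct source IPs and the ray_ids,
    which are the handle for correlating with other Cloudflare logs.
    """
    denials: dict = defaultdict(lambda: {"count": 0, "ips": set(), "ray_ids": []})
    for ev in events:
        if ev.get("allowed") is not False:
            continue
        entry = denials[(ev.get("user_email", ""), ev.get("app_domain", ""))]
        entry["count"] += 1
        if ev.get("ip_address"):
            entry["ips"].add(ev["ip_address"])
        if ev.get("ray_id"):
            entry["ray_ids"].append(ev["ray_id"])
    return dict(denials)


# Constructed sample pages (not real data): two pages served with per_page=2.
SAMPLE_PAGES = {
    "1": [
        {"action": "login", "allowed": True, "app_domain": "test.example.com/admin",
         "user_email": "user@example.com", "ip_address": "198.41.129.166",
         "ray_id": "187d944c61940c77", "created_at": "2014-01-01T05:20:00.12345Z"},
        {"action": "login", "allowed": False, "app_domain": "test.example.com/admin",
         "user_email": "user@example.com", "ip_address": "198.51.100.7",
         "ray_id": "187d944c61940c78", "created_at": "2014-01-01T05:21:00.12345Z"},
    ],
    "2": [
        {"action": "login", "allowed": False, "app_domain": "test.example.com/admin",
         "user_email": "user@example.com", "ip_address": "198.51.100.8",
         "ray_id": "187d944c61940c79", "created_at": "2014-01-01T05:22:00.12345Z"},
    ],
}


def sample_fetch(params: Dict[str, str]) -> dict:
    """Stand-in for the HTTP call, serving the constructed pages above."""
    return {"errors": [], "messages": [], "success": True,
            "result": SAMPLE_PAGES.get(params["page"], [])}


def triage(fetch: Callable[[Dict[str, str]], dict] = sample_fetch) -> dict:
    """Run the full pipeline: query -> paginate -> summarise denials."""
    params = build_query("2014-01-01T00:00:00Z", "2014-01-02T00:00:00Z",
                         email="@example.com", per_page=2)
    return summarize_denials(iter_events(fetch, params))


if __name__ == "__main__":
    print(access_requests_url("ACCOUNT_ID_PLACEHOLDER"))
    for (email, app), info in triage().items():
        print(f"{email} -> {app}: {info['count']} denied from {sorted(info['ips'])}")
```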
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/logs/access_requests \
  -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  -H "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "action": "login",
      "allowed": true,
      "app_domain": "test.example.com/admin",
      "app_uid": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "connection": "saml",
      "created_at": "2014-01-01T05:20:00.12345Z",
      "ip_address": "198.41.129.166",
      "ray_id": "187d944c61940c77",
      "user_email": "user@example.com"
    }
  ]
}
```

## Domain Types

### Access Request List Response

- `AccessRequestListResponse = array of AccessRequest`
  - `action: optional string` The event that occurred, such as a login attempt.
  - `allowed: optional boolean` The result of the authentication event.
  - `app_domain: optional string` The URL of the Access application.
  - `app_uid: optional string` The unique identifier for the Access application.
  - `connection: optional string` The IdP used to authenticate.
  - `created_at: optional string`
  - `ip_address: optional string` The IP address of the authenticating user.
  - `ray_id: optional string` The unique identifier for the request to Cloudflare.
  - `user_email: optional string` The email address of the authenticating user.

# SCIM

## Domain Types

### Access Request

- `AccessRequest { action, allowed, app_domain, 6 more }`
  - `action: optional string` The event that occurred, such as a login attempt.
  - `allowed: optional boolean` The result of the authentication event.
  - `app_domain: optional string` The URL of the Access application.
  - `app_uid: optional string` The unique identifier for the Access application.
  - `connection: optional string` The IdP used to authenticate.
  - `created_at: optional string`
  - `ip_address: optional string` The IP address of the authenticating user.
  - `ray_id: optional string` The unique identifier for the request to Cloudflare.
  - `user_email: optional string` The email address of the authenticating user.

# Updates

## List Access SCIM update logs

**get** `/accounts/{account_id}/access/logs/scim/updates`

Lists Access SCIM update logs that maintain a record of updates made to User and Group resources synced to Cloudflare via the System for Cross-domain Identity Management (SCIM).

### Path Parameters

- `account_id: string` Identifier.

### Query Parameters

- `idp_id: array of string` The unique Id of the IdP that has SCIM enabled.
- `cf_resource_id: optional string` The unique Cloudflare-generated Id of the SCIM resource.
- `direction: optional "desc" or "asc"` The chronological order used to sort the logs.
  - `"desc"`
  - `"asc"`
- `idp_resource_id: optional string` The IdP-generated Id of the SCIM resource.
- `limit: optional number` The maximum number of update logs to retrieve.
- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.
- `request_method: optional array of "DELETE" or "PATCH" or "POST" or "PUT"` The request method of the SCIM request.
  - `"DELETE"`
  - `"PATCH"`
  - `"POST"`
  - `"PUT"`
- `resource_group_name: optional string` The display name of the SCIM Group resource.
- `resource_type: optional array of "USER" or "GROUP"` The resource type of the SCIM request.
  - `"USER"`
  - `"GROUP"`
- `resource_user_email: optional string` The email address of the SCIM User resource.
- `since: optional string` The timestamp of the earliest update log.
- `status: optional array of "FAILURE" or "SUCCESS"` The status of the SCIM request.
  - `"FAILURE"`
  - `"SUCCESS"`
- `until: optional string` The timestamp of the most recent update log.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { cf_resource_id, error_description, idp_id, 8 more }`
  - `cf_resource_id: optional string` The unique Cloudflare-generated Id of the SCIM resource.
  - `error_description: optional string` The error message which is generated when the status of the SCIM request is 'FAILURE'.
  - `idp_id: optional string` The unique Id of the IdP that has SCIM enabled.
  - `idp_resource_id: optional string` The IdP-generated Id of the SCIM resource.
  - `logged_at: optional string`
  - `request_body: optional string` The JSON-encoded string body of the SCIM request.
  - `request_method: optional string` The request method of the SCIM request.
  - `resource_group_name: optional string` The display name of the SCIM Group resource if it exists.
  - `resource_type: optional string` The resource type of the SCIM request.
  - `resource_user_email: optional string` The email address of the SCIM User resource if it exists.
  - `status: optional string` The status of the SCIM request.
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.
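As an added example (not part of the Cloudflare reference), the script below takes a decoded response from this endpoint, separates the entries with `status` `FAILURE`, orders them so that failed `DELETE` and `PATCH` requests (the ones that remove or change access) come first, decodes `request_body` defensively since it is a JSON-encoded string that may itself be malformed (the reference's own sample is `"{}}"` with `"Invalid JSON body"`), and reads `result_info` to tell whether more pages remain. The sample response is constructed; the second and third `cf_resource_id` values are placeholders.

```python
"""Triage Access SCIM update logs for failed provisioning requests (added example, not from the docs)."""
import json
from typing import Any, Dict, List, Optional, Tuple

# Lower rank = look at it first. A failed removal or modification means the
# IdP's intended state and the state synced to Cloudflare have drifted apart.
_METHOD_RANK = {"DELETE": 0, "PATCH": 1, "PUT": 2, "POST": 3}


def decode_request_body(raw: Optional[str]) -> Tuple[Optional[Any], Optional[str]]:
    """Return (parsed_body, error) for the JSON-encoded `request_body` string."""
    if raw is None:
        return None, None
    try:
        return json.loads(raw), None
    except json.JSONDecodeError as exc:
        return None, f"unparseable request_body: {exc.msg}"


def failed_updates(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Extract FAILURE entries, sorted by request-method risk, then by time."""
    if not response.get("success"):
        raise RuntimeError(f"API error: {response.get('errors')}")
    failures = []
    for entry in response.get("result") or []:
        if entry.get("status") != "FAILURE":
            continue
        body, body_err = decode_request_body(entry.get("request_body"))
        failures.append({
            "logged_at": entry.get("logged_at"),
            "idp_id": entry.get("idp_id"),
            "resource_type": entry.get("resource_type"),
            "request_method": entry.get("request_method"),
            # GROUP entries carry resource_group_name, USER entries the email.
            "subject": entry.get("resource_group_name") or entry.get("resource_user_email"),
            "error_description": entry.get("error_description"),
            "request_body": body,
            "request_body_error": body_err,
        })
    failures.sort(key=lambda f: (_METHOD_RANK.get(f["request_method"], 9), f["logged_at"] or ""))
    return failures


def has_more_pages(response: Dict[str, Any]) -> bool:
    """True when result_info indicates pages beyond the current one."""
    info = response.get("result_info") or {}
    return int(info.get("page", 1)) < int(info.get("total_pages", 1))


# Constructed sample response (not real data), shaped like the documented one.
SAMPLE_RESPONSE = {
    "errors": [], "messages": [], "success": True,
    "result": [
        {"cf_resource_id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0", "error_description": "Invalid JSON body",
         "idp_id": "df7e2w5f-02b7-4d9d-af26-8d1988fca630", "idp_resource_id": "all_employees",
         "logged_at": "2014-01-01T05:20:00.12345Z", "request_body": "{}}", "request_method": "DELETE",
         "resource_group_name": "ALL_EMPLOYEES", "resource_type": "GROUP", "status": "FAILURE"},
        {"cf_resource_id": "11111111-2222-3333-4444-555555555555",  # placeholder id
         "idp_id": "df7e2w5f-02b7-4d9d-af26-8d1988fca630", "idp_resource_id": "u-42",
         "logged_at": "2014-01-01T05:21:00.12345Z", "request_body": "{\"active\": false}",
         "request_method": "PATCH", "resource_type": "USER",
         "resource_user_email": "john.smith@example.com", "status": "SUCCESS"},
        {"cf_resource_id": "66666666-7777-8888-9999-000000000000",  # placeholder id
         "error_description": "User not found", "idp_id": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
         "idp_resource_id": "u-43", "logged_at": "2014-01-01T05:19:00.12345Z",
         "request_body": "{\"displayName\": \"J. Doe\"}", "request_method": "PUT",
         "resource_type": "USER", "resource_user_email": "jane.doe@example.com", "status": "FAILURE"},
    ],
    "result_info": {"count": 3, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100},
}


if __name__ == "__main__":
    for f in failed_updates(SAMPLE_RESPONSE):
        print(f"{f['logged_at']} {f['request_method']:6} {f['resource_type']:5} {f['subject']}: "
              f"{f['error_description']} {f['request_body_error'] or ''}")
    if has_more_pages(SAMPLE_RESPONSE):
        print("more pages remain; repeat the request with page=2")
```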
### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/logs/scim/updates \
  -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
  -H "X-Auth-Key: $CLOUDFLARE_API_KEY"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "cf_resource_id": "bd97ef8d-7986-43e3-9ee0-c25dda33e4b0",
      "error_description": "Invalid JSON body",
      "idp_id": "df7e2w5f-02b7-4d9d-af26-8d1988fca630",
      "idp_resource_id": "all_employees",
      "logged_at": "2014-01-01T05:20:00.12345Z",
      "request_body": "{}}",
      "request_method": "DELETE",
      "resource_group_name": "ALL_EMPLOYEES",
      "resource_type": "GROUP",
      "resource_user_email": "john.smith@example.com",
      "status": "FAILURE"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 20,
    "total_count": 2000,
    "total_pages": 100
  }
}
```

## Domain Types

### Update List Response

- `UpdateListResponse { cf_resource_id, error_description, idp_id, 8 more }`
  - `cf_resource_id: optional string` The unique Cloudflare-generated Id of the SCIM resource.
  - `error_description: optional string` The error message which is generated when the status of the SCIM request is 'FAILURE'.
  - `idp_id: optional string` The unique Id of the IdP that has SCIM enabled.
  - `idp_resource_id: optional string` The IdP-generated Id of the SCIM resource.
  - `logged_at: optional string`
  - `request_body: optional string` The JSON-encoded string body of the SCIM request.
  - `request_method: optional string` The request method of the SCIM request.
  - `resource_group_name: optional string` The display name of the SCIM Group resource if it exists.
  - `resource_type: optional string` The resource type of the SCIM request.
  - `resource_user_email: optional string` The email address of the SCIM User resource if it exists.
  - `status: optional string` The status of the SCIM request.

# Users

## Get users

**get** `/accounts/{account_id}/access/users`

Gets a list of users for an account.

### Path Parameters

- `account_id: string` Identifier.

### Query Parameters

- `email: optional string` The email of the user.
- `name: optional string` The name of the user.
- `page: optional number` Page number of results.
- `per_page: optional number` Number of results per page.
- `search: optional string` Search for users by other listed query parameters.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional array of { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`
- `result_info: optional { count, page, per_page, 2 more }`
  - `count: optional number` Total number of results for the requested service.
  - `page: optional number` Current page within paginated list of results.
  - `per_page: optional number` Number of results per page of results.
  - `total_count: optional number` Total results available without any search parameters.
  - `total_pages: optional number` The number of total pages in the entire result set.

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": [
    {
      "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "access_seat": false,
      "active_device_count": 2,
      "created_at": "2014-01-01T05:20:00.12345Z",
      "email": "jdoe@example.com",
      "gateway_seat": false,
      "last_successful_login": "2020-07-01T05:20:00Z",
      "name": "Jane Doe",
      "seat_uid": "seat_uid",
      "uid": "uid",
      "updated_at": "2014-01-01T05:20:00.12345Z"
    }
  ],
  "result_info": {
    "count": 1,
    "page": 1,
    "per_page": 100,
    "total_count": 1,
    "total_pages": 100
  }
}
```

## Get a user

**get** `/accounts/{account_id}/access/users/{user_id}`

Gets a specific user for an account.

### Path Parameters

- `account_id: string` Identifier.
- `user_id: string` UUID.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Create a user

**post** `/accounts/{account_id}/access/users`

Creates a new user.

### Path Parameters

- `account_id: string` Identifier.

### Body Parameters

- `email: string` The email of the user.
- `name: optional string` The name of the user.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "email": "jdoe@example.com", "name": "Jane Doe" }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Update a user

**put** `/accounts/{account_id}/access/users/{user_id}`

Updates a specific user's name for an account. Requires the user's current email as confirmation (email cannot be changed).

### Path Parameters

- `account_id: string` Identifier.
- `user_id: string` UUID.

### Body Parameters

- `email: string` The email of the user.
- `name: string` The name of the user.

### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID \
  -X PUT \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -d '{ "email": "jdoe@example.com", "name": "Jane Doe" }'
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "access_seat": false,
    "active_device_count": 2,
    "created_at": "2014-01-01T05:20:00.12345Z",
    "email": "jdoe@example.com",
    "gateway_seat": false,
    "last_successful_login": "2020-07-01T05:20:00Z",
    "name": "Jane Doe",
    "seat_uid": "seat_uid",
    "uid": "uid",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}
```

## Delete a user

**delete** `/accounts/{account_id}/access/users/{user_id}`

Deletes a specific user for an account. This will also revoke any active seats and tokens for the user.

### Path Parameters

- `account_id: string` Identifier.
- `user_id: string` UUID.
### Returns

- `errors: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `messages: array of { code, message, documentation_url, source }`
  - `code: number`
  - `message: string`
  - `documentation_url: optional string`
  - `source: optional { pointer }`
    - `pointer: optional string`
- `success: true` Whether the API call was successful.
  - `true`
- `result: optional unknown`

### Example

```http
curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID \
  -X DELETE \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
```

#### Response

```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": { "pointer": "pointer" }
    }
  ],
  "success": true,
  "result": {}
}
```

## Domain Types

### Access User

- `AccessUser { id, active, displayName, 4 more }`
  - `id: optional string` The unique Cloudflare-generated Id of the SCIM resource.
  - `active: optional boolean` Determines the status of the SCIM User resource.
  - `displayName: optional string` The name of the SCIM User resource.
  - `emails: optional array of { primary, type, value }`
    - `primary: optional boolean` Indicates if the email address is the primary email belonging to the SCIM User resource.
    - `type: optional string` Indicates the type of the email address.
    - `value: optional string` The email address of the SCIM User resource.
  - `externalId: optional string` The IdP-generated Id of the SCIM resource.
  - `meta: optional { created, lastModified }` The metadata of the SCIM resource.
    - `created: optional string` The timestamp of when the SCIM resource was created.
    - `lastModified: optional string` The timestamp of when the SCIM resource was last modified.
  - `schemas: optional array of string` The list of URIs which indicate the attributes contained within a SCIM resource.

### User List Response

- `UserListResponse { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### User Get Response

- `UserGetResponse { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### User Create Response

- `UserCreateResponse { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### User Update Response

- `UserUpdateResponse { id, access_seat, active_device_count, 8 more }`
  - `id: optional string` UUID.
  - `access_seat: optional boolean` True if the user has authenticated with Cloudflare Access.
  - `active_device_count: optional number` The number of active devices registered to the user.
  - `created_at: optional string`
  - `email: optional string` The email of the user.
  - `gateway_seat: optional boolean` True if the user has logged into the WARP client.
  - `last_successful_login: optional string` The time at which the user last successfully logged in.
  - `name: optional string` The name of the user.
  - `seat_uid: optional string` The unique API identifier for the Zero Trust seat.
  - `uid: optional string` The unique API identifier for the user.
  - `updated_at: optional string`

### User Delete Response

- `UserDeleteResponse = unknown`

# Active Sessions

## Get active sessions

**get** `/accounts/{account_id}/access/users/{user_id}/active_sessions`

Get active sessions for a single user.

### Path Parameters

- `account_id: string` Identifier.
- `user_id: string` UUID.
### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of { expiration, metadata, name }` - `expiration: optional number` - `metadata: optional { apps, expires, iat, 2 more }` - `apps: optional map[ { hostname, name, type, uid } ]` - `hostname: optional string` - `name: optional string` - `type: optional string` - `uid: optional string` - `expires: optional number` - `iat: optional number` - `nonce: optional string` - `ttl: optional number` - `name: optional string` - `result_info: optional { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID/active_sessions \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "expiration": 1694813506, "metadata": { "apps": { "foo": { "hostname": "test.example.com", "name": "app name", "type": "self_hosted", "uid": "cc2a8145-0128-4429-87f3-872c4d380c4e" } }, "expires": 1694813506, "iat": 1694791905, "nonce": "X1aXj1lFVcqqyoXF", "ttl": 21600 }, "name": "name" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get single active session **get** `/accounts/{account_id}/access/users/{user_id}/active_sessions/{nonce}` Get an active session for a single user. ### Path Parameters - `account_id: string` Identifier. - `user_id: string` UUID. - `nonce: string` ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional { account_id, auth_status, common_name, 16 more }` - `account_id: optional string` - `auth_status: optional string` - `common_name: optional string` - `device_id: optional string` - `device_sessions: optional map[ { last_authenticated } ]` - `last_authenticated: optional number` - `devicePosture: optional map[ { id, check, data, 6 more } ]` - `id: optional string` - `check: optional { exists, path }` - `exists: optional boolean` - `path: optional string` - `data: optional unknown` - `description: optional string` - `error: optional string` - `rule_name: optional string` - `success: optional boolean` - `timestamp: optional string` - `type: optional string` - `email: optional string` - `geo: optional UserPolicyCheckGeo` - `country: optional string` - `iat: optional number` - `idp: optional { id, type }` - `id: optional string` - `type: optional string` - `ip: optional string` - `is_gateway: optional boolean` - `is_warp: optional boolean` - `isActive: optional boolean` - `mtls_auth: optional { auth_status, cert_issuer_dn, cert_issuer_ski, 2 more }` - `auth_status: optional string` - `cert_issuer_dn: optional string` - `cert_issuer_ski: optional string` - `cert_presented: optional boolean` - `cert_serial: optional string` - `service_token_id: optional string` - `service_token_status: optional boolean` - `user_uuid: optional string` - `version: optional number` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID/active_sessions/$NONCE \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "1234567890", "auth_status": "NONE", "common_name": "", "device_id": "", 
"device_sessions": { "foo": { "last_authenticated": 1638832687 } }, "devicePosture": { "foo": { "id": "id", "check": { "exists": true, "path": "path" }, "data": {}, "description": "description", "error": "error", "rule_name": "rule_name", "success": true, "timestamp": "timestamp", "type": "type" } }, "email": "test@cloudflare.com", "geo": { "country": "US" }, "iat": 1694791905, "idp": { "id": "id", "type": "type" }, "ip": "127.0.0.0", "is_gateway": false, "is_warp": false, "isActive": true, "mtls_auth": { "auth_status": "auth_status", "cert_issuer_dn": "cert_issuer_dn", "cert_issuer_ski": "cert_issuer_ski", "cert_presented": true, "cert_serial": "cert_serial" }, "service_token_id": "", "service_token_status": false, "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4", "version": 2 } } ``` ## Domain Types ### Active Session List Response - `ActiveSessionListResponse { expiration, metadata, name }` - `expiration: optional number` - `metadata: optional { apps, expires, iat, 2 more }` - `apps: optional map[ { hostname, name, type, uid } ]` - `hostname: optional string` - `name: optional string` - `type: optional string` - `uid: optional string` - `expires: optional number` - `iat: optional number` - `nonce: optional string` - `ttl: optional number` - `name: optional string` ### Active Session Get Response - `ActiveSessionGetResponse { account_id, auth_status, common_name, 16 more }` - `account_id: optional string` - `auth_status: optional string` - `common_name: optional string` - `device_id: optional string` - `device_sessions: optional map[ { last_authenticated } ]` - `last_authenticated: optional number` - `devicePosture: optional map[ { id, check, data, 6 more } ]` - `id: optional string` - `check: optional { exists, path }` - `exists: optional boolean` - `path: optional string` - `data: optional unknown` - `description: optional string` - `error: optional string` - `rule_name: optional string` - `success: optional boolean` - `timestamp: optional string` - `type: 
optional string` - `email: optional string` - `geo: optional UserPolicyCheckGeo` - `country: optional string` - `iat: optional number` - `idp: optional { id, type }` - `id: optional string` - `type: optional string` - `ip: optional string` - `is_gateway: optional boolean` - `is_warp: optional boolean` - `isActive: optional boolean` - `mtls_auth: optional { auth_status, cert_issuer_dn, cert_issuer_ski, 2 more }` - `auth_status: optional string` - `cert_issuer_dn: optional string` - `cert_issuer_ski: optional string` - `cert_presented: optional boolean` - `cert_serial: optional string` - `service_token_id: optional string` - `service_token_status: optional boolean` - `user_uuid: optional string` - `version: optional number` # Last Seen Identity ## Get last seen identity **get** `/accounts/{account_id}/access/users/{user_id}/last_seen_identity` Get last seen identity for a single user. ### Path Parameters - `account_id: string` Identifier. - `user_id: string` UUID. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. 
- `true` - `result: optional Identity` - `account_id: optional string` - `auth_status: optional string` - `common_name: optional string` - `device_id: optional string` - `device_sessions: optional map[ { last_authenticated } ]` - `last_authenticated: optional number` - `devicePosture: optional map[ { id, check, data, 6 more } ]` - `id: optional string` - `check: optional { exists, path }` - `exists: optional boolean` - `path: optional string` - `data: optional unknown` - `description: optional string` - `error: optional string` - `rule_name: optional string` - `success: optional boolean` - `timestamp: optional string` - `type: optional string` - `email: optional string` - `geo: optional UserPolicyCheckGeo` - `country: optional string` - `iat: optional number` - `idp: optional { id, type }` - `id: optional string` - `type: optional string` - `ip: optional string` - `is_gateway: optional boolean` - `is_warp: optional boolean` - `mtls_auth: optional { auth_status, cert_issuer_dn, cert_issuer_ski, 2 more }` - `auth_status: optional string` - `cert_issuer_dn: optional string` - `cert_issuer_ski: optional string` - `cert_presented: optional boolean` - `cert_serial: optional string` - `service_token_id: optional string` - `service_token_status: optional boolean` - `user_uuid: optional string` - `version: optional number` ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID/last_seen_identity \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "account_id": "1234567890", "auth_status": "NONE", "common_name": "", "device_id": "", "device_sessions": { "foo": { "last_authenticated": 1638832687 } }, 
"devicePosture": { "foo": { "id": "id", "check": { "exists": true, "path": "path" }, "data": {}, "description": "description", "error": "error", "rule_name": "rule_name", "success": true, "timestamp": "timestamp", "type": "type" } }, "email": "test@cloudflare.com", "geo": { "country": "US" }, "iat": 1694791905, "idp": { "id": "id", "type": "type" }, "ip": "127.0.0.0", "is_gateway": false, "is_warp": false, "mtls_auth": { "auth_status": "auth_status", "cert_issuer_dn": "cert_issuer_dn", "cert_issuer_ski": "cert_issuer_ski", "cert_presented": true, "cert_serial": "cert_serial" }, "service_token_id": "", "service_token_status": false, "user_uuid": "57cf8cf2-f55a-4588-9ac9-f5e41e9f09b4", "version": 2 } } ``` ## Domain Types ### Identity - `Identity { account_id, auth_status, common_name, 15 more }` - `account_id: optional string` - `auth_status: optional string` - `common_name: optional string` - `device_id: optional string` - `device_sessions: optional map[ { last_authenticated } ]` - `last_authenticated: optional number` - `devicePosture: optional map[ { id, check, data, 6 more } ]` - `id: optional string` - `check: optional { exists, path }` - `exists: optional boolean` - `path: optional string` - `data: optional unknown` - `description: optional string` - `error: optional string` - `rule_name: optional string` - `success: optional boolean` - `timestamp: optional string` - `type: optional string` - `email: optional string` - `geo: optional UserPolicyCheckGeo` - `country: optional string` - `iat: optional number` - `idp: optional { id, type }` - `id: optional string` - `type: optional string` - `ip: optional string` - `is_gateway: optional boolean` - `is_warp: optional boolean` - `mtls_auth: optional { auth_status, cert_issuer_dn, cert_issuer_ski, 2 more }` - `auth_status: optional string` - `cert_issuer_dn: optional string` - `cert_issuer_ski: optional string` - `cert_presented: optional boolean` - `cert_serial: optional string` - `service_token_id: optional string` 
- `service_token_status: optional boolean` - `user_uuid: optional string` - `version: optional number` # Failed Logins ## Get failed logins **get** `/accounts/{account_id}/access/users/{user_id}/failed_logins` Get all failed login attempts for a single user. ### Path Parameters - `account_id: string` Identifier. - `user_id: string` UUID. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of { expiration, metadata }` - `expiration: optional number` - `metadata: optional unknown` - `result_info: optional { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. 
### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users/$USER_ID/failed_logins \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "expiration": 0, "metadata": { "app_name": "Test App", "aud": "39691c1480a2352a18ece567debc2b32552686cbd38eec0887aa18d5d3f00c04", "datetime": "2022-02-02T21:54:34.914Z", "ray_id": "6d76a8a42ead4133", "user_email": "test@cloudflare.com", "user_uuid": "57171132-e453-4ee8-b2a5-8cbaad333207" } } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Domain Types ### Failed Login List Response - `FailedLoginListResponse { expiration, metadata }` - `expiration: optional number` - `metadata: optional unknown` # Custom Pages ## List custom pages **get** `/accounts/{account_id}/access/custom_pages` List custom pages ### Path Parameters - `account_id: string` Identifier. ### Query Parameters - `page: optional number` Page number of results. - `per_page: optional number` Number of results per page. ### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional array of CustomPageWithoutHTML` - `name: string` Custom page name. - `type: "identity_denied" or "forbidden"` Custom page type. 
- `"identity_denied"` - `"forbidden"` - `uid: optional string` UUID. - `result_info: optional { count, page, per_page, 2 more }` - `count: optional number` Total number of results for the requested service. - `page: optional number` Current page within paginated list of results. - `per_page: optional number` Number of results per page of results. - `total_count: optional number` Total results available without any search parameters. - `total_pages: optional number` The number of total pages in the entire result set. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/custom_pages \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": [ { "name": "name", "type": "identity_denied", "app_count": 0, "created_at": "2014-01-01T05:20:00.12345Z", "uid": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415", "updated_at": "2014-01-01T05:20:00.12345Z" } ], "result_info": { "count": 1, "page": 1, "per_page": 20, "total_count": 2000, "total_pages": 100 } } ``` ## Get a custom page **get** `/accounts/{account_id}/access/custom_pages/{custom_page_id}` Fetches a custom page and also returns its HTML. ### Path Parameters - `account_id: string` Identifier. - `custom_page_id: string` UUID. 
### Returns - `errors: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `messages: array of { code, message, documentation_url, source }` - `code: number` - `message: string` - `documentation_url: optional string` - `source: optional { pointer }` - `pointer: optional string` - `success: true` Whether the API call was successful. - `true` - `result: optional CustomPage` - `custom_html: string` Custom page HTML. - `name: string` Custom page name. - `type: "identity_denied" or "forbidden"` Custom page type. - `"identity_denied"` - `"forbidden"` - `uid: optional string` UUID. ### Example ```http curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/custom_pages/$CUSTOM_PAGE_ID \ -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" ``` #### Response ```json { "errors": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "messages": [ { "code": 1000, "message": "message", "documentation_url": "documentation_url", "source": { "pointer": "pointer" } } ], "success": true, "result": { "custom_html": "