Add an Access application
Adds a new application to Access.
Security
API Token
The preferred authorization scheme for interacting with the Cloudflare API. Create a token.
Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYYAPI
Email + API Key
The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key. When possible, use API tokens instead of Global API keys.
X-Auth-Email: user@example.com
X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Apps and Policies Write
Path Parameters
Body Parameters (JSON)
body: object { domain, type, allow_authenticate_via_warp, 28 more } or object { allowed_idps, app_launcher_visible, auto_redirect_to_identity, 8 more } or object { domain, type, allow_authenticate_via_warp, 28 more } or 10 more
Contains the targets secured by the application.
SelfHostedApplication = object { domain, type, allow_authenticate_via_warp, 28 more }
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: optional CORSHeaders { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type }
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri }
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp"
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration }
Configures multi-factor authentication (MFA) settings.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant }
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled }
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more }
The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessAppPolicyLink = object { id, precedence }
A JSON object that links a reusable policy to an application.
object { id, approval_groups, approval_required, 7 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid }
Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp }
The rules that define how users may connect to targets secured by your application.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration }
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more }
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user }
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme }
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more }
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme }
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme }
Multiple authentication schemes; each item is one of the four schemes listed above.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update }
Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough"
The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
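The constraints this reference states for a SelfHostedApplication body (single IdP when auto_redirect_to_identity is on, options_preflight_bypass versus cors_headers, the session_duration grammar, unique policy precedence, destinations superseding self_hosted_domains) can be checked locally before the request is sent. The following is an added example, not Cloudflare's code: it validates a constructed body, flags the cookie protections the reference describes when they are left off, and assembles the POST with the API Token scheme. The field names for settings the page describes only in prose (enable_binding_cookie, http_only_cookie_attribute, same_site_cookie_attribute, options_preflight_bypass, session_duration), the enum values "self_hosted" and "public", and the endpoint path are assumptions taken from the public API schema rather than from this page.

```python
# Added example, not Cloudflare's code; field names for prose-only settings, the
# enum values "self_hosted"/"public" and the endpoint path are assumed.
import re

# session_duration grammar from the reference: "300ms" or "2h45m";
# valid units are ns, us (or µs), ms, s, m, h.
_UNIT_NS = {"ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
            "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
# Alternation order matters: "ms" must be tried before "m", "ns" before "s".
_PART = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration(text):
    """Return the duration in nanoseconds; raise ValueError if malformed."""
    if not text:
        raise ValueError("empty duration")
    pos, total = 0, 0
    while pos < len(text):
        m = _PART.match(text, pos)
        if not m:
            raise ValueError(f"bad duration {text!r} at offset {pos}")
        total += int(float(m.group(1)) * _UNIT_NS[m.group(2)])
        pos = m.end()
    return total


def validate_app(body):
    """Return violations of the constraints the reference states; [] means clean."""
    errors = []
    # "You must specify only one identity provider in allowed_idps."
    if body.get("auto_redirect_to_identity") and len(body.get("allowed_idps") or []) != 1:
        errors.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")
    # "Cannot turn on if cors_headers is set."
    if body.get("options_preflight_bypass") and body.get("cors_headers") is not None:
        errors.append("options_preflight_bypass cannot be enabled together with cors_headers")
    # "If destinations are provided, then self_hosted_domains will be ignored."
    if body.get("destinations") and body.get("self_hosted_domains"):
        errors.append("self_hosted_domains is ignored because destinations is provided")
    # "Must be in the format 300ms or 2h45m"; unsupported for infrastructure apps.
    duration = body.get("session_duration")
    if duration is not None and body.get("type") == "infrastructure":
        errors.append("session_duration is unsupported for infrastructure applications")
    elif duration is not None:
        try:
            parse_duration(duration)
        except ValueError as exc:
            errors.append(f"session_duration: {exc}")
    # "Must be unique for each policy within an app."
    seen = set()
    for policy in body.get("policies") or []:
        prec = policy.get("precedence") if isinstance(policy, dict) else None
        if prec is None:
            continue
        if prec in seen:
            errors.append(f"duplicate policy precedence {prec}")
        seen.add(prec)
    return errors


def hardening_gaps(body):
    """Cookie protections the reference offers that this body leaves switched off."""
    gaps = []
    if not body.get("enable_binding_cookie"):
        gaps.append("enable_binding_cookie off: weaker against stolen tokens and CSRF")
    if not body.get("http_only_cookie_attribute"):
        gaps.append("http_only_cookie_attribute off: cookie readable by script (XSS)")
    if not body.get("same_site_cookie_attribute"):
        gaps.append("same_site_cookie_attribute unset: no SameSite CSRF protection")
    return gaps


def build_request(account_id, api_token, body):
    """Assemble the POST using the preferred API Token scheme (Authorization: Bearer)."""
    return {
        "method": "POST",
        # Endpoint path is an assumption; this page does not state it.
        "url": f"https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps",
        "headers": {"Authorization": f"Bearer {api_token}",
                    "Content-Type": "application/json"},
        "json": body,
    }


# Constructed sample body; the IDs are placeholders, not real identifiers.
EXAMPLE_APP = {
    "type": "self_hosted", "name": "internal-admin", "domain": "admin.example.com",
    "destinations": [{"type": "public", "uri": "admin.example.com/*"}],
    "allowed_idps": ["<IDP_ID_PLACEHOLDER>"], "auto_redirect_to_identity": True,
    "session_duration": "2h45m",
    "enable_binding_cookie": True, "http_only_cookie_attribute": True,
    "same_site_cookie_attribute": "strict",
    "policies": [{"id": "<POLICY_ID_PLACEHOLDER>", "precedence": 1}],
}

if __name__ == "__main__":
    issues = validate_app(EXAMPLE_APP) + hardening_gaps(EXAMPLE_APP)
    print("\n".join(issues) or build_request("<ACCOUNT_ID>", "<API_TOKEN>", EXAMPLE_APP)["url"])
```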
SaaSApplication = object { allowed_idps, app_launcher_visible, auto_redirect_to_identity, 8 more }
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom pages that will be displayed when applicable for this application.
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more }
The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. The AccessAppPolicyLink and inline policy object fields are the same as those listed under SelfHostedApplication above.
saas_app: optional SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more } or OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }
SAMLSaaSApp = object { auth_type, consumer_service_url, custom_attributes, 8 more }
auth_type: optional "saml" or "oidc"
Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is "saml".
The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
custom_attributes: optional array of object { friendly_name, name, name_format, 2 more }
The URL that the user will be redirected to after a successful login for IDP initiated logins.
A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
A JSONata (https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
OIDCSaaSApp = object { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }
The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
If client secret should be required on the token endpoint when authorization_code_with_pkce grant is used.
auth_type: optional "saml" or "oidc"
Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
custom_claims: optional array of object { name, required, scope, source }
grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more
The OIDC flows supported by this application.
A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
hybrid_and_implicit_options: optional object { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }
The permitted URLs to which Cloudflare may return authorization codes and access/ID tokens.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more }
Configuration for provisioning to this application via SCIM. This is currently in closed beta. The fields of scim_config are the same as those listed under SelfHostedApplication above.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
BrowserSSHApplication = object { domain, type, allow_authenticate_via_warp, 28 more }
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: optional CORSHeaders { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type } List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri } A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp"The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant } Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled } Settings for OAuth dynamic client registration.
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more } The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessAppPolicyLink = object { id, precedence } A JSON that links a reusable policy to an application.
A JSON that links a reusable policy to an application.
object { id, approval_groups, approval_required, 7 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The rules that define how users may connect to targets secured by your application.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more. One of the SCIM authentication schemes listed below.
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme } Multiple authentication schemes; each array element is one of the four schemes listed above.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
BrowserVNCApplication = object { domain, type, allow_authenticate_via_warp, 28 more }
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: optional CORSHeaders { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type } List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri } A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp" The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant } Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled } Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more } The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessAppPolicyLink = object { id, precedence } A JSON object that links a reusable policy to an application.
object { id, approval_groups, approval_required, 7 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more. One of the SCIM authentication schemes listed below.
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme } Multiple authentication schemes; each array element is one of the four schemes listed above.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
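As an added example that is not part of the Cloudflare reference, the following Python checks a self-hosted or browser VNC application body against constraints this reference states: the session_duration format, auto_redirect_to_identity needing exactly one entry in allowed_idps, destinations superseding self_hosted_domains, the preflight-bypass option being incompatible with cors_headers, and policy precedence being unique. The key name options_preflight_bypass is assumed, and the sample body uses constructed placeholder identifiers.

```python
import re

# Added example, not Cloudflare's code. Go-style duration grammar the
# reference gives for session_duration: one or more <integer><unit> pairs,
# e.g. "300ms" or "2h45m", with units ns, us (or µs), ms, s, m, h.
_NS_PER_UNIT = {
    "ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
    "s": 1_000_000_000, "m": 60 * 1_000_000_000, "h": 3600 * 1_000_000_000,
}
# Multi-letter units are listed before their single-letter prefixes so
# "ms" is not consumed as "m" followed by a stray "s".
_PART = re.compile(r"(\d+)(ns|us|µs|ms|s|m|h)")


def parse_session_duration(value: str) -> int:
    """Return the duration in nanoseconds, or raise ValueError if malformed."""
    if not value:
        raise ValueError("session_duration is empty")
    pos, total = 0, 0
    while pos < len(value):
        m = _PART.match(value, pos)
        if m is None:
            raise ValueError(f"session_duration {value!r}: bad token at offset {pos}")
        total += int(m.group(1)) * _NS_PER_UNIT[m.group(2)]
        pos = m.end()
    return total


def validate_application(body: dict) -> list[str]:
    """Collect problems worth fixing before POSTing the body to Access."""
    problems: list[str] = []

    if "session_duration" in body:
        try:
            parse_session_duration(body["session_duration"])
        except ValueError as exc:
            problems.append(str(exc))

    # auto_redirect_to_identity skips IdP selection, so exactly one IdP is needed.
    if body.get("auto_redirect_to_identity") and len(body.get("allowed_idps") or []) != 1:
        problems.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")

    # destinations supersedes the deprecated self_hosted_domains.
    if body.get("self_hosted_domains"):
        if body.get("destinations"):
            problems.append("self_hosted_domains is ignored because destinations is set")
        else:
            problems.append("self_hosted_domains is deprecated; move these entries to destinations")

    # Assumed key name for the preflight bypass option, which the reference
    # says cannot be enabled together with cors_headers.
    if body.get("options_preflight_bypass") and body.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be enabled when cors_headers is set")

    # Policy precedence must be unique within an application.
    seen: set = set()
    for policy in body.get("policies") or []:
        if isinstance(policy, dict) and "precedence" in policy:
            if policy["precedence"] in seen:
                problems.append(f"duplicate policy precedence {policy['precedence']}")
            seen.add(policy["precedence"])

    return problems


# Constructed sample body (placeholder identifiers, not real account data).
SAMPLE_BODY = {
    "type": "self_hosted",
    "domain": "app.example.com",
    "session_duration": "2h45m",
    "allowed_idps": ["idp-placeholder-1", "idp-placeholder-2"],
    "auto_redirect_to_identity": True,
    "destinations": [{"type": "public", "uri": "app.example.com/*"}],
    "self_hosted_domains": ["app.example.com"],
    "policies": [
        {"id": "policy-placeholder-a", "precedence": 1},
        {"id": "policy-placeholder-b", "precedence": 1},
    ],
}

if __name__ == "__main__":
    for problem in validate_application(SAMPLE_BODY):
        print("-", problem)
```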
AppLauncherApplication = object { type, allowed_idps, app_launcher_logo_url, 13 more }
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
landing_page_design: optional object { button_color, button_text_color, image_url, 2 more } The design of the App Launcher landing page shown to users when they log in.
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more } The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessAppPolicyLink = object { id, precedence } A JSON object that links a reusable policy to an application.
object { id, approval_groups, approval_required, 7 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
DeviceEnrollmentPermissionsApplication = object { type, allowed_idps, auto_redirect_to_identity, 7 more }
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more } The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessAppPolicyLink = object { id, precedence } A JSON object that links a reusable policy to an application.
object { id, approval_groups, approval_required, 7 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
BrowserIsolationPermissionsApplication = object { type, allowed_idps, auto_redirect_to_identity, 7 more }
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more } The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessAppPolicyLink = object { id, precedence } A JSON object that links a reusable policy to an application.
object { id, approval_groups, approval_required, 7 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
GatewayIdentityProxyEndpointApplication = object { type, allowed_idps, auto_redirect_to_identity, 7 more }
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more } The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessAppPolicyLink = object { id, precedence } A JSON object that links a reusable policy to an application.
object { id, approval_groups, approval_required, 7 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
BookmarkApplication = object { app_launcher_visible, domain, logo_url, 4 more }
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more } The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessAppPolicyLink = object { id, precedence } A JSON object that links a reusable policy to an application.
object { id, approval_groups, approval_required, 7 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
InfrastructureApplication = object { target_criteria, type, name, policies }
target_criteria: array of object { port, protocol, target_attributes }
policies: optional array of object { decision, include, name, 3 more } The policies that Access applies to the application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
connection_rules: optional object { ssh } The rules that define how users may connect to the targets secured by your application.
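Policy rule evaluation for infrastructure applications, as an added Python example that is not Cloudflare's code: it applies the include (OR), exclude (NOT) and require (AND) semantics this reference states to a constructed policy and constructed request contexts, and rejects any decision other than allow, as the reference requires for infrastructure policies. The context keys (amr, service_token_valid, posture_passed, github_orgs) and the inner keys of the device_posture and github-organization rules are assumptions made for the demonstration.

```python
from typing import Any

# Added example, not Cloudflare's code. Evaluates an infrastructure policy's
# rule lists the way the reference describes them: include is OR-ed, exclude
# is NOT-ed, require is AND-ed. Context keys and the inner keys of the
# device_posture and github-organization rules are assumptions for this demo.


def match_rule(rule: dict[str, Any], ctx: dict[str, Any]) -> bool:
    """Return True if one rule object matches the request context."""
    if "any_valid_service_token" in rule:
        return bool(ctx.get("service_token_valid"))
    if "auth_method" in rule:
        # RFC 8176 "amr" values, e.g. "mfa", "hwk", "otp" (assumed ctx key).
        return rule["auth_method"]["auth_method"] in ctx.get("amr", [])
    if "device_posture" in rule:
        # Assumed inner key and ctx key: UIDs of posture checks that passed.
        return rule["device_posture"]["integration_uid"] in ctx.get("posture_passed", set())
    if "github-organization" in rule:
        # Assumed inner key and ctx key: organization names the user belongs to.
        return rule["github-organization"]["name"] in ctx.get("github_orgs", [])
    # Fail closed on shapes this demo does not model: a rule that silently
    # never matches would make an exclude list ineffective.
    raise ValueError(f"unsupported rule shape: {sorted(rule)}")


def evaluate_infrastructure_policy(policy: dict[str, Any], ctx: dict[str, Any]) -> tuple[bool, str]:
    """Return (matched, reason) for one policy against one request context."""
    if policy.get("decision") != "allow":
        return False, "infrastructure policies can only use the allow decision"

    include = policy.get("include") or []
    if not include:
        return False, "no include rules, so nothing can match"
    if not any(match_rule(r, ctx) for r in include):
        return False, "no include rule matched (include is OR)"
    if any(match_rule(r, ctx) for r in policy.get("exclude") or []):
        return False, "an exclude rule matched (exclude is NOT)"
    if not all(match_rule(r, ctx) for r in policy.get("require") or []):
        return False, "a require rule did not match (require is AND)"
    return True, "allow"


# Constructed policy: MFA users or valid service tokens, minus one GitHub
# organization, and only from devices that passed a posture check.
SAMPLE_POLICY = {
    "name": "ssh-admins",
    "decision": "allow",
    "include": [
        {"any_valid_service_token": {}},
        {"auth_method": {"auth_method": "mfa"}},
    ],
    "exclude": [{"github-organization": {"name": "contractors-placeholder"}}],
    "require": [{"device_posture": {"integration_uid": "posture-placeholder"}}],
}

# Constructed request contexts covering each branch of the evaluation.
CONTEXTS = {
    "mfa_user_ok": {"amr": ["pwd", "mfa"], "posture_passed": {"posture-placeholder"}},
    "password_only": {"amr": ["pwd"], "posture_passed": {"posture-placeholder"}},
    "excluded_org": {"amr": ["mfa"], "github_orgs": ["contractors-placeholder"],
                     "posture_passed": {"posture-placeholder"}},
    "bad_posture": {"service_token_valid": True, "posture_passed": set()},
}

if __name__ == "__main__":
    for name, ctx in CONTEXTS.items():
        print(name, evaluate_infrastructure_policy(SAMPLE_POLICY, ctx))
```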
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token
Matches any valid Access Service Token
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options
Enforce different MFA options
auth_method: object { auth_method }
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces a device posture rule has run successfully
Enforces a device posture rule has run successfully
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization.
Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context.
Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization.
Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
BrowserRDPApplication = object { domain, target_criteria, type, 29 more } Contains the targets secured by the application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
target_criteria: array of object { port, protocol, target_attributes }
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: optional CORSHeaders { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type } List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri } A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp" The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant } Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled } Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT is scoped to the hostname by default.
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more } The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessAppPolicyLink = object { id, precedence } A JSON that links a reusable policy to an application.
object { id, approval_groups, approval_required, 7 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme } Multiple authentication schemes.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
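As an added example (not Cloudflare's code), a small Python linter that checks a request body against the constraints this reference states before it is POSTed: exactly one IdP when auto_redirect_to_identity is set, no OPTIONS preflight bypass alongside cors_headers, self_hosted_domains silently ignored when destinations is set, tcp/udp only for l4_protocol, unique policy precedence, and a Go-style session_duration. Key names and enum values the page describes but does not spell out (session_duration, auto_redirect_to_identity, options_preflight_bypass, http_only_cookie_attribute, same_site_cookie_attribute, the type values self_hosted and infrastructure, the destination types public and private) are assumed from the Cloudflare API and should be checked against the schema.

```python
"""Pre-flight linter for an Access application request body (added example).

Assumed key names (not spelled out on the reference page): session_duration,
auto_redirect_to_identity, options_preflight_bypass, http_only_cookie_attribute,
same_site_cookie_attribute; assumed enum values: type "self_hosted" /
"infrastructure", destination type "public" / "private".
"""
import re
from typing import Any

# Go-style duration units the reference lists: ns, us (or µs), ms, s, m, h.
_UNIT_NS = {"ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
            "s": 10**9, "m": 60 * 10**9, "h": 3600 * 10**9}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_duration_ns(text: str) -> int:
    """Parse "300ms" / "2h45m" style durations; raise ValueError if malformed."""
    pos, total = 0, 0.0
    for m in _DURATION_RE.finditer(text):
        if m.start() != pos:          # gap between components -> malformed
            break
        total += float(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad session_duration {text!r}")
    return int(total)


def lint_app(body: dict[str, Any]) -> list[str]:
    """Return constraint violations; an empty list means the body is consistent."""
    problems: list[str] = []
    # auto_redirect_to_identity requires exactly one entry in allowed_idps.
    if body.get("auto_redirect_to_identity") and len(body.get("allowed_idps", [])) != 1:
        problems.append("auto_redirect_to_identity requires exactly one allowed_idps entry")
    # OPTIONS preflight bypass cannot be turned on while cors_headers is set.
    if body.get("options_preflight_bypass") and body.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be on when cors_headers is set")
    # destinations supersedes self_hosted_domains; flag the silently ignored field.
    if body.get("destinations") and body.get("self_hosted_domains"):
        problems.append("self_hosted_domains is ignored because destinations is set")
    # Private destinations: l4_protocol, when present, must be tcp or udp.
    for dest in body.get("destinations", []):
        proto = dest.get("l4_protocol")
        if proto is not None and proto not in ("tcp", "udp"):
            problems.append(f"destination {dest.get('hostname', dest.get('cidr'))!r}: "
                            f"l4_protocol must be tcp or udp, got {proto!r}")
    # Policy precedence must be unique within the app.
    seen: set[int] = set()
    for pol in body.get("policies", []):
        if isinstance(pol, dict) and "precedence" in pol:
            if pol["precedence"] in seen:
                problems.append(f"duplicate policy precedence {pol['precedence']}")
            seen.add(pol["precedence"])
    # session_duration: Go-style duration, unsupported for infrastructure apps.
    sd = body.get("session_duration")
    if sd is not None:
        if body.get("type") == "infrastructure":
            problems.append("session_duration is unsupported for infrastructure applications")
        else:
            try:
                parse_duration_ns(sd)
            except ValueError as exc:
                problems.append(str(exc))
    # Cookie hardening the reference offers: HttpOnly (XSS) and SameSite (CSRF).
    if not body.get("http_only_cookie_attribute", False):
        problems.append("http_only_cookie_attribute is not enabled (XSS hardening)")
    if body.get("same_site_cookie_attribute") not in ("strict", "lax"):
        problems.append("same_site_cookie_attribute is not strict or lax (CSRF hardening)")
    return problems


# Constructed sample bodies (not a real account's configuration).
SAMPLE_BODY: dict[str, Any] = {
    "type": "self_hosted",
    "domain": "app.example.com",
    "destinations": [
        {"type": "public", "uri": "app.example.com/admin/*"},
        {"type": "private", "hostname": "db.internal.example", "l4_protocol": "sctp"},
    ],
    "self_hosted_domains": ["app.example.com"],
    "allowed_idps": ["idp-1", "idp-2"],
    "auto_redirect_to_identity": True,
    "cors_headers": {"allow_all_origins": True},
    "options_preflight_bypass": True,
    "session_duration": "2h45m",
    "policies": [{"id": "policy-a", "precedence": 1}, {"id": "policy-b", "precedence": 1}],
    "http_only_cookie_attribute": True,
    "same_site_cookie_attribute": "strict",
}
CLEAN_BODY: dict[str, Any] = {
    "type": "self_hosted",
    "domain": "app.example.com",
    "destinations": [{"type": "public", "uri": "app.example.com/*"}],
    "allowed_idps": ["idp-1"],
    "auto_redirect_to_identity": True,
    "session_duration": "24h",
    "policies": [{"id": "policy-a", "precedence": 1}, {"id": "policy-b", "precedence": 2}],
    "http_only_cookie_attribute": True,
    "same_site_cookie_attribute": "lax",
}

if __name__ == "__main__":
    for problem in lint_app(SAMPLE_BODY):
        print("SAMPLE_BODY:", problem)      # five violations for the constructed body
    print("CLEAN_BODY problems:", lint_app(CLEAN_BODY))
```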
McpServerApplication = object { type, allow_authenticate_via_warp, allowed_idps, 16 more }
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type } List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri } A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp" The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant } Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled } Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more } The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessAppPolicyLink = object { id, precedence } A JSON that links a reusable policy to an application.
object { id, approval_groups, approval_required, 7 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme } Multiple authentication schemes.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. 'Strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
McpServerPortalApplication = object { type, allow_authenticate_via_warp, allowed_idps, 17 more }
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type } List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri } A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp" The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant } Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled } Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
policies: optional array of object { id, precedence } or string or object { id, approval_groups, approval_required, 7 more } The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.
AccessAppPolicyLink = object { id, precedence } A JSON that links a reusable policy to an application.
object { id, approval_groups, approval_required, 7 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme } Multiple authentication schemes
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
Returns
result: optional object { domain, type, id, 30 more } or object { id, allowed_idps, app_launcher_visible, 10 more } or object { domain, type, id, 30 more } or 10 more
SelfHostedApplication = object { domain, type, id, 30 more }
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: optional CORSHeaders { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type } List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri } A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp" The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant } Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled } Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options
auth_method: object { auth_method }
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options
auth_method: object { auth_method }
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options
auth_method: object { auth_method }
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
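The Include / Exclude / Require combinators described above (OR, NOT, AND), the per-policy decision and the unique precedence are enough to write a small policy evaluator. The following is an added example, not Cloudflare's code: it models only the `any_valid_service_token` and `auth_method` rule shapes shown in the schema, assumes that policies are tried in ascending precedence with the first match deciding, and uses a constructed `Identity` class as a stand-in for the request context.

```python
"""Evaluate Access policy rule lists with the semantics the reference states.

Added example, not Cloudflare's code. Include is an OR (meet any rule),
Exclude is a NOT (meet none), Require is an AND (meet all); every policy
carries a `decision` and a `precedence` that must be unique within the app.
ASSUMPTION: policies are tried in ascending precedence and the first match
decides. Only `any_valid_service_token` and `auth_method` rules are modelled.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    """Constructed request context (not an Access token format)."""
    service_token_valid: bool = False
    amr: tuple = ()  # RFC 8176 authentication method references, e.g. ("pwd", "mfa")


def rule_matches(rule: dict, ident: Identity) -> bool:
    """Match one rule object against the identity.

    Rule types this example does not model (device_posture, gsuite, ...) are
    treated as NOT matched: failing closed is the safe default for a policy
    engine, because an unknown rule then can never widen access.
    """
    if "any_valid_service_token" in rule:
        return ident.service_token_valid
    if "auth_method" in rule:
        return rule["auth_method"]["auth_method"] in ident.amr
    return False


def policy_matches(policy: dict, ident: Identity) -> bool:
    """Include (OR) and not Exclude (NOT) and Require (AND)."""
    include = policy.get("include", [])
    exclude = policy.get("exclude", [])
    require = policy.get("require", [])
    if not any(rule_matches(r, ident) for r in include):
        return False  # an empty Include list matches nobody
    if any(rule_matches(r, ident) for r in exclude):
        return False
    return all(rule_matches(r, ident) for r in require)  # vacuously true if empty


def has_unique_precedence(policies: list) -> bool:
    """The schema requires precedence to be unique for each policy within an app."""
    seen = [p["precedence"] for p in policies]
    return len(seen) == len(set(seen))


def evaluate(policies: list, ident: Identity) -> Optional[str]:
    """Return the decision of the first matching policy, or None when none match."""
    if not has_unique_precedence(policies):
        raise ValueError("precedence must be unique for each policy within an app")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, ident):
            return policy["decision"]
    return None


# Constructed sample: a service-token policy that runs first, then a human
# policy that accepts password or hardware-key logins, insists on MFA, and
# refuses sessions in which SMS was one of the methods used.
SAMPLE_POLICIES = [
    {
        "precedence": 2,
        "decision": "allow",
        "include": [
            {"auth_method": {"auth_method": "pwd"}},
            {"auth_method": {"auth_method": "hwk"}},
        ],
        "exclude": [{"auth_method": {"auth_method": "sms"}}],
        "require": [{"auth_method": {"auth_method": "mfa"}}],
    },
    {
        "precedence": 1,
        "decision": "non_identity",
        "include": [{"any_valid_service_token": {}}],
    },
]

if __name__ == "__main__":
    for ident in (Identity(service_token_valid=True),
                  Identity(amr=("pwd", "mfa")),
                  Identity(amr=("pwd", "mfa", "sms")),
                  Identity(amr=("pwd",))):
        print(ident, "->", evaluate(SAMPLE_POLICIES, ident))
```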
Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme } Multiple authentication schemes
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
SaaSApplication = object { id, allowed_idps, app_launcher_visible, 10 more }
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom pages that will be displayed when applicable for this application.
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options
auth_method: object { auth_method }
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options
auth_method: object { auth_method }
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options
auth_method: object { auth_method }
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
saas_app: optional SAMLSaaSApp { auth_type, consumer_service_url, custom_attributes, 8 more } or OIDCSaaSApp { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }
SAMLSaaSApp = object { auth_type, consumer_service_url, custom_attributes, 8 more }
auth_type: optional "saml" or "oidc" Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset.
The service provider's endpoint that is responsible for receiving and parsing a SAML assertion.
custom_attributes: optional array of object { friendly_name, name, name_format, 2 more }
The URL that the user will be redirected to after a successful login for IDP initiated logins.
A JSONata expression that transforms an application's user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
A JSONata (https://jsonata.org/) expression that transforms an application's user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
OIDCSaaSApp = object { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 11 more }
The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
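The two duration fields in this schema have different grammars: `session_duration` (described earlier for the self-hosted application) takes any of ns, us (or µs), ms, s, m, h in the "300ms" / "2h45m" form, while `access_token_lifetime` accepts only m and h and must fall between 1m and 24h. The following validator is an added example, not Cloudflare's code; it implements exactly those two rules, and the `5min`-style rejections in its tests are constructed inputs.

```python
"""Validate the duration strings the Access application schema accepts.

Added example, not Cloudflare's own code. It encodes two rules from the
reference: `session_duration` must look like "300ms" or "2h45m" with units
ns, us (or µs), ms, s, m, h; an OIDC SaaS app's `access_token_lifetime`
accepts only m and h and must lie between 1m and 24h inclusive.
"""
import re
from typing import FrozenSet, Optional

# Multiplier to nanoseconds for every unit the schema lists. Both the micro
# sign (U+00B5) and Greek mu (U+03BC) are accepted for "µs", since keyboards
# and copy-paste produce either.
_UNIT_NS = {
    "ns": 1,
    "us": 1_000,
    "µs": 1_000,
    "μs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3600 * 1_000_000_000,
}

# One "<number><unit>" component; longer unit names come first so that "ms"
# is not read as "m" followed by a stray "s".
_COMPONENT = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|μs|ms|s|m|h)")

_ALL_UNITS: FrozenSet[str] = frozenset(_UNIT_NS)


def parse_duration_ns(text: str, allowed_units: FrozenSet[str] = _ALL_UNITS) -> Optional[int]:
    """Parse a duration such as "2h45m" into nanoseconds.

    Returns None for an empty string, for any fragment the component pattern
    cannot consume (e.g. "5min", "1d"), or for a unit outside allowed_units.
    """
    if not text:
        return None
    pos = 0
    total = 0.0
    while pos < len(text):
        m = _COMPONENT.match(text, pos)
        if m is None:
            return None
        value, unit = m.groups()
        if unit not in allowed_units:
            return None
        total += float(value) * _UNIT_NS[unit]
        pos = m.end()
    return int(total)


def valid_session_duration(text: str) -> bool:
    """`session_duration`: any listed unit, in the "300ms" / "2h45m" form."""
    return parse_duration_ns(text) is not None


_ONE_MINUTE_NS = _UNIT_NS["m"]
_ONE_DAY_NS = 24 * _UNIT_NS["h"]


def valid_access_token_lifetime(text: str) -> bool:
    """`access_token_lifetime`: only m and h, and 1m <= value <= 24h."""
    ns = parse_duration_ns(text, allowed_units=frozenset({"m", "h"}))
    return ns is not None and _ONE_MINUTE_NS <= ns <= _ONE_DAY_NS


if __name__ == "__main__":
    for candidate in ("2h45m", "300ms", "1d", "5min"):
        print(f"session_duration {candidate!r}: {valid_session_duration(candidate)}")
    for candidate in ("1m", "24h", "25h", "30s"):
        print(f"access_token_lifetime {candidate!r}: {valid_access_token_lifetime(candidate)}")
```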
Whether a client secret should be required on the token endpoint when the authorization_code_with_pkce grant is used.
auth_type: optional "saml" or "oidc" Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
custom_claims: optional array of object { name, required, scope, source }
grant_types: optional array of "authorization_code" or "authorization_code_with_pkce" or "refresh_tokens" or 2 more The OIDC flows supported by this application.
A regex to filter the Cloudflare groups returned in the ID token and from the userinfo endpoint.
hybrid_and_implicit_options: optional object { return_access_token_from_authorization_endpoint, return_id_token_from_authorization_endpoint }
The permitted URLs to which Cloudflare may return authorization codes and access/ID tokens.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme } Multiple authentication schemes.
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
BrowserSSHApplication = object { domain, type, id, 30 more }
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: optional CORSHeaders { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type } List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri } A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp" The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant } Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled } Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforces different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforces different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforces different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme } Multiple authentication schemes.
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
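As an added example (not Cloudflare's code), the script below lints a candidate request body for this endpoint against the constraints described above before it is sent: exactly one IdP when auto_redirect_to_identity is set, OPTIONS preflight bypass versus cors_headers, the session_duration and access_token_lifetime formats, unique policy precedence, Allow-only policies on infrastructure applications, and linked_app_token rules only with non_identity or bypass decisions, plus a check that the cookie hardening attributes are switched on. Field names not spelled out in the reference text (session_duration, precedence, decision, options_preflight_bypass, http_only_cookie_attribute, enable_binding_cookie, same_site_cookie_attribute, name, saas_app, and the inner rule keys integration_uid and app_uid) are assumed from the Cloudflare Access API, and both sample bodies are constructed with placeholder UUIDs.

```python
"""Lint a request body for the Add an Access application endpoint (added example).

Field names not spelled out in the reference are assumed from the Access API;
the sample bodies below are constructed and their UUIDs are placeholders."""
import re

# session_duration format: 300ms or 2h45m, with units ns, us (or µs), ms, s, m, h.
_DURATION_RE = re.compile(r"(?:\d+(?:\.\d+)?(?:ns|us|µs|ms|s|m|h))+")
# OIDC SaaS access_token_lifetime: units m or h, between 1m and 24h inclusive.
_TOKEN_LIFETIME_RE = re.compile(r"(\d+)([mh])")


def valid_session_duration(value: str) -> bool:
    """True if value is in the 300ms / 2h45m format the reference describes."""
    return _DURATION_RE.fullmatch(value) is not None


def valid_access_token_lifetime(value: str) -> bool:
    """True if value uses m/h units and lies within [1m, 24h]."""
    m = _TOKEN_LIFETIME_RE.fullmatch(value)
    if m is None:
        return False
    minutes = int(m.group(1)) * (60 if m.group(2) == "h" else 1)
    return 1 <= minutes <= 24 * 60


def lint_access_app(body: dict) -> list:
    """Return the documented constraints the body violates (empty list = clean)."""
    problems = []
    app_type = body.get("type")
    if body.get("auto_redirect_to_identity") and len(body.get("allowed_idps", [])) != 1:
        problems.append("auto_redirect_to_identity requires exactly one allowed_idps entry")
    if body.get("options_preflight_bypass") and body.get("cors_headers"):
        problems.append("options_preflight_bypass cannot be on when cors_headers is set")
    if "session_duration" in body:
        if app_type == "infrastructure":
            problems.append("session_duration is unsupported for infrastructure apps")
        elif not valid_session_duration(body["session_duration"]):
            problems.append("session_duration is not in 300ms / 2h45m format")
    if body.get("destinations") and body.get("self_hosted_domains"):
        problems.append("self_hosted_domains is deprecated and ignored with destinations")
    saas = body.get("saas_app") or {}
    if "access_token_lifetime" in saas and not valid_access_token_lifetime(saas["access_token_lifetime"]):
        problems.append("access_token_lifetime must use m/h units within 1m..24h")
    # The reference describes these cookie attributes as defences against XSS, CSRF and token replay.
    if app_type == "self_hosted":
        for attr in ("http_only_cookie_attribute", "enable_binding_cookie"):
            if not body.get(attr):
                problems.append(attr + " is not enabled")
    seen = set()
    for policy in body.get("policies", []):
        prec = policy.get("precedence")
        if prec in seen:
            problems.append("policy precedence %r is used more than once" % prec)
        seen.add(prec)
        decision = policy.get("decision")
        if app_type == "infrastructure" and decision != "allow":
            problems.append("infrastructure policies can only use the allow decision")
        for key in ("include", "require", "exclude"):
            for rule in policy.get(key, []):
                if "linked_app_token" in rule and decision not in ("non_identity", "bypass"):
                    problems.append("linked_app_token needs a non_identity or bypass decision")
    return problems


GOOD_BODY = {  # constructed: a hardened self-hosted app with two policies
    "name": "internal-wiki",
    "type": "self_hosted",
    "domain": "wiki.example.com",
    "destinations": [{"type": "public", "uri": "wiki.example.com/*"}],
    "allowed_idps": ["IDP-UUID-PLACEHOLDER"],
    "auto_redirect_to_identity": True,
    "session_duration": "2h45m",
    "http_only_cookie_attribute": True,
    "enable_binding_cookie": True,
    "same_site_cookie_attribute": "strict",
    "policies": [
        {"name": "staff-with-mfa", "decision": "allow", "precedence": 1,
         "include": [{"device_posture": {"integration_uid": "POSTURE-UUID-PLACEHOLDER"}}],
         "require": [{"auth_method": {"auth_method": "mfa"}}]},  # amr value from RFC 8176
        {"name": "ci-service-token", "decision": "non_identity", "precedence": 2,
         "include": [{"any_valid_service_token": {}}]},
    ],
}

BAD_BODY = {  # constructed: violates seven of the constraints checked above
    "name": "legacy-app",
    "type": "self_hosted",
    "allowed_idps": ["IDP-A-PLACEHOLDER", "IDP-B-PLACEHOLDER"],
    "auto_redirect_to_identity": True,
    "cors_headers": {"allow_all_origins": True},
    "options_preflight_bypass": True,
    "session_duration": "2 hours",
    "policies": [
        {"name": "everyone", "decision": "allow", "precedence": 1,
         "include": [{"any_valid_service_token": {}}]},
        {"name": "linked", "decision": "allow", "precedence": 1,
         "include": [{"linked_app_token": {"app_uid": "APP-UUID-PLACEHOLDER"}}]},
    ],
}
```

Running lint_access_app over GOOD_BODY returns an empty list, while BAD_BODY yields seven findings, one per violated constraint.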
BrowserVNCApplication = object { domain, type, id, 30 more }
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: optional CORSHeaders { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type } List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri } A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp" The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant } Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled } Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will be scoped to the hostname by default.
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforces different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforces different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token
Matches any valid Access Service Token
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context.
Requires an Azure identity provider.
Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options
Enforce different MFA options
auth_method: object { auth_method }
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces a device posture rule has run successfully
Enforces a device posture rule has run successfully
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a Github organization.
Requires a Github identity provider.
Matches a Github organization. Requires a Github identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace.
Requires a Google Workspace identity provider.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value is interpreted as a JSON object of the form: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
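The two ways a non-interactive client can present a service token, as an added example that is not Cloudflare's code and not part of this reference: the default header pair, the single JSON-valued header that read_service_tokens_from_header enables, and a reference parser for what Access is described as doing with that header value. The header name X-Svc-Token, every credential value, and the choice that the header pair wins when both forms are present are assumptions of this example; the two JSON key names are the ones quoted above.

```python
"""Service-token presentation for a non-interactive client of an Access app.

Added example, not Cloudflare's code. The assumption that the header pair
takes precedence when both forms are present is ours; credential values and
the X-Svc-Token header name are constructed placeholders.
"""
from __future__ import annotations

import hmac
import json

PAIR_ID_HEADER = "CF-Access-Client-Id"
PAIR_SECRET_HEADER = "CF-Access-Client-Secret"
JSON_ID_KEY = "cf-access-client-id"          # key names quoted in the reference
JSON_SECRET_KEY = "cf-access-client-secret"


def pair_headers(client_id: str, client_secret: str) -> dict[str, str]:
    """Default form: two headers carrying the token id and secret."""
    return {PAIR_ID_HEADER: client_id, PAIR_SECRET_HEADER: client_secret}


def single_header(header_name: str, client_id: str, client_secret: str) -> dict[str, str]:
    """Alternative form: one header (named by read_service_tokens_from_header)
    whose value is a JSON object with the two lower-case keys."""
    value = json.dumps({JSON_ID_KEY: client_id, JSON_SECRET_KEY: client_secret})
    return {header_name: value}


def extract_service_token(headers: dict[str, str],
                          configured_header: str | None = None) -> tuple[str, str] | None:
    """Return (client_id, client_secret) from a request's headers, or None.

    HTTP header names are case-insensitive, so matching is done on lower-cased
    names. Malformed JSON or a missing or non-string key yields None rather
    than an exception, so a bad header is treated as "no token presented".
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    client_id = lowered.get(PAIR_ID_HEADER.lower())
    client_secret = lowered.get(PAIR_SECRET_HEADER.lower())
    if client_id and client_secret:
        return client_id, client_secret
    if configured_header is None:
        return None
    raw = lowered.get(configured_header.lower())
    if not raw:
        return None
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict):
        return None
    client_id, client_secret = obj.get(JSON_ID_KEY), obj.get(JSON_SECRET_KEY)
    if isinstance(client_id, str) and isinstance(client_secret, str) and client_id and client_secret:
        return client_id, client_secret
    return None


def matches_token(presented: tuple[str, str] | None,
                  expected_id: str, expected_secret: str) -> bool:
    """Compare a presented token against the expected one in constant time.

    Both fields are compared before the results are combined, so timing does
    not reveal which of the two was wrong.
    """
    if presented is None:
        return False
    id_ok = hmac.compare_digest(presented[0].encode(), expected_id.encode())
    secret_ok = hmac.compare_digest(presented[1].encode(), expected_secret.encode())
    return id_ok and secret_ok


if __name__ == "__main__":
    hdrs = single_header("X-Svc-Token", "id-placeholder", "secret-placeholder")
    print(hdrs)
    print(extract_service_token(hdrs, configured_header="X-Svc-Token"))
```

The single-header form only works once the application's read_service_tokens_from_header is set to that header name; with it unset, the parser above returns None for the JSON header, which is the behaviour to expect from Access as well.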
Sets the SameSite attribute on the Access session cookie, which provides increased security against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic or SCIMConfigAuthenticationOAuthBearerToken or SCIMConfigAuthenticationOauth2 or AccessSCIMConfigAuthenticationAccessServiceToken. Multiple authentication schemes; each element is one of the four scheme objects listed above.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. "strict" removes unknown values, while "passthrough" passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
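A local model of how the scim_config fields above shape an outbound provisioning request, as an added example that is not Cloudflare's code and not a SCIM client: the filter selects resources, the operations flags gate creates, updates and deletes, strictness "strict" drops attributes the target schema does not declare while "passthrough" keeps them, and deactivate_on_delete turns a DELETE into a PATCH that sets active to false. Assumptions of this example: the filter evaluator supports only the SCIM subset `attr eq "value"`; the mapping's `schema` field names the SCIM resource schema it applies to; HTTP methods and the /Users path follow RFC 7644; the transform_jsonata step is not modelled; resources and the target attribute set are constructed.

```python
"""Local model of the scim_config mapping semantics in this reference.

Added example, not Cloudflare's code and not a SCIM client. Assumptions:
the filter evaluator handles only 'attr eq "value"'; Mapping.schema names the
SCIM resource schema a mapping applies to; methods and /Users paths follow
RFC 7644; transform_jsonata is not modelled; sample data is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Any

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
_FILTER_RE = re.compile(r'^\s*([A-Za-z][\w.]*)\s+eq\s+"([^"]*)"\s*$')


@dataclass
class Mapping:
    schema: str
    filter: str | None = None
    operations: dict[str, bool] = field(
        default_factory=lambda: {"create": True, "update": True, "delete": True})
    strictness: str = "strict"


@dataclass
class ScimConfig:
    deactivate_on_delete: bool
    mappings: list[Mapping]


def matches_filter(resource: dict[str, Any], expr: str | None) -> bool:
    """Evaluate the 'attr eq "value"' subset; dotted paths walk nested objects.
    An unsupported expression raises instead of silently matching everything."""
    if not expr:
        return True
    m = _FILTER_RE.match(expr)
    if m is None:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    path, wanted = m.groups()
    current: Any = resource
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return False
        current = current[part]
    # Loose string comparison so booleans and numbers can be matched too.
    return current == wanted or str(current).lower() == wanted.lower()


def plan_request(config: ScimConfig, target_attrs: set[str], op: str,
                 resource: dict[str, Any]) -> tuple[str, str, dict | None] | None:
    """Return (method, path, body) for the target, or None if nothing is sent."""
    mapping = next((m for m in config.mappings
                    if m.schema in resource.get("schemas", [])
                    and matches_filter(resource, m.filter)), None)
    if mapping is None or not mapping.operations.get(op, False):
        return None
    if mapping.strictness == "strict":
        body = {k: v for k, v in resource.items() if k in target_attrs}
    elif mapping.strictness == "passthrough":
        body = dict(resource)
    else:
        raise ValueError(f"unknown strictness: {mapping.strictness!r}")
    rid = resource["id"]
    if op == "create":
        return "POST", "/Users", body
    if op == "update":
        return "PUT", f"/Users/{rid}", body
    if op != "delete":
        raise ValueError(f"unknown operation: {op!r}")
    if config.deactivate_on_delete:
        patch = {"schemas": [PATCH_SCHEMA],
                 "Operations": [{"op": "replace", "value": {"active": False}}]}
        return "PATCH", f"/Users/{rid}", patch
    return "DELETE", f"/Users/{rid}", None


# Constructed sample data: a target that declares five attributes, and two users.
TARGET_ATTRS = {"schemas", "id", "userName", "active", "emails"}
EMPLOYEE = {"schemas": [USER_SCHEMA], "id": "u-1", "userName": "alice@example.com",
            "active": True, "userType": "Employee", "nickName": "ali"}
CONTRACTOR = {**EMPLOYEE, "id": "u-2", "userName": "bob@example.com",
              "userType": "Contractor"}
CONFIG = ScimConfig(deactivate_on_delete=True, mappings=[
    Mapping(schema=USER_SCHEMA, filter='userType eq "Employee"', strictness="strict")])

if __name__ == "__main__":
    for op in ("create", "update", "delete"):
        print(op, plan_request(CONFIG, TARGET_ATTRS, op, EMPLOYEE))
    print("contractor:", plan_request(CONFIG, TARGET_ATTRS, "create", CONTRACTOR))
```

The strict branch is the safer default for a target that rejects unknown attributes, and deactivate_on_delete matters for the targets the reference notes do not support DELETE: with it on, nothing is ever deleted, the user is only marked inactive.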
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
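The application and policy fields above carry constraints that the API will reject or silently override, and a pre-flight check catches them before a request is sent. The following is an added example, not Cloudflare's code, and it never calls the API: it validates a request body against the constraints this reference states (auto_redirect_to_identity needs exactly one allowed_idps entry; precedence must be unique per app; linked_app_token rules only work with non_identity or bypass decisions; infrastructure applications only use the Allow decision and do not support session_duration; session_duration uses the Go duration syntax with units ns, us/µs, ms, s, m, h; self_hosted_domains is ignored when destinations is set). Assumptions: the decision values allow, deny, non_identity and bypass are the Access API's enum and are not all spelled out in this section; the IdP, posture and app identifiers and both sample bodies are constructed placeholders; the inner fields of the gsuite, device_posture and linked_app_token rules are taken from the API, not from this page.

```python
"""Pre-flight validator for an Access application body before it is POSTed.

Added example, not Cloudflare's code; never calls the API. Assumptions: the
decision enum (allow/deny/non_identity/bypass) and the inner rule fields come
from the Access API rather than this page; identifiers and sample bodies are
constructed placeholders.
"""
from __future__ import annotations

import re
from typing import Any

_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")
_UNIT_NS = {"ns": 1, "us": 1_000, "µs": 1_000, "ms": 1_000_000,
            "s": 10**9, "m": 60 * 10**9, "h": 3_600 * 10**9}
DECISIONS = {"allow", "deny", "non_identity", "bypass"}
TOKEN_ONLY_DECISIONS = {"non_identity", "bypass"}


def parse_duration_ns(value: str) -> int:
    """Parse '300ms' or '2h45m' into nanoseconds; reject empty, unit-less or trailing input."""
    pos, total = 0, 0.0
    while pos < len(value):
        m = _DURATION_RE.match(value, pos)
        if m is None:
            raise ValueError(f"invalid duration {value!r} at offset {pos}")
        total += float(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    if pos == 0:
        raise ValueError("empty duration")
    return int(total)


def validate_application(app: dict[str, Any]) -> list[str]:
    """Return the violated constraints; an empty list means the body passes these checks."""
    problems: list[str] = []
    app_type = app.get("type")

    if app.get("auto_redirect_to_identity") and len(app.get("allowed_idps") or []) != 1:
        problems.append("auto_redirect_to_identity requires exactly one entry in allowed_idps")

    if "session_duration" in app:
        if app_type == "infrastructure":
            problems.append("session_duration is unsupported for infrastructure applications")
        else:
            try:
                parse_duration_ns(app["session_duration"])
            except ValueError as exc:
                problems.append(f"session_duration: {exc}")

    if app.get("destinations") and app.get("self_hosted_domains"):
        problems.append("self_hosted_domains is deprecated and ignored when destinations is set")

    seen: set[int] = set()
    for i, policy in enumerate(app.get("policies") or []):
        decision = policy.get("decision")
        if decision not in DECISIONS:
            problems.append(f"policies[{i}]: unknown decision {decision!r}")
        elif app_type == "infrastructure" and decision != "allow":
            problems.append(f"policies[{i}]: infrastructure policies can only use the allow decision")
        precedence = policy.get("precedence")
        if precedence is not None:
            if precedence in seen:
                problems.append(f"policies[{i}]: precedence {precedence} is already used in this app")
            seen.add(precedence)
        for bucket in ("include", "exclude", "require"):
            uses_token_rule = any("linked_app_token" in rule for rule in policy.get(bucket) or [])
            if uses_token_rule and decision not in TOKEN_ONLY_DECISIONS:
                problems.append(f"policies[{i}].{bucket}: linked_app_token only works "
                                "with non_identity or bypass decisions")
    return problems


# Constructed sample bodies: GOOD_APP passes, BAD_APP trips four checks.
GOOD_APP = {
    "type": "self_hosted", "name": "wiki", "domain": "wiki.example.com",
    "allowed_idps": ["idp-placeholder"], "auto_redirect_to_identity": True,
    "session_duration": "24h",
    "policies": [
        {"name": "staff", "decision": "allow", "precedence": 1,
         "include": [{"gsuite": {"email": "staff@example.com",
                                 "identity_provider_id": "idp-placeholder"}}],
         "require": [{"auth_method": {"auth_method": "hwk"}},
                     {"device_posture": {"integration_uid": "posture-placeholder"}}]},
        {"name": "ci", "decision": "non_identity", "precedence": 2,
         "include": [{"any_valid_service_token": {}}]},
    ],
}
BAD_APP = {
    "type": "self_hosted", "domain": "app.example.com",
    "allowed_idps": [], "auto_redirect_to_identity": True,
    "session_duration": "1 day",
    "policies": [
        {"decision": "allow", "precedence": 1,
         "include": [{"linked_app_token": {"app_uid": "app-placeholder"}}]},
        {"decision": "deny", "precedence": 1, "include": [{"everyone": {}}]},
    ],
}

if __name__ == "__main__":
    print("good:", validate_application(GOOD_APP))
    print("bad:", *validate_application(BAD_APP), sep="\n  ")
```

The duration parser mirrors the format the reference gives for session_duration (a number followed by a unit, repeated), so "1 day" or a bare "3600" is rejected locally rather than by the API. Run validate_application on the JSON body immediately before the POST and refuse to send it if the list is non-empty.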
AppLauncherApplication = object { type, id, allowed_idps, 15 more }
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
landing_page_design: optional object { button_color, button_text_color, image_url, 2 more } The design of the App Launcher landing page shown to users when they log in.
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method } The type of authentication method, as an Authentication Method Reference value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method } The type of authentication method, as an Authentication Method Reference value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method } The type of authentication method, as an Authentication Method Reference value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
DeviceEnrollmentPermissionsApplication = object { type, id, allowed_idps, 9 more }
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method } The type of authentication method, as an Authentication Method Reference value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method } The type of authentication method, as an Authentication Method Reference value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method } The type of authentication method, as an Authentication Method Reference value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
BrowserIsolationPermissionsApplication = object { type, id, allowed_idps, 9 more }
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method } The type of authentication method, as an Authentication Method Reference value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method } The type of authentication method, as an Authentication Method Reference value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method } The type of authentication method, as an Authentication Method Reference value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
GatewayIdentityProxyEndpointApplication = object { type, id, allowed_idps, 9 more }
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The proxy endpoint domain, in the format of 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com.
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
BookmarkApplication = object { id, app_launcher_visible, aud, 6 more }
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
InfrastructureApplication = object { target_criteria, type, id, 3 more }
target_criteria: array of object { port, protocol, target_attributes }
policies: optional array of object { id, connection_rules, created_at, 6 more }
connection_rules: optional object { ssh } The rules that define how users may connect to the targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
BrowserRDPApplication = object { domain, target_criteria, type, 31 more }
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
target_criteria: array of object { port, protocol, target_attributes }
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
cors_headers: optional CORSHeaders { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type } List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri } A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp" The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant } Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled } Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default.
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, as defined in https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more. The credentials Access presents to the target application's SCIM endpoint: one of the single schemes below, or a list of several.
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme } Multiple authentication schemes; each element is one of the four single-scheme objects above.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
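The session_duration format above is Go's time.ParseDuration grammar, and a value such as "24" or "1d" does not satisfy it, so it is worth validating locally before submitting the application. The parser below is an added example written for this page, not Cloudflare code; it accepts exactly the units the page lists (plus the Greek-mu spelling of µs, which pasted values sometimes carry) and returns nanoseconds, so the result can be compared against whatever ceiling your own policy sets.

```python
import re
from decimal import Decimal

# Nanoseconds per unit. Both the micro sign (U+00B5) and Greek mu (U+03BC)
# are accepted for "µs", since the page lists "us (or µs)".
_UNIT_NS = {
    "ns": 1,
    "us": 1_000, "\u00b5s": 1_000, "\u03bcs": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3600 * 1_000_000_000,
}
# Longer unit names go first in the alternation so "ms" is never read as
# "m" followed by an unparseable "s".
_UNITS = "|".join(sorted(_UNIT_NS, key=len, reverse=True))
_COMPONENT = re.compile(r"(\d+\.?\d*|\.\d+)(" + _UNITS + ")")


def parse_session_duration(value: str) -> int:
    """Return the duration in nanoseconds, or raise ValueError.

    Accepts the grammar the page describes (Go's time.ParseDuration without a
    sign): one or more decimal numbers, each immediately followed by a unit,
    e.g. "300ms", "2h45m" or "1.5h". A bare "0" is also accepted.
    """
    if value == "0":
        return 0
    if not value:
        raise ValueError("session_duration is empty")
    pos, total = 0, Decimal(0)
    while pos < len(value):
        m = _COMPONENT.match(value, pos)
        if m is None:
            raise ValueError(f"invalid session_duration {value!r} at offset {pos}")
        total += Decimal(m.group(1)) * _UNIT_NS[m.group(2)]
        pos = m.end()
    return int(total)


def session_duration_is_valid(value: str) -> bool:
    """True when the value would be accepted by the format above."""
    try:
        parse_session_duration(value)
    except ValueError:
        return False
    return True


def session_duration_hours(value: str) -> float:
    """Convenience for reviewing an application: how long its tokens stay valid."""
    return parse_session_duration(value) / _UNIT_NS["h"]
```

Note that the format has no day unit, so a one-day session must be written as 24h; session_duration_is_valid("1d") returns False for that reason.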
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
McpServerApplication = object { type, id, allow_authenticate_via_warp, 18 more }
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type } List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri } A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp" The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant } Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled } Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, given as an Authentication Method Reference (amr) value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, given as an Authentication Method Reference (amr) value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, given as an Authentication Method Reference (amr) value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
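The exclude, include and require lists and the precedence field above describe how one policy is evaluated, but the schema alone does not show what ordering does to the outcome. The Python model below, written for this page as an added example rather than Cloudflare's own code, evaluates a constructed policies array the way the text describes: include is OR, exclude is NOT, require is AND, and precedence must be unique within the application. Three things in it are assumptions rather than statements from the page: policies are tried in ascending precedence and the first match decides; a request that matches no policy is denied; and the inner field names for the device_posture and gsuite rules (integration_uid, email) and the subject facts (amr, gsuite_groups, passed_posture_checks, service_token_valid) are illustrative. The same model applies to the policies array of every application type on this page, since they share this schema.

```python
from typing import Any, Optional

Rule = dict
Policy = dict
Subject = dict


def rule_matches(rule: Rule, subject: Subject) -> bool:
    """Evaluate one rule object against the facts established for a request.

    A rule object carries exactly one key naming its type, as in the schema
    above. Apart from auth_method, whose body the page shows as { auth_method },
    the inner field names used here are assumptions for this illustration.
    """
    (kind, body), = rule.items()
    if kind == "any_valid_service_token":
        return bool(subject.get("service_token_valid"))
    if kind == "auth_method":
        # RFC 8176 amr values such as "mfa", "hwk" or "pwd".
        return body["auth_method"] in subject.get("amr", [])
    if kind == "device_posture":
        return body["integration_uid"] in subject.get("passed_posture_checks", [])
    if kind == "github-organization":
        return body["name"] in subject.get("github_orgs", [])
    if kind == "gsuite":
        return body["email"] in subject.get("gsuite_groups", [])
    raise ValueError(f"unsupported rule type {kind!r}")


def policy_matches(policy: Policy, subject: Subject) -> bool:
    """include is OR, exclude is NOT, require is AND, exactly as documented."""
    include = policy.get("include", [])
    exclude = policy.get("exclude", [])
    require = policy.get("require", [])
    if not any(rule_matches(r, subject) for r in include):
        return False  # an empty include list includes nobody
    if any(rule_matches(r, subject) for r in exclude):
        return False
    return all(rule_matches(r, subject) for r in require)


def duplicate_precedences(policies: list) -> set:
    """precedence must be unique per application; return any values used twice."""
    seen: set = set()
    dupes: set = set()
    for policy in policies:
        value = policy["precedence"]
        if value in seen:
            dupes.add(value)
        seen.add(value)
    return dupes


def evaluate(policies: list, subject: Subject) -> tuple:
    """Return (decision, policy name) for the first matching policy.

    Assumptions: policies are tried in ascending precedence, the first match
    wins, and a request matching no policy is denied.
    """
    dupes = duplicate_precedences(policies)
    if dupes:
        raise ValueError(f"duplicate precedence values: {sorted(dupes)}")
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(policy, subject):
            return policy["decision"], policy["name"]
    return "deny", None


# Constructed sample policies for one application; not from the page.
POLICIES = [
    {"name": "CI pipeline", "precedence": 1, "decision": "non_identity",
     "include": [{"any_valid_service_token": {}}]},
    {"name": "Contractors need a managed device", "precedence": 2, "decision": "deny",
     "include": [{"gsuite": {"email": "contractors@example.com"}}],
     "exclude": [{"device_posture": {"integration_uid": "managed-device-check"}}]},
    {"name": "Staff and contractors with MFA", "precedence": 3, "decision": "allow",
     "include": [{"gsuite": {"email": "staff@example.com"}},
                 {"gsuite": {"email": "contractors@example.com"}}],
     "require": [{"auth_method": {"auth_method": "mfa"}}]},
]
```

Swap the precedence values of the deny and allow policies in POLICIES and a contractor on an unmanaged device is allowed by the MFA policy before the deny policy is ever reached; the unique-precedence requirement exists so that this ordering is always explicit.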
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more. The credentials Access presents to the target application's SCIM endpoint: one of the single schemes below, or a list of several.
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme } Multiple authentication schemes; each element is one of the four single-scheme objects above.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. 'strict' removes unknown values, while 'passthrough' passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
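The mappings array above describes a pipeline: a SCIM filter selects resources, operations gates which of create, update and delete the mapping applies to, strictness decides whether attributes unknown to the target schema are dropped or forwarded, and a JSONata expression transforms what is left; the deactivate-on-delete setting described earlier then turns a delete into a deactivation. The Python below simulates that pipeline over constructed resources, for this scim_config block and the identical one earlier on the page. It is an added example, not Cloudflare code, and it does not run JSONata (a plain callable stands in for the transform field). The SCIM filter evaluator covers the eq, ne, co, sw, ew and pr operators joined by and/or and nothing more, and the field name deactivate_on_delete and the SCIM /Users endpoint layout are assumptions.

```python
import re
from typing import Any, Callable, Optional

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def _attr(resource: Any, path: str) -> Any:
    """Dotted attribute lookup such as "name.givenName"."""
    for part in path.split("."):
        resource = resource.get(part) if isinstance(resource, dict) else None
    return resource


def scim_filter_matches(resource: dict, expression: str) -> bool:
    """SCIM filter subset (RFC 7644 section 3.4.2.2): attr pr, attr op value with op in
    eq/ne/co/sw/ew, joined by and/or (and binds tighter); no parentheses or value paths."""
    matches = list(_TOKEN.finditer(expression))
    tokens = [m.group(1) if m.group(1) is not None else m.group(2) for m in matches]
    quoted = [m.group(1) is not None for m in matches]
    pos = 0

    def condition() -> bool:
        nonlocal pos
        attr, op = tokens[pos], tokens[pos + 1].lower()
        actual = _attr(resource, attr)
        if op == "pr":
            pos += 2
            return actual is not None
        raw, was_quoted = tokens[pos + 2], quoted[pos + 2]
        pos += 3
        value: Any = raw if was_quoted else {"true": True, "false": False}.get(raw.lower(), raw)
        if op in ("eq", "ne"):
            return (actual == value) == (op == "eq")
        if isinstance(actual, str) and isinstance(value, str):
            return {"co": value in actual, "sw": actual.startswith(value),
                    "ew": actual.endswith(value)}.get(op, False)
        return False

    def term() -> bool:  # condition ("and" condition)*
        nonlocal pos
        result = condition()
        while pos < len(tokens) and tokens[pos].lower() == "and":
            pos += 1
            result = condition() and result  # evaluate both sides so pos always advances
        return result

    result = term()  # term ("or" term)*
    while pos < len(tokens) and tokens[pos].lower() == "or":
        pos += 1
        result = term() or result
    return result


def apply_mapping(mapping: dict, resource: dict, operation: str, schema_attributes: set,
                  transform: Optional[Callable[[dict], dict]] = None) -> Optional[dict]:
    """Run one mappings entry; None means it does not provision this resource for this operation.
    transform stands in for the JSONata expression of the transform field (assumption)."""
    if not mapping["operations"].get(operation, False):  # operations gate
        return None
    if not scim_filter_matches(resource, mapping["filter"]):  # filter gate
        return None
    outbound = dict(resource)
    if mapping.get("strictness", "strict") == "strict":
        # strict drops attributes the target schema does not define; passthrough forwards them
        outbound = {k: v for k, v in outbound.items() if k in schema_attributes}
    return transform(outbound) if transform else outbound


def outbound_request(scim_config: dict, mapping: dict, resource: dict, operation: str,
                     schema_attributes: set, transform=None) -> Optional[dict]:
    """The SCIM request Access would send to remote_uri, or None if nothing is sent."""
    body = apply_mapping(mapping, resource, operation, schema_attributes, transform)
    if body is None:
        return None
    users = scim_config["remote_uri"].rstrip("/") + "/Users"
    if operation == "create":
        return {"method": "POST", "url": users, "body": body}
    if operation == "update":
        return {"method": "PUT", "url": f"{users}/{resource['id']}", "body": body}
    if scim_config.get("deactivate_on_delete"):  # assumed field name for the setting described above
        # targets that reject DELETE get a PATCH flipping active to false instead
        return {"method": "PATCH", "url": f"{users}/{resource['id']}",
                "body": {"schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
                         "Operations": [{"op": "replace", "path": "active", "value": False}]}}
    return {"method": "DELETE", "url": f"{users}/{resource['id']}", "body": None}


# Constructed sample configuration and IdP resources; not from the page.
SCIM_CONFIG = {"remote_uri": "https://app.example.com/scim/v2", "deactivate_on_delete": True,
               "mappings": [{"filter": 'userName ew "@example.com" and userType eq "Employee" and active eq true',
                             "operations": {"create": True, "update": True, "delete": True},
                             "strictness": "strict"}]}
EMPLOYEE_MAPPING = SCIM_CONFIG["mappings"][0]
CORE_USER_ATTRIBUTES = {"schemas", "id", "userName", "name", "active", "emails", "userType"}
ALICE = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "id": "u-1001",
         "userName": "alice@example.com", "userType": "Employee", "active": True,
         "name": {"givenName": "Alice", "familyName": "Example"},
         "x-costCenter": "CC-42"}  # attribute the target schema does not define
BOB = {**ALICE, "id": "u-1002", "userName": "bob@partner.example", "userType": "Contractor"}
```

With strictness left at strict, Alice's x-costCenter never reaches the target; switch the mapping to passthrough and it is forwarded verbatim, which is the trade-off the strictness field exists to make visible. The mapping's filter and operations also gate deletes, so a resource that no longer matches the filter is simply not touched.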
McpServerPortalApplication = object { type, id, allow_authenticate_via_warp, 19 more }
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
destinations: optional array of object { type, uri } or object { cidr, hostname, l4_protocol, 3 more } or object { mcp_server_id, type } List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
PublicDestination = object { type, uri } A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations' URIs can include a domain and path with wildcards.
PrivateDestination = object { cidr, hostname, l4_protocol, 3 more }
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
l4_protocol: optional "tcp" or "udp" The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
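Before relying on Access to front a request, a practitioner usually wants to confirm that the request actually falls inside the destinations list, for this application type and for the identical destinations schema shown earlier on the page. The checker below is an added example, not code from the page or from Cloudflare. It implements the semantics stated above (a public destination is a hostname plus optional path with '*' as the wildcard; a private destination is a CIDR with an optional SNI hostname and an l4_protocol that matches both TCP and UDP when omitted) together with three assumptions: the type values "public" and "private", a port_range field written as "start-end" (the page says three more private fields exist without naming them), and that the path part of a public uri is a prefix, so app.example.com/admin covers /admin/users but not /administrator.

```python
import ipaddress
import re
from typing import Optional


def _wildcard(pattern: str):
    """Compile a destination pattern in which '*' is the only wildcard (assumed: any run of characters)."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")), re.IGNORECASE)


def public_destination_covers(dest: dict, host: str, path: str = "/") -> bool:
    """Does a PublicDestination uri (hostname, optional path, '*' wildcards) cover host+path?"""
    host_pattern, _, path_pattern = dest["uri"].partition("/")
    if not _wildcard(host_pattern).fullmatch(host):
        return False
    if not path_pattern:
        return True  # no path in the uri: the whole hostname is protected
    # Assumption: the path is a prefix, so "/admin" covers "/admin/users" but not "/administrator".
    prefix = _wildcard("/" + path_pattern.rstrip("/")).pattern
    return re.fullmatch(prefix + r"(/.*)?", path, re.IGNORECASE) is not None


def private_destination_covers(dest: dict, ip: str, port: int, l4_protocol: str,
                               sni: Optional[str] = None) -> bool:
    """Does a PrivateDestination cover a connection to ip:port over l4_protocol with this SNI?"""
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(dest["cidr"], strict=False):
        return False
    if dest.get("l4_protocol") and dest["l4_protocol"] != l4_protocol:
        return False  # when l4_protocol is omitted both TCP and UDP match, as documented
    port_range = dest.get("port_range")  # assumed field name and "start-end" form
    if port_range:
        low, _, high = port_range.partition("-")
        if not int(low) <= port <= int(high or low):
            return False
    # hostname matches the SNI of an HTTPS origin; a connection without SNI cannot satisfy it.
    if dest.get("hostname") and dest["hostname"].lower() != (sni or "").lower():
        return False
    return True


def covering_destinations(destinations: list, request: dict) -> list:
    """uri or cidr of every destination covering the request; empty means Access is not in front of it."""
    hits = []
    for dest in destinations:
        if dest["type"] == "public" and "host" in request:
            if public_destination_covers(dest, request["host"], request.get("path", "/")):
                hits.append(dest["uri"])
        elif dest["type"] == "private" and "ip" in request:
            if private_destination_covers(dest, request["ip"], request["port"],
                                          request["l4_protocol"], request.get("sni")):
                hits.append(dest["cidr"])
    return hits


# Constructed sample destinations list; not from the page.
DESTINATIONS = [
    {"type": "public", "uri": "app.example.com/admin"},
    {"type": "public", "uri": "*.internal.example.com"},
    {"type": "private", "cidr": "10.20.0.0/16", "l4_protocol": "tcp",
     "port_range": "443-443", "hostname": "vault.corp.internal"},
    {"type": "private", "cidr": "10.30.5.0/24"},  # any protocol, any port
]
```

Two results are worth noticing: the wildcard entry *.internal.example.com does not cover the apex internal.example.com, and the private entry with an hostname only covers connections that present that SNI, so a client connecting by bare IP is outside the application.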
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
oauth_configuration: optional object { dynamic_client_registration, enabled, grant } Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
dynamic_client_registration: optional object { allow_any_on_localhost, allow_any_on_loopback, allowed_uris, enabled } Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
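dynamic_client_registration controls which redirect URIs a self-registering OAuth client may present, and redirect URI validation is where authorization servers most often go wrong (prefix or substring matching, accepting a fragment, trusting a DNS name). The checker below is an added example, not Cloudflare code, and the meaning it gives the four settings is an assumed reading of their names rather than documented behaviour: allowed_uris is matched by exact string equality, allow_any_on_loopback accepts any port and path on a loopback IP literal, allow_any_on_localhost does the same for the hostname localhost, and enabled set to false refuses every registration. Fragments are refused as RFC 6749 section 3.1.2 requires.

```python
import ipaddress
from urllib.parse import urlsplit


def _is_loopback_literal(host: str) -> bool:
    """True for IP literals in 127.0.0.0/8 or ::1 (the RFC 8252 section 7.3 loopback interface)."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def redirect_uri_allowed(dcr: dict, redirect_uri: str) -> bool:
    """Decide whether a dynamically registered client may use redirect_uri.

    Rules (an assumed reading of the four settings in dynamic_client_registration):
      * enabled=false refuses every registration;
      * allowed_uris is compared by exact string equality, never by prefix or
        substring, so "https://evil.example/https://app.example.com/cb" fails;
      * allow_any_on_loopback accepts any port and path on a loopback IP literal;
      * allow_any_on_localhost does the same for the hostname "localhost".
    Anything else is refused, as are fragments (RFC 6749 section 3.1.2) and
    schemes other than http/https for the localhost and loopback cases.
    """
    if not dcr.get("enabled", False):
        return False
    if redirect_uri in dcr.get("allowed_uris", []):
        return True  # exact match; custom-scheme URIs for native apps belong here
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or parts.fragment or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host == "localhost":
        return bool(dcr.get("allow_any_on_localhost", False))
    if _is_loopback_literal(host):
        return bool(dcr.get("allow_any_on_loopback", False))
    return False


def check_registration(dcr: dict, redirect_uris: list) -> list:
    """The redirect URIs a registration request would be refused for; empty means it passes."""
    return [uri for uri in redirect_uris if not redirect_uri_allowed(dcr, uri)]


# Constructed sample settings; not from the page.
DCR = {"enabled": True,
       "allowed_uris": ["https://app.example.com/oauth/callback"],
       "allow_any_on_loopback": True,
       "allow_any_on_localhost": False}
```

RFC 8252 section 8.3 recommends loopback IP literals over the hostname localhost for native apps, which is why the two switches are separate: leaving allow_any_on_localhost off while enabling allow_any_on_loopback keeps a DNS-resolved name out of the trust decision.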
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
policies: optional array of object { id, approval_groups, approval_required, 14 more }
approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid } Administrators who can approve a temporary authentication request.
Requires the user to request access from an administrator at the start of each session.
connection_rules: optional object { rdp } The rules that define how users may connect to targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, given as an Authentication Method Reference (amr) value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options.
auth_method: object { auth_method }
The type of authentication method, given as an Authentication Method Reference (amr) value from https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature.
mfa_config: optional object { allowed_authenticators, mfa_disabled, session_duration } Configures multi-factor authentication (MFA) settings.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
AnyValidServiceTokenRule = object { any_valid_service_token } Matches any valid Access Service Token.
AccessAuthContextRule = object { auth_context } Matches an Azure Authentication Context. Requires an Azure identity provider.
AuthenticationMethodRule = object { auth_method } Enforce different MFA options by matching the authentication method the identity provider reports for the login.
auth_method: object { auth_method }
The authentication method reference (amr) value to match, using the names defined in RFC 8176, section 2: https://datatracker.ietf.org/doc/html/rfc8176#section-2.
AccessDevicePostureRule = object { device_posture } Enforces that a device posture rule has run successfully.
ExternalEvaluationRule = object { external_evaluation } Create Allow or Block policies which evaluate the user based on custom criteria.
GitHubOrganizationRule = object { "github-organization" } Matches a GitHub organization. Requires a GitHub identity provider.
GSuiteGroupRule = object { gsuite } Matches a group in Google Workspace. Requires a Google Workspace identity provider.
AccessLinkedAppTokenRule = object { linked_app_token } Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
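The rule objects above are the selectors a policy is built from. As an added example, not code from this page or from Cloudflare, the following Python assembles two policies in the shape the request body expects, checks the constraints this page states (one selector per rule object, linked_app_token only with the non_identity or bypass decision, precedence unique within an app) and then evaluates the policies against constructed identity contexts. It assumes that include rules are OR-ed and that any matching exclude rule rejects (the page itself states only that require rules are AND-ed), that policies are tried in precedence order with the first match deciding and no match meaning no access, and that the inner field names integration_uid, email and app_uid, which this page does not show, are correct. The group id is reused from the page's example response.

```python
"""Added example: build, validate and evaluate Access policy objects offline.
Not Cloudflare's code; see the assumptions in the comments below."""
from typing import Optional

# Decisions a linked_app_token rule may be combined with (stated on the page).
LINKED_APP_TOKEN_DECISIONS = {"non_identity", "bypass"}


def validate_policy(policy: dict) -> list:
    """Return the problems found in one policy; an empty list means it passes."""
    problems = []
    decision = policy.get("decision")
    for field in ("include", "exclude", "require"):
        for rule in policy.get(field, []):
            if len(rule) != 1:  # every rule object carries exactly one selector
                problems.append(f"{field}: rule must have one selector, got {sorted(rule)}")
            if "linked_app_token" in rule and decision not in LINKED_APP_TOKEN_DECISIONS:
                problems.append(f"{field}: linked_app_token needs decision non_identity "
                                f"or bypass, not {decision!r}")
    return problems


def validate_app_policies(policies: list) -> list:
    """Precedence must be unique within an app; also run the per-policy checks."""
    problems, seen = [], {}
    for p in policies:
        prec = p.get("precedence")
        if prec in seen:
            problems.append(f"precedence {prec} reused by {p.get('name')!r} and {seen[prec]!r}")
        seen[prec] = p.get("name")
        problems += [f"{p.get('name')}: {m}" for m in validate_policy(p)]
    return problems


def rule_matches(rule: dict, ctx: dict) -> bool:
    """Evaluate one selector against a constructed identity context. Selectors
    this block does not model (e.g. external_evaluation) return False, so an
    unknown selector can never widen access."""
    (kind, spec), = rule.items()
    if kind == "any_valid_service_token":
        return bool(ctx.get("service_token_valid"))
    if kind == "auth_method":  # amr value from RFC 8176, as the page says
        return spec["auth_method"] in ctx.get("amr", [])
    if kind == "device_posture":  # integration_uid: assumed inner field name
        return spec["integration_uid"] in ctx.get("posture_passed", set())
    if kind == "group":  # shape taken from the page's example response
        return spec["id"] in ctx.get("groups", set())
    if kind == "email":  # assumed inner field name
        return ctx.get("email") == spec["email"]
    return False


def policy_matches(policy: dict, ctx: dict) -> bool:
    """include: any rule (OR, assumed); exclude: no rule (assumed); require: all rules (AND)."""
    if not any(rule_matches(r, ctx) for r in policy.get("include", [])):
        return False
    if any(rule_matches(r, ctx) for r in policy.get("exclude", [])):
        return False
    return all(rule_matches(r, ctx) for r in policy.get("require", []))


def decide(policies: list, ctx: dict) -> Optional[str]:
    """Assumed: first matching policy in precedence order wins; None means no access."""
    for p in sorted(policies, key=lambda p: p["precedence"]):
        if policy_matches(p, ctx):
            return p["decision"]
    return None


# Constructed sample policies; the group id is the one in the page's example response.
DEV_GROUP = "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
POLICIES = [
    {"name": "Allow devs", "decision": "allow", "precedence": 0,
     "include": [{"group": {"id": DEV_GROUP}}],
     "exclude": [{"email": {"email": "contractor@example.com"}}],
     "require": [{"auth_method": {"auth_method": "mfa"}},
                 {"device_posture": {"integration_uid": "posture-firewall"}}]},
    {"name": "CI service token", "decision": "non_identity", "precedence": 1,
     "include": [{"any_valid_service_token": {}}]},
]
# Violates two stated constraints: reused precedence, linked_app_token on an allow.
BAD_POLICY = {"name": "Token allow", "decision": "allow", "precedence": 1,
              "include": [{"linked_app_token": {"app_uid": "saas-app-uid"}}]}

# Constructed identity contexts (what the IdP, WARP and posture checks would report).
DEV_WITH_MFA = {"groups": {DEV_GROUP}, "amr": ["pwd", "mfa"], "posture_passed": {"posture-firewall"}}
DEV_NO_MFA = {"groups": {DEV_GROUP}, "amr": ["pwd"], "posture_passed": {"posture-firewall"}}
EXCLUDED_DEV = dict(DEV_WITH_MFA, email="contractor@example.com")
CI_RUNNER = {"service_token_valid": True}

if __name__ == "__main__":
    print(validate_app_policies(POLICIES + [BAD_POLICY]))
    for name, ctx in [("dev+mfa", DEV_WITH_MFA), ("dev-mfa", DEV_NO_MFA),
                      ("contractor", EXCLUDED_DEV), ("ci", CI_RUNNER)]:
        print(name, decide(POLICIES, ctx))
```

Running validate_app_policies over the policies array before the POST turns a rejected request into a specific local error; the evaluator is a model for reasoning about how a set of include, exclude and require rules combines, not a substitute for testing against the deployed application.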
Sets the SameSite attribute on the Access authorization cookie, which restricts when browsers send the cookie on cross-site requests and so provides increased protection against CSRF attacks.
scim_config: optional object { idp_uid, remote_uri, authentication, 3 more } Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more
The credentials Access presents to the application's SCIM endpoint (remote_uri) when provisioning; one of the following schemes.
SCIMConfigAuthenticationHTTPBasic = object { password, scheme, user } Attributes for configuring the HTTP Basic authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOAuthBearerToken = object { token, scheme } Attributes for configuring the OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
SCIMConfigAuthenticationOauth2 = object { authorization_url, client_id, client_secret, 3 more } Attributes for configuring the OAuth 2 authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigAuthenticationAccessServiceToken = object { client_id, client_secret, scheme } Attributes for configuring the Access Service Token authentication scheme for SCIM provisioning to an application.
AccessSCIMConfigMultiAuthentication = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or SCIMConfigAuthenticationOAuthBearerToken { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or AccessSCIMConfigAuthenticationAccessServiceToken { client_id, client_secret, scheme } Multiple authentication schemes, each entry being one of the single-scheme objects above.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets 'active' to false on the SCIM resource instead of deleting it. Note: some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
operations: optional object { create, delete, update } Whether or not this mapping applies to creates, updates, or deletes.
strictness: optional "strict" or "passthrough" The level of adherence to outbound resource schemas when provisioning to this mapping. "strict" removes unknown values, while "passthrough" passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
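As an added example, not code from this page or from Cloudflare, the following Python runs the mapping shown in the example response below over constructed SCIM User resources and lists what would be sent to the target, exercising filter, operations, strictness, deactivate_on_delete and the transform together. Assumptions: the filter evaluator handles only pr, eq, ne, and and or (enough for the page's filter); the set of known core User attributes that strict mode keeps is a constructed subset; the page's JSONata expression is re-expressed as a Python function because no JSONata runtime is used; and the outbound action shapes (POST, PUT, DELETE, PATCH with active=false) are illustrative rather than the exact requests Access emits.

```python
"""Added example: apply one scim_config mapping to constructed SCIM resources.
Not Cloudflare's code; see the assumptions in the comments below."""
import re

# Mapping object copied from the page's example response.
MAPPING = {
    "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
    "enabled": True,
    "filter": 'title pr or userType eq "Intern"',
    "operations": {"create": True, "delete": True, "update": True},
    "strictness": "strict",
    "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@')"
                         " & '+test@' & $substringAfter($.userName, '@')}])",
}

# Constructed subset of the core:2.0:User schema that strict mode keeps (assumption).
KNOWN_ATTRS = {"urn:ietf:params:scim:schemas:core:2.0:User": {
    "schemas", "id", "externalId", "userName", "name", "displayName",
    "emails", "active", "title", "userType"}}


def scim_filter_matches(expr: str, resource: dict) -> bool:
    """Small RFC 7644 filter subset: 'attr pr', 'attr eq "v"', 'attr ne "v"',
    joined by and/or, with and binding tighter than or (as in the RFC).
    No parentheses or sub-attributes."""
    def term(text: str) -> bool:
        parts = text.strip().split(None, 2)
        attr, op = parts[0], parts[1].lower()
        value = resource.get(attr)
        if op == "pr":
            return value not in (None, "", [], {})
        literal = parts[2].strip().strip('"')
        if op == "eq":
            return value == literal
        if op == "ne":
            return value != literal
        raise ValueError(f"unsupported operator {op!r}")
    return any(all(term(t) for t in re.split(r"\s+and\s+", clause, flags=re.I))
               for clause in re.split(r"\s+or\s+", expr, flags=re.I))


def apply_strictness(resource: dict, mapping: dict) -> dict:
    """'strict' drops attributes unknown to the schema; 'passthrough' keeps them."""
    if mapping["strictness"] != "strict":
        return dict(resource)
    known = KNOWN_ATTRS[mapping["schema"]]
    return {k: v for k, v in resource.items() if k in known}


def transform(resource: dict) -> dict:
    """Python rendering of the page's JSONata: tag the userName local part with '+test'."""
    local, _, domain = resource["userName"].partition("@")
    return dict(resource, userName=f"{local}+test@{domain}")


def provision(events: list, mapping: dict, deactivate_on_delete: bool) -> list:
    """Turn (operation, resource) events into outbound actions for the target.
    An event is skipped when the mapping is disabled, the operation is not
    enabled for this mapping, or the filter does not match the resource."""
    actions = []
    for op, resource in events:
        if not mapping["enabled"] or not mapping["operations"].get(op):
            continue
        if not scim_filter_matches(mapping["filter"], resource):
            continue
        if op == "delete":
            # deactivate_on_delete: set active=false instead of propagating DELETE
            if deactivate_on_delete:
                actions.append(("PATCH", {"id": resource["id"], "active": False}))
            else:
                actions.append(("DELETE", resource["id"]))
            continue
        body = apply_strictness(resource, mapping)
        if mapping.get("transform_jsonata"):
            body = transform(body)  # JSONata rendered as Python, see above
        actions.append(("POST" if op == "create" else "PUT", body))
    return actions


# Constructed events: an intern with an attribute the schema does not know,
# an engineer update, an intern deletion, and an employee the filter rejects.
EVENTS = [
    ("create", {"id": "u1", "userName": "ana@example.com", "userType": "Intern",
                "active": True, "favoriteColor": "teal"}),
    ("update", {"id": "u2", "userName": "bo@example.com", "title": "Engineer", "active": True}),
    ("delete", {"id": "u3", "userName": "cy@example.com", "userType": "Intern"}),
    ("create", {"id": "u4", "userName": "di@example.com", "userType": "Employee"}),
]

if __name__ == "__main__":
    for action in provision(EVENTS, MAPPING, deactivate_on_delete=True):
        print(action)
```

The path worth checking is the delete: with deactivate_on_delete true, the IdP deleting an intern becomes a PATCH that sets active to false, which is what a target that does not support DELETE needs; with it false the DELETE propagates. Strict mode is what keeps the unknown favoriteColor attribute from reaching the target.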
Add an Access application
curl https://api.cloudflare.com/client/v4/$ACCOUNTS_OR_ZONES/$ACCOUNT_OR_ZONE_ID/access/apps \
-H 'Content-Type: application/json' \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-d '{
"domain": "test.example.com/admin",
"type": "self_hosted",
"allow_authenticate_via_warp": true,
"allow_iframe": true,
"app_launcher_visible": true,
"destinations": [
{
"type": "public",
"uri": "test.example.com/admin"
},
{
"type": "public",
"uri": "test.anotherexample.com/staff"
},
{
"cidr": "10.5.0.0/24",
"port_range": "80-90",
"type": "private"
},
{
"cidr": "10.5.0.3/32",
"port_range": "80",
"type": "private"
},
{
"hostname": "private-sni.example.com",
"type": "private"
},
{
"mcp_server_id": "mcp-server-1",
"type": "via_mcp_server_portal"
}
],
"http_only_cookie_attribute": true,
"logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
"name": "Admin Site",
"options_preflight_bypass": true,
"path_cookie_attribute": true,
"read_service_tokens_from_header": "Authorization",
"same_site_cookie_attribute": "strict",
"self_hosted_domains": [
"test.example.com/admin",
"test.anotherexample.com/staff"
],
"service_auth_401_redirect": true,
"session_duration": "24h",
"skip_interstitial": true
}'

Returns Examples
{
"errors": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"messages": [
{
"code": 1000,
"message": "message",
"documentation_url": "documentation_url",
"source": {
"pointer": "pointer"
}
}
],
"success": true,
"result": {
"domain": "test.example.com/admin",
"type": "self_hosted",
"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
"allow_authenticate_via_warp": true,
"allow_iframe": true,
"allowed_idps": [
"699d98642c564d2e855e9661899b7252"
],
"app_launcher_visible": true,
"aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
"auto_redirect_to_identity": true,
"cors_headers": {
"allow_all_headers": true,
"allow_all_methods": true,
"allow_all_origins": true,
"allow_credentials": true,
"allowed_headers": [
"string"
],
"allowed_methods": [
"GET"
],
"allowed_origins": [
"https://example.com"
],
"max_age": -1
},
"created_at": "2014-01-01T05:20:00.12345Z",
"custom_deny_message": "custom_deny_message",
"custom_deny_url": "custom_deny_url",
"custom_non_identity_deny_url": "custom_non_identity_deny_url",
"custom_pages": [
"699d98642c564d2e855e9661899b7252"
],
"destinations": [
{
"type": "public",
"uri": "test.example.com/admin"
},
{
"type": "public",
"uri": "test.anotherexample.com/staff"
},
{
"cidr": "10.5.0.0/24",
"hostname": "hostname",
"l4_protocol": "tcp",
"port_range": "80-90",
"type": "private",
"vnet_id": "vnet_id"
},
{
"cidr": "10.5.0.3/32",
"hostname": "hostname",
"l4_protocol": "tcp",
"port_range": "80",
"type": "private",
"vnet_id": "vnet_id"
},
{
"cidr": "cidr",
"hostname": "private-sni.example.com",
"l4_protocol": "tcp",
"port_range": "port_range",
"type": "private",
"vnet_id": "vnet_id"
},
{
"mcp_server_id": "mcp-server-1",
"type": "via_mcp_server_portal"
}
],
"enable_binding_cookie": true,
"http_only_cookie_attribute": true,
"logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
"mfa_config": {
"allowed_authenticators": [
"totp",
"biometrics",
"security_key"
],
"mfa_disabled": false,
"session_duration": "24h"
},
"name": "Admin Site",
"oauth_configuration": {
"dynamic_client_registration": {
"allow_any_on_localhost": true,
"allow_any_on_loopback": true,
"allowed_uris": [
"https://example.com/callback"
],
"enabled": true
},
"enabled": true,
"grant": {
"access_token_lifetime": "5m",
"session_duration": "24h"
}
},
"options_preflight_bypass": true,
"path_cookie_attribute": true,
"policies": [
{
"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
"approval_groups": [
{
"approvals_needed": 1,
"email_addresses": [
"test1@cloudflare.com",
"test2@cloudflare.com"
],
"email_list_uuid": "email_list_uuid"
},
{
"approvals_needed": 3,
"email_addresses": [
"test@cloudflare.com",
"test2@cloudflare.com"
],
"email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
}
],
"approval_required": true,
"connection_rules": {
"rdp": {
"allowed_clipboard_local_to_remote_formats": [
"text"
],
"allowed_clipboard_remote_to_local_formats": [
"text"
]
}
},
"created_at": "2014-01-01T05:20:00.12345Z",
"decision": "allow",
"exclude": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"include": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"isolation_required": false,
"mfa_config": {
"allowed_authenticators": [
"totp",
"biometrics",
"security_key"
],
"mfa_disabled": false,
"session_duration": "24h"
},
"name": "Allow devs",
"precedence": 0,
"purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
"purpose_justification_required": true,
"require": [
{
"group": {
"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
}
}
],
"session_duration": "24h",
"updated_at": "2014-01-01T05:20:00.12345Z"
}
],
"read_service_tokens_from_header": "Authorization",
"same_site_cookie_attribute": "strict",
"scim_config": {
"idp_uid": "idp_uid",
"remote_uri": "remote_uri",
"authentication": {
"password": "password",
"scheme": "httpbasic",
"user": "user"
},
"deactivate_on_delete": true,
"enabled": true,
"mappings": [
{
"schema": "urn:ietf:params:scim:schemas:core:2.0:User",
"enabled": true,
"filter": "title pr or userType eq \"Intern\"",
"operations": {
"create": true,
"delete": true,
"update": true
},
"strictness": "strict",
"transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
}
]
},
"self_hosted_domains": [
"test.example.com/admin",
"test.anotherexample.com/staff"
],
"service_auth_401_redirect": true,
"session_duration": "24h",
"skip_interstitial": true,
"tags": [
"engineers"
],
"updated_at": "2014-01-01T05:20:00.12345Z",
"use_clientless_isolation_app_launcher_url": false
}
}