Get an Access reusable policy

GET/accounts/{account_id}/access/policies/{policy_id}

Fetches a single Access reusable policy.

Security

API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example:Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY

API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example:X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example:X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194

Accepted Permissions (at least one required)

Access: Apps and Policies WriteAccess: Apps and Policies Read

Path ParametersExpand Collapse

account_id: string

Identifier.

maxLength32

policy_id: string

The UUID of the policy

maxLength36

ReturnsExpand Collapse

errors: array of { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional { pointer }

pointer: optional string

messages: array of { code, message, documentation_url, source }

code: number

minimum1000

message: string

documentation_url: optional string

source: optional { pointer }

pointer: optional string

success: true

Whether the API call was successful.

result: optional { id, app_count, approval_groups, 15 more }

id: optional string

The UUID of the policy

maxLength36

app_count: optional number

Number of access applications currently using this policy.

approval_groups: optional array of ApprovalGroup { approvals_needed, email_addresses, email_list_uuid }

Administrators who can approve a temporary authentication request.

approvals_needed: number

The number of approvals needed to obtain access.

minimum0

email_addresses: optional array of string

A list of emails that can approve the access request.

email_list_uuid: optional string

The UUID of an re-usable email list.

approval_required: optional boolean

Requires the user to request access from an administrator at the start of each session.

connection_rules: optional { rdp }

The rules that define how users may connect to targets secured by your application.

rdp: optional { allowed_clipboard_local_to_remote_formats, allowed_clipboard_remote_to_local_formats }

The RDP-specific rules that define clipboard behavior for RDP connections.

allowed_clipboard_local_to_remote_formats: optional array of "text"

Clipboard formats allowed when copying from local machine to remote RDP session.

allowed_clipboard_remote_to_local_formats: optional array of "text"

Clipboard formats allowed when copying from remote RDP session to local machine.

created_at: optional string

formatdate-time

decision: optional Decision

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

One of the following:

"allow"

"deny"

"non_identity"

"bypass"

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

One of the following:

GroupRule { group }

Matches an Access group.

group: { id }

id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token

any_valid_service_token: { }

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: { id, ac_id, identity_provider_id }

id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforce different MFA options

auth_method: { auth_method }

auth_method: string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: { id, identity_provider_id }

id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: { }

AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: { common_name }

common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country

geo: { country_code }

country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces a device posture rule has run successfully

device_posture: { integration_uid }

integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Match an entire email domain.

email_domain: { domain }

domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: { id }

id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: { email }

email: string

The email of the user.

formatemail

EveryoneRule { everyone }

Matches everyone.

everyone: { }

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: { evaluate_url, keys_url }

evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { "github-organization" }

Matches a Github organization. Requires a Github identity provider.

"github-organization": { identity_provider_id, name, team }

identity_provider_id: string

The ID of your Github identity provider.

The name of the organization.

team: optional string

The name of the team

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: { email, identity_provider_id }

email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider id.

login_method: { id }

id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: { id }

id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: { ip }

ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: { identity_provider_id, name }

identity_provider_id: string

The ID of your Okta identity provider.

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: { attribute_name, attribute_value, identity_provider_id }

attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: { claim_name, claim_value, identity_provider_id }

claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token

service_token: { token_id }

token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: { app_uid }

app_uid: string

The ID of an Access OIDC SaaS application

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: { user_risk_score }

user_risk_score: array of "low" or "medium" or "high" or "unscored"

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

"low"

"medium"

"high"

"unscored"

include: optional array of AccessRule

Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.

One of the following:

GroupRule { group }

Matches an Access group.

group: { id }

id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token

any_valid_service_token: { }

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: { id, ac_id, identity_provider_id }

id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforce different MFA options

auth_method: { auth_method }

auth_method: string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: { id, identity_provider_id }

id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: { }

AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: { common_name }

common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country

geo: { country_code }

country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces a device posture rule has run successfully

device_posture: { integration_uid }

integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Match an entire email domain.

email_domain: { domain }

domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: { id }

id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: { email }

email: string

The email of the user.

formatemail

EveryoneRule { everyone }

Matches everyone.

everyone: { }

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: { evaluate_url, keys_url }

evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { "github-organization" }

Matches a Github organization. Requires a Github identity provider.

"github-organization": { identity_provider_id, name, team }

identity_provider_id: string

The ID of your Github identity provider.

The name of the organization.

team: optional string

The name of the team

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: { email, identity_provider_id }

email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider id.

login_method: { id }

id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: { id }

id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: { ip }

ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: { identity_provider_id, name }

identity_provider_id: string

The ID of your Okta identity provider.

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: { attribute_name, attribute_value, identity_provider_id }

attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: { claim_name, claim_value, identity_provider_id }

claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token

service_token: { token_id }

token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: { app_uid }

app_uid: string

The ID of an Access OIDC SaaS application

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: { user_risk_score }

user_risk_score: array of "low" or "medium" or "high" or "unscored"

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

"low"

"medium"

"high"

"unscored"

isolation_required: optional boolean

Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.

mfa_config: optional { allowed_authenticators, mfa_disabled, session_duration }

Configures multi-factor authentication (MFA) settings.

allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"

Lists the MFA methods that users can authenticate with.

One of the following:

"totp"

"biometrics"

"security_key"

mfa_disabled: optional boolean

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

session_duration: optional string

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

The name of the Access policy.

purpose_justification_prompt: optional string

A custom message that will appear on the purpose justification screen.

purpose_justification_required: optional boolean

Require users to enter a justification when they log in to the application.

require: optional array of AccessRule

Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.

One of the following:

GroupRule { group }

Matches an Access group.

group: { id }

id: string

The ID of a previously created Access group.

AnyValidServiceTokenRule { any_valid_service_token }

Matches any valid Access Service Token

any_valid_service_token: { }

An empty object which matches on all service tokens.

AccessAuthContextRule { auth_context }

Matches an Azure Authentication Context. Requires an Azure identity provider.

auth_context: { id, ac_id, identity_provider_id }

id: string

The ID of an Authentication context.

ac_id: string

The ACID of an Authentication context.

identity_provider_id: string

The ID of your Azure identity provider.

AuthenticationMethodRule { auth_method }

Enforce different MFA options

auth_method: { auth_method }

auth_method: string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

AzureGroupRule { azureAD }

Matches an Azure group. Requires an Azure identity provider.

azureAD: { id, identity_provider_id }

id: string

The ID of an Azure group.

identity_provider_id: string

The ID of your Azure identity provider.

CertificateRule { certificate }

Matches any valid client certificate.

certificate: { }

AccessCommonNameRule { common_name }

Matches a specific common name.

common_name: { common_name }

common_name: string

The common name to match.

CountryRule { geo }

Matches a specific country

geo: { country_code }

country_code: string

The country code that should be matched.

AccessDevicePostureRule { device_posture }

Enforces a device posture rule has run successfully

device_posture: { integration_uid }

integration_uid: string

The ID of a device posture integration.

DomainRule { email_domain }

Match an entire email domain.

email_domain: { domain }

domain: string

The email domain to match.

EmailListRule { email_list }

Matches an email address from a list.

email_list: { id }

id: string

The ID of a previously created email list.

EmailRule { email }

Matches a specific email.

email: { email }

email: string

The email of the user.

formatemail

EveryoneRule { everyone }

Matches everyone.

everyone: { }

An empty object which matches on all users.

ExternalEvaluationRule { external_evaluation }

Create Allow or Block policies which evaluate the user based on custom criteria.

external_evaluation: { evaluate_url, keys_url }

evaluate_url: string

The API endpoint containing your business logic.

keys_url: string

The API endpoint containing the key that Access uses to verify that the response came from your API.

GitHubOrganizationRule { "github-organization" }

Matches a Github organization. Requires a Github identity provider.

"github-organization": { identity_provider_id, name, team }

identity_provider_id: string

The ID of your Github identity provider.

The name of the organization.

team: optional string

The name of the team

GSuiteGroupRule { gsuite }

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

gsuite: { email, identity_provider_id }

email: string

The email of the Google Workspace group.

identity_provider_id: string

The ID of your Google Workspace identity provider.

AccessLoginMethodRule { login_method }

Matches a specific identity provider id.

login_method: { id }

id: string

The ID of an identity provider.

IPListRule { ip_list }

Matches an IP address from a list.

ip_list: { id }

id: string

The ID of a previously created IP list.

IPRule { ip }

Matches an IP address block.

ip: { ip }

ip: string

An IPv4 or IPv6 CIDR block.

OktaGroupRule { okta }

Matches an Okta group. Requires an Okta identity provider.

okta: { identity_provider_id, name }

identity_provider_id: string

The ID of your Okta identity provider.

The name of the Okta group.

SAMLGroupRule { saml }

Matches a SAML group. Requires a SAML identity provider.

saml: { attribute_name, attribute_value, identity_provider_id }

attribute_name: string

The name of the SAML attribute.

attribute_value: string

The SAML attribute value to look for.

identity_provider_id: string

The ID of your SAML identity provider.

AccessOIDCClaimRule { oidc }

Matches an OIDC claim. Requires an OIDC identity provider.

oidc: { claim_name, claim_value, identity_provider_id }

claim_name: string

The name of the OIDC claim.

claim_value: string

The OIDC claim value to look for.

identity_provider_id: string

The ID of your OIDC identity provider.

ServiceTokenRule { service_token }

Matches a specific Access Service Token

service_token: { token_id }

token_id: string

The ID of a Service Token.

AccessLinkedAppTokenRule { linked_app_token }

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

linked_app_token: { app_uid }

app_uid: string

The ID of an Access OIDC SaaS application

AccessUserRiskScoreRule { user_risk_score }

Matches a user’s risk score.

user_risk_score: { user_risk_score }

user_risk_score: array of "low" or "medium" or "high" or "unscored"

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

"low"

"medium"

"high"

"unscored"

reusable: optional true

session_duration: optional string

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

updated_at: optional string

formatdate-time

Get an Access reusable policy

curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/policies/$POLICY_ID \
    -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}

Returns Examples

{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "app_count": 2,
    "approval_groups": [
      {
        "approvals_needed": 1,
        "email_addresses": [
          "test1@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "email_list_uuid"
      },
      {
        "approvals_needed": 3,
        "email_addresses": [
          "test@cloudflare.com",
          "test2@cloudflare.com"
        ],
        "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
      }
    ],
    "approval_required": true,
    "connection_rules": {
      "rdp": {
        "allowed_clipboard_local_to_remote_formats": [
          "text"
        ],
        "allowed_clipboard_remote_to_local_formats": [
          "text"
        ]
      }
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "decision": "allow",
    "exclude": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "include": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "isolation_required": false,
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Allow devs",
    "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
    "purpose_justification_required": true,
    "require": [
      {
        "group": {
          "id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
        }
      }
    ],
    "reusable": true,
    "session_duration": "24h",
    "updated_at": "2014-01-01T05:20:00.12345Z"
  }
}