Gateway
Get Zero Trust account information
Create Zero Trust account
Models
Gateway / Audit SSH Settings
Get Zero Trust SSH settings
Update Zero Trust SSH settings
Rotate Zero Trust SSH account seed
Models
GatewaySettings { created_at, public_key, seed_id, updated_at }
Provide the Base64-encoded HPKE public key that encrypts SSH session logs. See https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/#enable-ssh-command-logging.
Gateway / Categories
List categories
Models
Category { id, beta, class, 3 more }
class: optional "free" or "premium" or "blocked" or 2 more. Specify which account types can create policies for this category. blocked: Blocks unconditionally for all accounts. removalPending: Allows removal from policies but disables addition. noBlock: Prevents blocking.
subcategories: optional array of { id, beta, class, 2 more }. Provide all subcategories for this category.
Gateway / App Types
List application and application type mappings
Models
AppType = { id, application_type_id, created_at, name } or { id, created_at, description, name }
ZeroTrustGatewayApplication { id, application_type_id, created_at, name }
Gateway / Configurations
Get Zero Trust account configuration
Update Zero Trust account configuration
Patch Zero Trust account configuration
Models
BlockPageSettings { background_color, enabled, footer_text, 12 more } Specify block page layout settings.
Specify the block page background color in #rrggbb format when the mode is customized_block_page.
Specify the block page footer text when the mode is customized_block_page.
Specify the block page header text when the mode is customized_block_page.
Specify whether to append context to target_uri as query parameters. This applies only when the mode is redirect_uri.
Specify the full URL to the logo file when the mode is customized_block_page.
Specify the admin email for users to contact when the mode is customized_block_page.
Specify the subject line for emails created from the block page when the mode is customized_block_page.
mode: optional "" or "customized_block_page" or "redirect_uri". Specify whether to redirect users to a Cloudflare-hosted block page or a customer-provided URI.
Indicate that this setting was shared via the Orgs API and is read-only for the current account.
Specify whether to suppress detailed information at the bottom of the block page when the mode is customized_block_page.
ExtendedEmailMatching { enabled, read_only, source_account, version } Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.
GatewayConfigurationSettings { activity_log, antivirus, block_page, 11 more } Specify account settings.
Specify anti-virus settings.
Specify Clientless Browser Isolation settings.
certificate: optional { id } Specify certificate settings for Gateway TLS interception. If unset, the Cloudflare Root CA handles interception.
Specify custom certificate settings for BYO-PKI. This field is deprecated; use certificate instead.
Configures user email settings for firewall policies. When you enable this, the system standardizes email addresses in the identity portion of the rule to match extended email variants in firewall policies. When you disable this setting, the system matches email addresses exactly as you provide them. Enable this setting if your email uses . or + modifiers.
inspection: optional { mode } Define the proxy inspection mode.
mode: optional "static" or "dynamic". Define the proxy inspection mode.
1. static: Gateway applies static inspection to HTTP on TCP(80). With TLS decryption on, Gateway inspects HTTPS traffic on TCP(443) and UDP(443).
2. dynamic: Gateway applies protocol detection to inspect HTTP and HTTPS traffic on any port. TLS decryption must remain on to inspect HTTPS traffic.
Gateway / Configurations / Custom Certificate
Get Zero Trust certificate configuration
Gateway / Lists
List Zero Trust lists
Get Zero Trust list details
Create Zero Trust list
Update Zero Trust list
Patch Zero Trust list
Delete Zero Trust list
Models
Gateway / Lists / Items
Get Zero Trust list items
Gateway / Locations
List Zero Trust Gateway locations
Get Zero Trust Gateway location details
Create a Zero Trust Gateway location
Update a Zero Trust Gateway location
Delete a Zero Trust Gateway location
Models
Location { id, client_default, created_at, 11 more }
Indicate the identifier of the pair of IPv4 addresses assigned to this location.
Specify the UUID of the IPv6 block brought to the gateway so that this location’s IPv6 address is allocated from the Bring Your Own IPv6 (BYOIPv6) block rather than the standard Cloudflare IPv6 block.
Specify the DNS over HTTPS domain that receives DNS requests. Gateway automatically generates this value.
Defines the automatically generated IPv6 destination IP assigned to this location. Gateway counts all DNS requests sent to this IP as requests under this location.
Show the primary destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.
Show the backup destination IPv4 address from the pair identified by dns_destination_ips_id. This field is read-only.
Gateway / Logging
Get logging settings for the Zero Trust account
Update Zero Trust account logging settings
Models
LoggingSetting { redact_pii, settings_by_rule_type }
Indicate whether to redact personally identifiable information from activity logging (PII fields include source IP, user email, user ID, device ID, URL, referrer, and user agent).
Gateway / Proxy Endpoints
List proxy endpoints
Get a proxy endpoint
Create a proxy endpoint
Update a proxy endpoint
Delete a proxy endpoint
Gateway / Rules
List Zero Trust Gateway rules
Get Zero Trust Gateway rule details
Create a Zero Trust Gateway rule
Update a Zero Trust Gateway rule
Delete a Zero Trust Gateway rule
List Zero Trust Gateway rules inherited from the parent account
Reset the expiration of a Zero Trust Gateway Rule
Models
DNSResolverSettingsV4 { ip, port, route_through_private_network, vnet_id }
DNSResolverSettingsV6 { ip, port, route_through_private_network, vnet_id }
GatewayRule { action, enabled, filters, 18 more }
action: "on" or "off" or "allow" or 13 more. Specify the action to perform when the associated traffic, identity, and device posture expressions are either absent or evaluate to true.
Specify the protocol or layer to evaluate the traffic, identity, and device posture expressions. Can only contain a single value.
Set the order of your rules. Lower values indicate higher precedence. At each processing phase, evaluate applicable rules in ascending order of this value. Refer to Order of enforcement to manage precedence via Terraform.
Specify the wirefilter expression used for traffic matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
Specify the wirefilter expression used for device posture check. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
expiration: optional { expires_at, duration, expired } Defines the expiration time stamp and default duration of a DNS policy. Takes precedence over the policy’s schedule configuration, if any. This does not apply to HTTP or network policies. Settable only for dns rules.
Show the timestamp when the policy expires and stops applying. The value must follow RFC 3339 and include a UTC offset. The system accepts non-zero offsets but converts them to the equivalent UTC+00:00 value and returns timestamps with a trailing Z. Expiration policies ignore client timezones and expire globally at the specified expires_at time.
Specify the wirefilter expression used for identity matching. The API automatically formats and sanitizes expressions before storing them. To prevent Terraform state drift, use the formatted expression returned in the API response.
Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
RuleSetting { add_headers, allow_child_bypass, audit_ssh, 23 more } Defines settings for this rule. Settings apply only to specific rule types and must use compatible selectors. If Terraform detects drift, confirm the setting supports your rule type and check whether the API modifies the value. Use API-returned values in your configuration to prevent drift.
Add custom headers to allowed requests as key-value pairs. Use header names as keys that map to arrays of header values. Settable only for http rules with the action set to allow.
Set to enable MSP children to bypass this rule. Only parent MSP accounts can set this. Settable for all types of rules.
audit_ssh: optional { command_logging } Define the settings for the Audit SSH action. Settable only for l4 rules with audit_ssh action.
biso_admin_controls: optional { copy, dcp, dd, 9 more } Configure browser isolation behavior. Settable only for http rules with the action set to isolate.
copy: optional "enabled" or "disabled" or "remote_only". Configure copy behavior. If set to remote_only, users cannot copy isolated content from the remote browser to the local clipboard. If this field is absent, copying remains enabled. Applies only when version == "v2".
download: optional "enabled" or "disabled" or "remote_only". Configure download behavior. When set to remote_only, users can view downloads but cannot save them. Applies only when version == "v2".
keyboard: optional "enabled" or "disabled". Configure keyboard usage behavior. If this field is absent, keyboard usage remains enabled. Applies only when version == "v2".
paste: optional "enabled" or "disabled" or "remote_only". Configure paste behavior. If set to remote_only, users cannot paste content from the local clipboard into isolated pages. If this field is absent, pasting remains enabled. Applies only when version == "v2".
printing: optional "enabled" or "disabled". Configure print behavior. Printing is enabled by default. Applies only when version == "v2".
block_page: optional { target_uri, include_context } Configure custom block page settings. If missing or null, use the account settings. Settable only for http rules with the action set to block.
Enable the custom block page. Settable only for dns rules with action block.
Explain why the rule blocks the request. The custom block page shows this text (if enabled). Settable only for dns, l4, and http rules when the action is set to block.
Set to enable MSP accounts to bypass their parent’s rules. Only MSP child accounts can set this. Settable for all types of rules.
check_session: optional { duration, enforce } Configure session check behavior. Settable only for l4 and http rules with the action set to allow.
dns_resolvers: optional { ipv4, ipv6 }. Configure custom resolvers to route queries that match the resolver policy. Unused with the ‘resolve_dns_through_cloudflare’ or ‘resolve_dns_internally’ settings. DNS queries get routed to the address closest to their origin. Only valid when a rule’s action is set to ‘resolve’. Settable only for dns_resolver rules.
egress: optional { ipv4, ipv4_fallback, ipv6 } Configure how Gateway Proxy traffic egresses. You can enable this setting for rules with Egress actions and filters, or omit it to indicate local egress via WARP IPs. Settable only for egress rules.
forensic_copy: optional { enabled } Configure whether a copy of the HTTP request will be sent to storage when the rule matches.
Ignore category matches at CNAME domains in a response. When off, evaluate categories in this rule against all CNAME domain categories in the response. Settable only for dns and dns_resolver rules.
Specify whether to disable DNSSEC validation (for Allow actions) [INSECURE]. Settable only for dns rules.
Enable IPs in DNS resolver category blocks. The system blocks only domain name categories unless you enable this setting. Settable only for dns and dns_resolver rules.
Indicates whether to include IPs in DNS resolver indicator feed blocks. By default, indicator feeds block only domain names. Settable only for dns and dns_resolver rules.
l4override: optional { ip, port } Send matching traffic to the supplied destination IP address and port. Settable only for l4 rules with the action set to l4_override.
notification_settings: optional { enabled, include_context, msg, support_url }. Configure a notification to display on the user’s device when this rule is matched. Settable for all types of rules with the action set to block.
Defines the hostname used to override matching DNS queries. Settable only for dns rules with the action set to override.
Defines an IP or set of IPs for overriding matched DNS queries. Settable only for dns rules with the action set to override.
quarantine: optional { file_types } Configure settings that apply to quarantine rules. Settable only for http rules.
redirect: optional { target_uri, include_context, preserve_path_and_query } Apply settings to redirect rules. Settable only for http rules with the action set to redirect.
resolve_dns_internally: optional { fallback, view_id }. Configure to forward the query to the internal DNS service, passing the specified ‘view_id’ as input. Not used when ‘dns_resolvers’ is specified or ‘resolve_dns_through_cloudflare’ is set. Only valid when a rule’s action is set to ‘resolve’. Settable only for dns_resolver rules.
Enable to send queries that match the policy to Cloudflare’s default 1.1.1.1 DNS resolver. Cannot be set when ‘dns_resolvers’ is specified or ‘resolve_dns_internally’ is set. Only valid when a rule’s action is set to ‘resolve’. Settable only for dns_resolver rules.
Schedule { fri, mon, sat, 5 more } Defines the schedule for activating DNS policies. Settable only for dns and dns_resolver rules.
Specify the time intervals when the rule is active on Fridays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Fridays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
Specify the time intervals when the rule is active on Mondays, in increasing order from 00:00-24:00 (capped at a maximum of 6 time splits). If this parameter is omitted, the rule is deactivated on Mondays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
Specify the time intervals when the rule is active on Saturdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Saturdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
Specify the time intervals when the rule is active on Sundays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Sundays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
Specify the time intervals when the rule is active on Thursdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Thursdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
Specify the time zone for rule evaluation. When a valid time zone city name is provided, Gateway always uses the current time for that time zone. When this parameter is omitted, Gateway uses the time zone determined from the user’s IP address. The colo time zone is used when the user’s IP address does not resolve to a location.
Specify the time intervals when the rule is active on Tuesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Tuesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
Specify the time intervals when the rule is active on Wednesdays, in increasing order from 00:00-24:00. If this parameter is omitted, the rule is deactivated on Wednesdays. The API returns a formatted version of this string, which may cause Terraform drift if an unformatted value is used.
Gateway / Certificates
List Zero Trust certificates
Get Zero Trust certificate details
Create Zero Trust certificate
Delete Zero Trust certificate
Activate a Zero Trust certificate
Deactivate a Zero Trust certificate
Models
CertificateListResponse { id, binding_status, certificate, 9 more }
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive". Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.
Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate.
CertificateGetResponse { id, binding_status, certificate, 9 more }
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive". Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.
Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate.
CertificateCreateResponse { id, binding_status, certificate, 9 more }
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive". Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.
Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate.
CertificateDeleteResponse { id, binding_status, certificate, 9 more }
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive". Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.
Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate.
CertificateActivateResponse { id, binding_status, certificate, 9 more }
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive". Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.
Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate.
CertificateDeactivateResponse { id, binding_status, certificate, 9 more }
binding_status: optional "pending_deployment" or "available" or "pending_deletion" or "inactive". Indicate the read-only deployment status of the certificate on Cloudflare’s edge. Gateway TLS interception can use certificates in the ‘available’ (previously called ‘active’) state.
Indicate whether Gateway TLS interception uses this certificate (read-only). You cannot set this value directly. To configure interception, use the Gateway configuration setting named certificate.