Organizations

Get your Zero Trust organization

GET/{accounts_or_zones}/{account_or_zone_id}/access/organizations

Create your Zero Trust organization

POST/{accounts_or_zones}/{account_or_zone_id}/access/organizations

Update your Zero Trust organization

PUT/{accounts_or_zones}/{account_or_zone_id}/access/organizations

Revoke all Access tokens for a user

POST/{accounts_or_zones}/{account_or_zone_id}/access/organizations/revoke_user

ModelsExpand Collapse

LoginDesign = object { background_color, footer_text, header_text, 2 more }

background_color: optional string

The background color on your login page.

footer_text: optional string

The text at the bottom of your login page.

header_text: optional string

The text at the top of your login page.

logo_path: optional string

The URL of the logo on your login page.

text_color: optional string

The text color on your login page.

Organization = object { allow_authenticate_via_warp, auth_domain, auto_redirect_to_identity, 12 more }

allow_authenticate_via_warp: optional boolean

When set to true, users can authenticate via WARP for any application in your organization. Application settings will take precedence over this value.

auth_domain: optional string

The unique subdomain assigned to your Zero Trust organization.

auto_redirect_to_identity: optional boolean

When set to true, users skip the identity provider selection step during login.

custom_pages: optional object { forbidden, identity_denied }

forbidden: optional string

The uid of the custom page to use when a user is denied access after failing a non-identity rule.

identity_denied: optional string

The uid of the custom page to use when a user is denied access.

deny_unmatched_requests: optional boolean

Determines whether to deny all requests to Cloudflare-protected resources that lack an associated Access application. If enabled, you must explicitly configure an Access application and policy to allow traffic to your Cloudflare-protected resources. For domains you want to be public across all subdomains, add the domain to the deny_unmatched_requests_exempted_zone_names array.

deny_unmatched_requests_exempted_zone_names: optional array of string

Contains zone names to exempt from the deny_unmatched_requests feature. Requests to a subdomain in an exempted zone will block unauthenticated traffic by default if there is a configured Access application and policy that matches the request.

is_ui_read_only: optional boolean

Lock all settings as Read-Only in the Dashboard, regardless of user permission. Updates may only be made via the API or Terraform for this account when enabled.

login_design: optional LoginDesign { background_color, footer_text, header_text, 2 more }

mfa_config: optional object { allowed_authenticators, session_duration }

Configures multi-factor authentication (MFA) settings for an organization.

allowed_authenticators: optional array of "totp" or "biometrics" or "security_key"

Lists the MFA methods that users can authenticate with.

One of the following:

"totp"

"biometrics"

"security_key"

session_duration: optional string

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples:5m or 24h.

mfa_required_for_all_apps: optional boolean

Determines whether global MFA settings apply to applications by default. The organization must have MFA enabled with at least one authentication method and a session duration configured.

The name of your Zero Trust organization.

session_duration: optional string

The amount of time that tokens issued for applications will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

ui_read_only_toggle_reason: optional string

A description of the reason why the UI read only field is being toggled.

user_seat_expiration_inactive_time: optional string

The amount of time a user seat is inactive before it expires. When the user seat exceeds the set time of inactivity, the user is removed as an active seat and no longer counts against your Teams seat count. Minimum value for this setting is 1 month (730h). Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

warp_auth_session_duration: optional string

The amount of time that tokens issued for applications will be valid. Must be in the format 30m or 2h45m. Valid time units are: m, h.

OrganizationRevokeUsersResponse = true or false

One of the following:

true

false

OrganizationsDOH

Get your Zero Trust organization DoH settings

GET/accounts/{account_id}/access/organizations/doh

Update your Zero Trust organization DoH settings

PUT/accounts/{account_id}/access/organizations/doh

ModelsExpand Collapse

DOHGetResponse = object { id, client_id, doh_jwt_duration, 3 more }

id: optional string

The ID of the service token.

maxLength36

client_id: optional string

The Client ID for the service token. Access will check for this value in the CF-Access-Client-ID request header.

doh_jwt_duration: optional string

The duration the DoH JWT is valid for. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note that the maximum duration for this setting is the same as the key rotation period on the account.

duration: optional string

The duration for how long the service token will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h).

expires_at: optional string

formatdate-time

The name of the service token.

DOHUpdateResponse = object { id, client_id, doh_jwt_duration, 3 more }