API Reference

Zero Trust

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Risk Scoring

Get risk event/score information for a specific user

GET/accounts/{account_id}/zt_risk_scoring/{user_id}

Clear the risk score for a particular user

POST/accounts/{account_id}/zt_risk_scoring/{user_id}/reset

ModelsExpand Collapse

RiskScoringGetResponse = object { email, events, name, 2 more }

email: string

events: array of object { id, name, risk_level, 2 more }

id: string

name: string

risk_level: "low" or "medium" or "high"

One of the following:

"low"

"medium"

"high"

timestamp: string

formatdate-time

event_details: optional unknown

name: string

last_reset_time: optional string

formatdate-time

risk_level: optional "low" or "medium" or "high"

One of the following:

"low"

"medium"

"high"

RiskScoringResetResponse = unknown

Risk ScoringBehaviours

Get all behaviors and associated configuration

GET/accounts/{account_id}/zt_risk_scoring/behaviors

Update configuration for risk behaviors

PUT/accounts/{account_id}/zt_risk_scoring/behaviors

ModelsExpand Collapse

BehaviourGetResponse = object { behaviors }

behaviors: map[object { description, enabled, name, risk_level } ]

description: string

enabled: boolean

name: string

risk_level: "low" or "medium" or "high"

One of the following:

"low"

"medium"

"high"

BehaviourUpdateResponse = object { behaviors }

behaviors: map[object { enabled, risk_level } ]

enabled: boolean

risk_level: "low" or "medium" or "high"

One of the following:

"low"

"medium"

"high"

Risk ScoringSummary

Get risk score info for all users in the account

GET/accounts/{account_id}/zt_risk_scoring/summary

ModelsExpand Collapse

SummaryGetResponse = object { users }

users: array of object { email, event_count, last_event, 3 more }

email: string

event_count: number

minimum0

last_event: string

formatdate-time

max_risk_level: "low" or "medium" or "high"

One of the following:

"low"

"medium"

"high"

name: string

user_id: string

formatuuid

Risk ScoringIntegrations

List all risk score integrations for the account.

GET/accounts/{account_id}/zt_risk_scoring/integrations

Get risk score integration by id.

GET/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}

Create new risk score integration.

POST/accounts/{account_id}/zt_risk_scoring/integrations

Update a risk score integration.

PUT/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}

Delete a risk score integration.

DELETE/accounts/{account_id}/zt_risk_scoring/integrations/{integration_id}

ModelsExpand Collapse

IntegrationListResponse = object { id, account_tag, active, 5 more }

id: string

The id of the integration, a UUIDv4.

formatuuid

account_tag: string

The Cloudflare account tag.

active: boolean

Whether this integration is enabled and should export changes in risk score.

created_at: string

When the integration was created in RFC3339 format.

formatdate-time

integration_type: "Okta"

reference_id: string

A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.

tenant_url: string

The base URL for the tenant. E.g. "https://tenant.okta.com".

well_known_url: string

The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

IntegrationGetResponse = object { id, account_tag, active, 5 more }

id: string

The id of the integration, a UUIDv4.

formatuuid

account_tag: string

The Cloudflare account tag.

active: boolean

Whether this integration is enabled and should export changes in risk score.

created_at: string

When the integration was created in RFC3339 format.

formatdate-time

integration_type: "Okta"

reference_id: string

A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.

tenant_url: string

The base URL for the tenant. E.g. "https://tenant.okta.com".

well_known_url: string

The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

IntegrationCreateResponse = object { id, account_tag, active, 5 more }

id: string

The id of the integration, a UUIDv4.

formatuuid

account_tag: string

The Cloudflare account tag.

active: boolean

Whether this integration is enabled and should export changes in risk score.

created_at: string

When the integration was created in RFC3339 format.

formatdate-time

integration_type: "Okta"

reference_id: string

A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.

tenant_url: string

The base URL for the tenant. E.g. "https://tenant.okta.com".

well_known_url: string

The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

IntegrationUpdateResponse = object { id, account_tag, active, 5 more }

id: string

The id of the integration, a UUIDv4.

formatuuid

account_tag: string

The Cloudflare account tag.

active: boolean

Whether this integration is enabled and should export changes in risk score.

created_at: string

When the integration was created in RFC3339 format.

formatdate-time

integration_type: "Okta"

reference_id: string

A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.

tenant_url: string

The base URL for the tenant. E.g. "https://tenant.okta.com".

well_known_url: string

The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.

IntegrationDeleteResponse = unknown

Risk ScoringIntegrationsReferences

Get risk score integration by reference id.

GET/accounts/{account_id}/zt_risk_scoring/integrations/reference_id/{reference_id}

ModelsExpand Collapse

ReferenceGetResponse = object { id, account_tag, active, 5 more }

id: string

The id of the integration, a UUIDv4.

formatuuid

account_tag: string

The Cloudflare account tag.

active: boolean

Whether this integration is enabled and should export changes in risk score.

created_at: string

When the integration was created in RFC3339 format.

formatdate-time

integration_type: "Okta"

reference_id: string

A reference ID defined by the client. Should be set to the Access-Okta IDP integration ID. Useful when the risk-score integration needs to be associated with a secondary asset and recalled using that ID.

tenant_url: string

The base URL for the tenant. E.g. "https://tenant.okta.com".

well_known_url: string

The URL for the Shared Signals Framework configuration, e.g. "/.well-known/sse-configuration/{integration_uuid}/". https://openid.net/specs/openid-sse-framework-1_0.html#rfc.section.6.2.1.