Cloudflare Docs
Visit Cloudflare Zero Trust on GitHub
Set theme to dark (⇧+D)


Each client supports the following set of parameters as part of their deployment, regardless of the deployment mechanism.

Required for full Cloudflare One features

For the vast majority of Cloudflare Zero Trust features to work, you need to specify a team name. Examples of Cloudflare Zero Trust features depending on the team name are HTTP policies , Browser Isolation , and device posture .


FieldValue Type

Description. Instructs the client to register device with your organization. Registration requires authentication via an IDP or Service Auth .

Value: Your team name .

Required field for DNS only policy enforcement

This field is only required to enforce DNS policies when deploying the client in DoH-only mode.


FieldValue Type

Description. Instructs the client to direct all DNS queries to a specific policy location. This value is only necessary if deploying without a team name or in an organization with multiple policy locations.

Value: Your DoH subdomain .

Optional fields


FieldValue Type

Description. Allows you to choose the operational mode of the client.


  • 1dot1 Gateway enforcement of DNS policies only through DoH . All other traffic is handled by your devices default mechanisms
  • warp [default value] All traffic sent through Cloudflare Gateway via our encrypted tunnel. This mode is required for features such as HTTP policies, Browser Isolation, identity-based rules, or device posture.

New service modes such as Proxy only are not supported as a value and must be configured in the Zero Trust dashboard.


FieldValue Type

Description. Controls the visibility of the onboarding screens that ask the user to review the privacy policy during an application’s first launch.


  • false Screens hidden.
  • true [default value] Screen visible.


FieldValue Type

Description. Allows the user to control the connected state of the application (main toggle switch).


  • false [default value] The user is able to turn switch on/off at their discretion. When the switch is off, the user will not have the ability to reach sites protected by Access that leverage certain device posture checks.
  • true The user is prevented from turning off the switch.

On new deployments, you must also include the auto_connect parameter with at least a value of 0. This will prevent clients from being deployed in the off state without a way for users to manually enable them.


FieldValue Type

Description. If switch has been turned off by user the client will automatically turn itself back on after the specified number of minutes. We recommend keeping this set to a very low value, usually just enough time for a user to login to hotel or airport wifi.


  • 0 Allow the switch to stay in the off position indefinitely until the user turns it back on.
  • 1-1440 Turn switch back on automatically after the specified number of minutes.


FieldValue Type

Description. When the WARP client is deployed via MDM, the in-app Send Feedback button is disabled by default. This parameter allows you to re-enable the button and direct it towards your organization.


  • Use an https:// link to open your companies internal help site.
  • mailto:[email protected] Use a mailto: link to open your default mail client.

Authentication with service tokens

Instead of requiring users to authenticate with their credentials, you can deploy the WARP client with a pre-generated Service Token .

Both a auth_client_id and auth_client_secret are required when using this authentication method.


FieldValue Type

Description. The automatically generated ID when you created your Service Token .

Value: Client ID from your service token.


FieldValue Type

Description. The automatically generated secret when you created your Service Token .

Value: Client Secret from your service token.

Frequently Asked Questions

  • What happens if I don’t supply a Gateway DoH subdomain? If you specify an organization we will automatically use the default location specified in Gateway.

  • How do I obtain logs in the event of an issue with client? The macOS and Windows clients installations each contain an application in their installed folders called warp-diag that can be used to obtain logs.