Zero Trust
zero_trust
Access
zero_trust.access
Domain types
Enforces a device posture rule has run successfully
Matches an Access group.
Matches any valid Access Service Token
Enforce different MFA options
Matches an Azure group. Requires an Azure identity provider.
Matches any valid client certificate.
Matches a specific country
Match an entire email domain.
Matches an email address from a list.
Matches a specific email.
Matches everyone.
Create Allow or Block policies which evaluate the user based on custom criteria.
Matches a Github organization. Requires a Github identity provider.
Matches an Access group.
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
Matches an IP address from a list.
Matches an IP address block.
Matches an Okta group. Requires an Okta identity provider.
Matches a SAML group. Requires a SAML identity provider.
Matches a specific Access Service Token
zero_trust.access.applications
Methods
Adds a new application to Access.
Deletes an application from Access.
Fetches information about an Access application.
Lists all Access applications in an account or zone.
Revokes all tokens issued for an application.
Updates an Access application.
Domain types
The identity providers selected for application.
Identifier
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The application type.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
The format of the name identifier sent to the SaaS application.
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
Transformations and filters applied to resources before they are provisioned in the remote SCIM service.
A domain that Access will secure.
zero_trust.access.applications.cas
Methods
Generates a new short-lived certificate CA and public key.
Deletes a short-lived certificate CA.
Fetches a short-lived certificate CA and its public key.
Lists short-lived certificate CAs and their public keys.
Domain types
zero_trust.access.applications.policies
Methods
Creates a policy applying exclusive to a single application that defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.
Deletes an Access policy specific to an application. To delete a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.
Fetches a single Access policy configured for an application. Returns both exclusively owned and reusable policies used by the application.
Lists Access policies configured for an application. Returns both exclusively scoped and reusable policies used by the application.
Updates an Access policy specific to an application. To update a reusable policy, use the /account or zones/{account or zone_id}/policies/{uid} endpoint.
zero_trust.access.applications.policy_tests
Methods
Starts an Access policy test.
Fetches the current status of a given Access policy test.
zero_trust.access.applications.policy_tests.users
Methods
Fetches a single page of user results from an Access policy test.
zero_trust.access.applications.user_policy_checks
Methods
Tests if a specific user has permission to access an application.
Domain types
zero_trust.access.bookmarks
Methods
Create a new Bookmark application.
Deletes a Bookmark application.
Fetches a single Bookmark application.
Lists Bookmark applications.
Updates a configured Bookmark application.
Domain types
zero_trust.access.certificates
Methods
Adds a new mTLS root certificate to Access.
Deletes an mTLS certificate.
Fetches a single mTLS certificate.
Lists all mTLS root certificates.
Updates a configured mTLS certificate.
Domain types
A fully-qualified domain name (FQDN).
zero_trust.access.certificates.settings
Methods
List all mTLS hostname settings for this account or zone.
Updates an mTLS certificate's hostname settings.
Domain types
zero_trust.access.custom_pages
Methods
Create a custom page
Delete a custom page
Fetches a custom page and also returns its HTML.
List custom pages
Update a custom page
Domain types
zero_trust.access.gateway_ca
Methods
Adds a new SSH Certificate Authority (CA).
Deletes an SSH Certificate Authority.
Lists SSH Certificate Authorities (CA).
zero_trust.access.groups
Methods
Creates a new Access group.
Deletes an Access group.
Fetches a single Access group.
Lists all Access groups.
Updates a configured Access group.
Domain types
zero_trust.access.infrastructure
zero_trust.access.infrastructure.targets
Methods
Removes one or more targets.
Adds one or more targets.
Create new target
Delete target
Get target
Lists and sorts an account’s targets. Filters are optional and are ANDed together.
Update target
zero_trust.access.keys
Methods
Gets the Access key rotation settings for an account.
Perfoms a key rotation for an account.
Updates the Access key rotation settings for an account.
zero_trust.access.logs
zero_trust.access.logs.access_requests
Methods
Gets a list of Access authentication audit logs for an account.
Domain types
zero_trust.access.policies
Methods
Creates a new Access reusable policy.
Deletes an Access reusable policy.
Fetches a single Access reusable policy.
Lists Access reusable policies.
Updates a Access reusable policy.
Domain types
A group of email addresses that can approve a temporary authentication request.
zero_trust.access.service_tokens
Methods
Generates a new service token. Note: This is the only time you can get the Client Secret. If you lose the Client Secret, you will have to rotate the Client Secret or create a new service token.
Deletes a service token.
Fetches a single service token.
Lists all service tokens.
Refreshes the expiration of a service token.
Generates a new Client Secret for a service token and revokes the old one.
Updates a configured service token.
Domain types
zero_trust.access.users
Methods
Gets a list of users for an account.
Domain types
zero_trust.access.users.active_sessions
Methods
Get an active session for a single user.
Get active sessions for a single user.
zero_trust.access.users.failed_logins
Methods
Get all failed login attempts for a single user.
zero_trust.access.users.last_seen_identity
Methods
Get last seen identity for a single user.
Domain types
Connectivity Settings
zero_trust.connectivity_settings
Methods
Updates the Zero Trust Connectivity Settings for the given account.
Gets the Zero Trust Connectivity Settings for the given account.
Devices
zero_trust.devices
Methods
Fetches details for a single device.
Fetches a list of enrolled devices.
Domain types
zero_trust.devices.dex_tests
Methods
Create a DEX test.
Delete a Device DEX test. Returns the remaining device dex tests for the account.
Fetch a single DEX test.
Fetch all DEX tests.
Update a DEX test.
Domain types
The configuration object which contains the details for the WARP client to conduct the test.
zero_trust.devices.fleet_status
Methods
Get the live status of a latest device given device_id from the device_state table
zero_trust.devices.networks
Methods
Creates a new device managed network.
Deletes a device managed network and fetches a list of the remaining device managed networks for an account.
Fetches details for a single managed network.
Fetches a list of managed networks for an account.
Updates a configured device managed network.
Domain types
zero_trust.devices.override_codes
Methods
Fetches a one-time use admin override code for a device. This relies on the Admin Override setting being enabled in your device configuration.
zero_trust.devices.policies
Domain types
zero_trust.devices.policies.custom
Methods
Creates a device settings profile to be applied to certain devices matching the criteria.
Deletes a device settings profile and fetches a list of the remaining profiles for an account.
Updates a configured device settings profile.
Fetches a device settings profile by ID.
Fetches a list of the device settings profiles for an account.
zero_trust.devices.policies.custom.excludes
Methods
Fetches the list of routes excluded from the WARP client's tunnel for a specific device settings profile.
Sets the list of routes excluded from the WARP client's tunnel for a specific device settings profile.
zero_trust.devices.policies.custom.fallback_domains
Methods
Fetches the list of domains to bypass Gateway DNS resolution from a specified device settings profile. These domains will use the specified local DNS resolver instead.
Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead. This will only apply to the specified device settings profile.
zero_trust.devices.policies.custom.includes
Methods
Fetches the list of routes included in the WARP client's tunnel for a specific device settings profile.
Sets the list of routes included in the WARP client's tunnel for a specific device settings profile.
zero_trust.devices.policies.default
Methods
Updates the default device settings profile for an account.
Fetches the default device settings profile for an account.
zero_trust.devices.policies.default.certificates
Methods
Enable Zero Trust Clients to provision a certificate, containing a x509 subject, and referenced by Access device posture policies when the client visits MTLS protected domains. This facilitates device posture without a WARP session.
Fetches device certificate provisioning
zero_trust.devices.policies.default.excludes
Methods
Fetches the list of routes excluded from the WARP client's tunnel.
Sets the list of routes excluded from the WARP client's tunnel.
zero_trust.devices.policies.default.fallback_domains
Methods
Fetches a list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.
Sets the list of domains to bypass Gateway DNS resolution. These domains will use the specified local DNS resolver instead.
zero_trust.devices.policies.default.includes
Methods
Fetches the list of routes included in the WARP client's tunnel.
Sets the list of routes included in the WARP client's tunnel.
zero_trust.devices.posture
Methods
Creates a new device posture rule.
Deletes a device posture rule.
Fetches a single device posture rule.
Fetches device posture rules for a Zero Trust account.
Updates a device posture rule.
Domain types
The value to be checked against.
zero_trust.devices.posture.integrations
Methods
Create a new device posture integration.
Delete a configured device posture integration.
Updates a configured device posture integration.
Fetches details for a single device posture integration.
Fetches the list of device posture integrations for an account.
Domain types
zero_trust.devices.revoke
Methods
Revokes a list of devices.
zero_trust.devices.settings
Methods
Patches the current device settings for a Zero Trust account.
Describes the current device settings for a Zero Trust account.
Updates the current device settings for a Zero Trust account.
Domain types
zero_trust.devices.unrevoke
Methods
Unrevokes a list of devices.
DEX
zero_trust.dex
Domain types
zero_trust.dex.colos
Methods
List Cloudflare colos that account's devices were connected to during a time period, sorted by usage starting from the most used colo. Colos without traffic are also returned and sorted alphabetically.
zero_trust.dex.commands
Methods
Initiate commands for up to 10 devices per account
Retrieves a paginated list of commands issued to devices under the specified account, optionally filtered by time range, device, or other parameters
zero_trust.dex.commands.devices
Methods
List devices with WARP client support for remote captures which have been connected in the last 1 hour.
zero_trust.dex.commands.downloads
Methods
Downloads artifacts for an executed command. Bulk downloads are not supported
zero_trust.dex.commands.quota
Methods
Retrieves the current quota usage and limits for device commands within a specific account, including the time when the quota will reset
zero_trust.dex.fleet_status
Methods
List details for live (up to 60 minutes) devices using WARP
List details for devices using WARP, up to 7 days
Domain types
zero_trust.dex.fleet_status.devices
Methods
List details for devices using WARP
zero_trust.dex.http_tests
Methods
Get test details and aggregate performance metrics for an http test for a given time period between 1 hour and 7 days.
Domain types
zero_trust.dex.http_tests.percentiles
Methods
Get percentiles for an http test for a given time period between 1 hour and 7 days.
Domain types
zero_trust.dex.tests
Methods
List DEX tests with overview metrics
Domain types
zero_trust.dex.tests.unique_devices
Methods
Returns unique count of devices that have run synthetic application monitoring tests in the past 7 days.
Domain types
zero_trust.dex.traceroute_test_results
zero_trust.dex.traceroute_test_results.network_path
Methods
Get a breakdown of hops and performance metrics for a specific traceroute test run
zero_trust.dex.traceroute_tests
Methods
Get test details and aggregate performance metrics for an traceroute test for a given time period between 1 hour and 7 days.
Get a breakdown of metrics by hop for individual traceroute test runs
Get percentiles for a traceroute test for a given time period between 1 hour and 7 days.
Domain types
DLP
zero_trust.dlp
zero_trust.dlp.datasets
Methods
Create a new dataset
This deletes all versions of the dataset.
Fetch a specific dataset
Fetch all datasets
Update details about a dataset
Domain types
zero_trust.dlp.datasets.upload
Methods
Prepare to upload a new version of a dataset
This is used for single-column EDMv1 and Custom Word Lists. The EDM format can only be created in the Cloudflare dashboard. For other clients, this operation can only be used for non-secret Custom Word Lists. The body must be a UTF-8 encoded, newline (NL or CRNL) separated list of words to be matched.
Domain types
zero_trust.dlp.datasets.versions
Methods
This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard. The columns in the response appear in the same order as in the request.
zero_trust.dlp.datasets.versions.entries
Methods
This is used for multi-column EDMv2 datasets. The EDMv2 format can only be created in the Cloudflare dashboard.
zero_trust.dlp.email
zero_trust.dlp.email.account_mapping
Methods
Create mapping
Get mapping
zero_trust.dlp.email.rules
Methods
Update email scanner rule priorities
Create email scanner rule
Delete email scanner rule
Get an email scanner rule
Lists all email scanner rules for an account.
Update email scanner rule
zero_trust.dlp.entries
Methods
Creates a DLP custom entry.
Deletes a DLP custom entry.
Fetches a DLP entry by ID
Lists all DLP entries in an account.
Updates a DLP entry.
zero_trust.dlp.limits
Methods
Fetch limits associated with DLP for account
zero_trust.dlp.patterns
Methods
Validates whether this pattern is a valid regular expression. Rejects it if
the regular expression is too complex or can match an unbounded-length
string. The regex will be rejected if it uses *
or +
. Bound the maximum
number of characters that can be matched using a range, e.g. {1,100}
.
zero_trust.dlp.payload_logs
Methods
Get payload log settings
Set payload log settings
zero_trust.dlp.profiles
Methods
Fetches a DLP profile by ID
Lists all DLP profiles in an account.
Domain types
Scan the context of predefined entries to only return matches surrounded by keywords.
Content types to exclude from context analysis and return all matches.
zero_trust.dlp.profiles.custom
Methods
Creates a DLP custom profile.
Deletes a DLP custom profile.
Fetches a custom DLP profile by id.
Updates a DLP custom profile.
Domain types
zero_trust.dlp.profiles.predefined
Methods
Fetches a predefined DLP profile by id.
Updates a DLP predefined profile. Only supports enabling/disabling entries.
Domain types
Gateway
zero_trust.gateway
Methods
Creates a Zero Trust account with an existing Cloudflare account.
Gets information about the current Zero Trust account.
zero_trust.gateway.app_types
Methods
Fetches all application and application type mappings.
Domain types
zero_trust.gateway.audit_ssh_settings
Methods
Gets all Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.
Rotates the SSH account seed that is used for generating the host key identity when connecting through the Cloudflare SSH Proxy.
Updates Zero Trust Audit SSH and SSH with Access for Infrastructure settings for an account.
Domain types
zero_trust.gateway.categories
Methods
Fetches a list of all categories.
Domain types
zero_trust.gateway.certificates
Methods
Binds a single Zero Trust certificate to the edge.
Creates a new Zero Trust certificate.
Unbinds a single Zero Trust certificate from the edge
Deletes a gateway-managed Zero Trust certificate. A certificate must be deactivated from the edge (inactive) before it is deleted.
Fetches a single Zero Trust certificate.
Fetches all Zero Trust certificates for an account.
zero_trust.gateway.configurations
Methods
Patches the current Zero Trust account configuration. This endpoint can update a single subcollection of settings such as antivirus
, tls_decrypt
, activity_log
, block_page
, browser_isolation
, fips
, body_scanning
, or certificate
, without updating the entire configuration object. Returns an error if any collection of settings is not properly configured.
Fetches the current Zero Trust account configuration.
Updates the current Zero Trust account configuration.
Domain types
Activity log settings.
Anti-virus settings.
Block page layout settings.
DLP body scanning settings.
Browser isolation settings.
Custom certificate settings for BYO-PKI. (deprecated and replaced by certificate
)
Extended e-mail matching settings.
FIPS settings.
Account settings
Configure a message to display on the user's device when an antivirus search is performed.
Protocol Detection settings.
TLS interception settings.
zero_trust.gateway.configurations.custom_certificate
Methods
Fetches the current Zero Trust certificate configuration.
zero_trust.gateway.lists
Methods
Creates a new Zero Trust list.
Deletes a Zero Trust list.
Appends or removes an item from a configured Zero Trust list.
Fetches a single Zero Trust list.
Fetches all Zero Trust lists for an account.
Updates a configured Zero Trust list. Skips updating list items if not included in the payload.
The preferred authorization scheme for interacting with the Cloudflare API. Create a token.
Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Resource UUID tag.
Whether the API call was successful
Domain types
zero_trust.gateway.lists.items
Methods
Fetches all items in a single Zero Trust list.
zero_trust.gateway.locations
Methods
Creates a new Zero Trust Gateway location.
Deletes a configured Zero Trust Gateway location.
Fetches a single Zero Trust Gateway location.
Fetches Zero Trust Gateway locations for an account.
Updates a configured Zero Trust Gateway location.
Domain types
The destination endpoints configured for this location. When updating a location, if this field is absent or set with null, the endpoints configuration remains unchanged.
zero_trust.gateway.logging
Methods
Fetches the current logging settings for Zero Trust account.
Updates logging settings for the current Zero Trust account.
Domain types
zero_trust.gateway.proxy_endpoints
Methods
Creates a new Zero Trust Gateway proxy endpoint.
Deletes a configured Zero Trust Gateway proxy endpoint.
Updates a configured Zero Trust Gateway proxy endpoint.
Fetches a single Zero Trust Gateway proxy endpoint.
Fetches all Zero Trust Gateway proxy endpoints for an account.
Domain types
The IPv4 CIDR or IPv6 CIDR. IPv6 CIDRs are limited to a maximum of /109. IPv4 CIDRs are limited to a maximum of /25.
zero_trust.gateway.rules
Methods
Creates a new Zero Trust Gateway rule.
Deletes a Zero Trust Gateway rule.
Fetches a single Zero Trust Gateway rule.
Fetches the Zero Trust Gateway rules for an account.
Resets the expiration of a Zero Trust Gateway Rule if its duration has elapsed and it has a default duration.
The Zero Trust Gateway Rule must have values for both expiration.expires_at
and expiration.duration
.
Updates a configured Zero Trust Gateway rule.
Domain types
The protocol or layer to use.
Additional settings that modify the rule's action.
The schedule for activating DNS policies. This does not apply to HTTP or network policies.
Identity Providers
zero_trust.identity_providers
Methods
Adds a new identity provider to Access.
Deletes an identity provider from Access.
Fetches a configured identity provider.
Lists all configured identity providers.
Updates a configured identity provider.
Domain types
The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider.
The type of identity provider. To determine the value for a specific provider, refer to our developer documentation.
Networks
zero_trust.networks
zero_trust.networks.routes
Methods
Routes a private network through a Cloudflare Tunnel.
Deletes a private network route from an account.
Updates an existing private network route in an account. The fields that are meant to be updated should be provided in the body of the request.
Get a private network route in an account.
Lists and filters private network routes in an account.
Domain types
zero_trust.networks.routes.ips
Methods
Fetches routes that contain the given IP address.
zero_trust.networks.routes.networks
Methods
Routes a private network through a Cloudflare Tunnel. The CIDR in ip_network_encoded
must be written in URL-encoded format.
Deletes a private network route from an account. The CIDR in ip_network_encoded
must be written in URL-encoded format. If no virtual_network_id is provided it will delete the route from the default vnet. If no tun_type is provided it will fetch the type from the tunnel_id or if that is missing it will assume Cloudflare Tunnel as default. If tunnel_id is provided it will delete the route from that tunnel, otherwise it will delete the route based on the vnet and tun_type.
Updates an existing private network route in an account. The CIDR in ip_network_encoded
must be written in URL-encoded format.
zero_trust.networks.virtual_networks
Methods
Adds a new virtual network to an account.
Deletes an existing virtual network.
Updates an existing virtual network.
Get a virtual network.
Lists and filters virtual networks in an account.
Domain types
Organizations
zero_trust.organizations
Methods
Sets up a Zero Trust organization for your account or zone.
Returns the configuration for your Zero Trust organization.
Revokes a user's access across all applications.
Updates the configuration for your Zero Trust organization.
Domain types
zero_trust.organizations.doh
Methods
Returns the DoH settings for your Zero Trust organization.
Updates the DoH settings for your Zero Trust organization.
Risk Scoring
zero_trust.risk_scoring
Methods
Get risk event/score information for a specific user
Clear the risk score for a particular user
zero_trust.risk_scoring.behaviours
Methods
Get all behaviors and associated configuration
Update configuration for risk behaviors
zero_trust.risk_scoring.integrations
Methods
Create new risk score integration.
Delete a risk score integration.
Get risk score integration by id.
List all risk score integrations for the account.
Overwrite the reference_id, tenant_url, and active values with the ones provided
zero_trust.risk_scoring.integrations.references
Methods
Get risk score integration by reference id.
zero_trust.risk_scoring.summary
Methods
Get risk score info for all users in the account
Seats
zero_trust.seats
Methods
Removes a user from a Zero Trust seat when both access_seat
and gateway_seat
are set to false.
Domain types
Tunnels
zero_trust.tunnels
Methods
Creates a new Cloudflare Tunnel in an account.
Deletes a Cloudflare Tunnel from an account.
Updates an existing Cloudflare Tunnel.
Fetches a single Cloudflare Tunnel.
Lists and filters Cloudflare Tunnels in an account.
Domain types
zero_trust.tunnels.configurations
Methods
Gets the configuration for a remotely-managed tunnel
Adds or updates the configuration for a remotely-managed tunnel.
zero_trust.tunnels.connections
Methods
Removes a connection (aka Cloudflare Tunnel Connector) from a Cloudflare Tunnel independently of its current state. If no connector id (client_id) is provided all connectors will be removed. We recommend running this command after rotating tokens.
Fetches connection details for a Cloudflare Tunnel.
Domain types
A client (typically cloudflared) that maintains connections to a Cloudflare data center.
zero_trust.tunnels.connectors
Methods
Fetches connector and connection details for a Cloudflare Tunnel.
zero_trust.tunnels.management
Methods
Gets a management token used to access the management resources (i.e. Streaming Logs) of a tunnel.
zero_trust.tunnels.token
Methods
Gets the token used to associate cloudflared with a specific tunnel.
zero_trust.tunnels.warp_connector
Methods
Creates a new Warp Connector Tunnel in an account.
Deletes a Warp Connector Tunnel from an account.
Updates an existing Warp Connector Tunnel.
Fetches a single Warp Connector Tunnel.
Lists and filters Warp Connector Tunnels in an account.
Gets the token used to associate warp device with a specific Warp Connector tunnel.