
Add an Access application

client.ZeroTrust.Access.Applications.New(ctx, params) (*AccessApplicationNewResponse, error)
POST /{accounts_or_zones}/{account_or_zone_id}/access/apps

Adds a new application to Access.

Security
API Token

The preferred authorization scheme for interacting with the Cloudflare API. Create a token.

Example: Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key

The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.

Example: X-Auth-Email: user@example.com

The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.

Example: X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Apps and Policies Write
Parameters
params AccessApplicationNewParams
Domain param.Field[string]

Body param: The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.

Type param.Field[ApplicationType]

Body param: The application type.

AccountID param.Field[string]Optional

Path param: The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

ZoneID param.Field[string]Optional

Path param: The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.

AllowAuthenticateViaWARP param.Field[bool]Optional

Body param: When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.

AllowIframe param.Field[bool]Optional

Body param: Enables loading application content in an iFrame.

AllowedIdPs param.Field[[]AllowedIdPs]Optional

Body param: The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AppLauncherVisible param.Field[bool]Optional

Body param: Displays the application in the App Launcher.

AutoRedirectToIdentity param.Field[bool]Optional

Body param: When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CORSHeaders param.Field[CORSHeaders]Optional

Body param

CustomDenyMessage param.Field[string]Optional

Body param: The custom error message shown to a user when they are denied access to the application.

CustomDenyURL param.Field[string]Optional

Body param: The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.

CustomNonIdentityDenyURL param.Field[string]Optional

Body param: The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.

CustomPages param.Field[[]string]Optional

Body param: The custom pages that will be displayed when applicable for this application

Destinations param.Field[[]AccessApplicationNewParamsSelfHostedApplicationDestination]Optional

Body param: List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.

AccessApplicationNewParamsSelfHostedApplicationDestinationsPublicDestination
Type AccessApplicationNewParamsSelfHostedApplicationDestinationsPublicDestinationTypeOptional
URI stringOptional

The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.

AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestination
CIDR stringOptional

The CIDR range of the destination. Single IPs will be computed as /32.

Hostname stringOptional

The hostname of the destination. Matches a valid SNI served by an HTTPS origin.

L4Protocol AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolOptional

The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.

One of the following:
const AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"
const AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"
PortRange stringOptional

The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.

Type AccessApplicationNewParamsSelfHostedApplicationDestinationsPrivateDestinationTypeOptional
VnetID stringOptional

The VNET ID to match the destination. When omitted, all VNETs will match.

AccessApplicationNewParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestination
McpServerID stringOptional

The MCP server id configured in ai-controls.

Type AccessApplicationNewParamsSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeOptional
AccessApplicationNewParamsSelfHostedApplicationDestinationsWorkerDestination
Type AccessApplicationNewParamsSelfHostedApplicationDestinationsWorkerDestinationType
WorkerID string

The ID of the Cloudflare Worker to protect with Access.

AccessApplicationNewParamsSelfHostedApplicationDestinationsPreviewWorkerDestination
Type AccessApplicationNewParamsSelfHostedApplicationDestinationsPreviewWorkerDestinationType
WorkerID string

The ID of the Cloudflare Worker whose preview deployments to protect with Access.

AccessApplicationNewParamsSelfHostedApplicationDestinationsAllWorkersDestination
Type AccessApplicationNewParamsSelfHostedApplicationDestinationsAllWorkersDestinationType
AccessApplicationNewParamsSelfHostedApplicationDestinationsAllPreviewWorkersDestination
Type AccessApplicationNewParamsSelfHostedApplicationDestinationsAllPreviewWorkersDestinationType
LogoURL param.Field[string]Optional

Body param: The image URL for the logo shown in the App Launcher dashboard.

Body param: Configures multi-factor authentication (MFA) settings.

AllowedAuthenticators []AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorOptional

Lists the MFA methods that users can authenticate with.

One of the following:
const AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"
const AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"
const AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewParamsSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"
MfaDisabled boolOptional

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

SessionDuration stringOptional

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

Name param.Field[string]Optional

Body param: The name of the application.

Body param: Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.

DynamicClientRegistration AccessApplicationNewParamsSelfHostedApplicationOAuthConfigurationDynamicClientRegistrationOptional

Settings for OAuth dynamic client registration.

AllowAnyOnLocalhost boolOptional

Allows any client with redirect URIs on localhost.

AllowAnyOnLoopback boolOptional

Allows any client with redirect URIs on 127.0.0.1.

AllowedURIs []stringOptional

The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the https protocol. Paths may end in /* to match all sub-paths.

Enabled boolOptional

Whether dynamic client registration is enabled.

Enabled boolOptional

Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.

Grant AccessApplicationNewParamsSelfHostedApplicationOAuthConfigurationGrantOptional

Settings for OAuth grant behavior.

AccessTokenLifetime stringOptional

The lifetime of the access token. Must be in the format 300ms or 2h45m. Valid time units are ns, us (or µs), ms, s, m, h.

SessionDuration stringOptional

The duration of the OAuth session. Must be in the format 300ms or 2h45m. Valid time units are ns, us (or µs), ms, s, m, h.

OptionsPreflightBypass param.Field[bool]Optional

Body param: Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.

Policies param.Field[[]AccessApplicationNewParamsSelfHostedApplicationPolicyUnion]Optional

Body param: The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. Reusable and inline policies are mutually exclusive.

AccessApplicationNewParamsSelfHostedApplicationPoliciesAccessAppPolicyLink
ID stringOptional

The UUID of the policy

maxLength: 36
Precedence int64Optional

The order of execution for this policy. Must be unique for each policy within an app.

UnionString
AccessApplicationNewParamsSelfHostedApplicationPoliciesObject
ID stringOptional

The UUID of the policy

maxLength: 36
ApprovalGroups []ApprovalGroupOptional

Administrators who can approve a temporary authentication request.

ApprovalsNeeded float64

The number of approvals needed to obtain access.

minimum: 0
EmailAddresses []stringOptional

A list of emails that can approve the access request.

EmailListUUID stringOptional

The UUID of a reusable email list.

ApprovalRequired boolOptional

Requires the user to request access from an administrator at the start of each session.

ConnectionRules AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesOptional

The rules that define how users may connect to targets secured by your application.

RDP AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPOptional

The RDP-specific rules that define clipboard behavior for RDP connections.

AllowedClipboardLocalToRemoteFormats []AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardLocalToRemoteFormatOptional

Clipboard formats allowed when copying from local machine to remote RDP session.

AllowedClipboardRemoteToLocalFormats []AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectConnectionRulesRDPAllowedClipboardRemoteToLocalFormatOptional

Clipboard formats allowed when copying from remote RDP session to local machine.

IsolationRequired boolOptional

Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.

MfaConfig AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigOptional

Configures multi-factor authentication (MFA) settings.

AllowedAuthenticators []AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorOptional

Lists the MFA methods that users can authenticate with.

One of the following:
const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorTotp AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "totp"
const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "biometrics"
const AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewParamsSelfHostedApplicationPoliciesObjectMfaConfigAllowedAuthenticator = "security_key"
MfaDisabled boolOptional

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

SessionDuration stringOptional

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

Precedence int64Optional

The order of execution for this policy. Must be unique for each policy within an app.

PurposeJustificationPrompt stringOptional

A custom message that will appear on the purpose justification screen.

PurposeJustificationRequired boolOptional

Require users to enter a justification when they log in to the application.

SessionDuration stringOptional

The amount of time that tokens issued for the application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

ReadServiceTokensFromHeader param.Field[string]Optional

Body param: Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }

Body param: Configuration for provisioning to this application via SCIM. This is currently in closed beta.

IdPUID string

The UID of the IdP to use as the source for SCIM resources to provision to this application.

RemoteURI string

The base URI for the application’s SCIM-compatible API.

Authentication AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationUnionOptional

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

One of the following:
type SCIMConfigAuthenticationHTTPBasic struct{…}

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

Password string

Password used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationHTTPBasicScheme

The authentication scheme to use when making SCIM requests to this application.

User string

User name used to authenticate with the remote SCIM service.

type SCIMConfigAuthenticationOAuthBearerToken struct{…}

Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.

Token string

Token used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme

The authentication scheme to use when making SCIM requests to this application.

type SCIMConfigAuthenticationOauth2 struct{…}

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

AuthorizationURL string

URL used to generate the auth code used during token generation.

ClientID string

Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.

ClientSecret string

Secret used to authenticate when generating a token for authenticating with the remote SCIM service.

Scheme SCIMConfigAuthenticationOauth2Scheme

The authentication scheme to use when making SCIM requests to this application.

TokenURL string

URL used to generate the token used to authenticate with the remote SCIM service.

Scopes []stringOptional

The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ClientID string

Client ID of the Access service token used to authenticate with the remote service.

ClientSecret string

Client secret of the Access service token used to authenticate with the remote service.

Scheme AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme

The authentication scheme to use when making SCIM requests to this application.

AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication
One of the following:
type SCIMConfigAuthenticationHTTPBasic struct{…}

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

Password string

Password used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationHTTPBasicScheme

The authentication scheme to use when making SCIM requests to this application.

User string

User name used to authenticate with the remote SCIM service.

type SCIMConfigAuthenticationOAuthBearerToken struct{…}

Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.

Token string

Token used to authenticate with the remote SCIM service.

Scheme SCIMConfigAuthenticationOAuthBearerTokenScheme

The authentication scheme to use when making SCIM requests to this application.

type SCIMConfigAuthenticationOauth2 struct{…}

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

AuthorizationURL string

URL used to generate the auth code used during token generation.

ClientID string

Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.

ClientSecret string

Secret used to authenticate when generating a token for authenticating with the remote SCIM service.

Scheme SCIMConfigAuthenticationOauth2Scheme

The authentication scheme to use when making SCIM requests to this application.

TokenURL string

URL used to generate the token used to authenticate with the remote SCIM service.

Scopes []stringOptional

The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken
ClientID string

Client ID of the Access service token used to authenticate with the remote service.

ClientSecret string

Client secret of the Access service token used to authenticate with the remote service.

Scheme AccessApplicationNewParamsSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceTokenScheme

The authentication scheme to use when making SCIM requests to this application.

DeactivateOnDelete boolOptional

If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.

Enabled boolOptional

Whether SCIM provisioning is turned on for this application.

Mappings []SCIMConfigMappingOptional

A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.

Schema string

Which SCIM resource type this mapping applies to.

Enabled boolOptional

Whether or not this mapping is enabled.

Filter stringOptional

A SCIM filter expression that matches resources that should be provisioned to this application.

Operations SCIMConfigMappingOperationsOptional

Whether or not this mapping applies to creates, updates, or deletes.

Create boolOptional

Whether or not this mapping applies to create (POST) operations.

Delete boolOptional

Whether or not this mapping applies to DELETE operations.

Update boolOptional

Whether or not this mapping applies to update (PATCH/PUT) operations.

Strictness SCIMConfigMappingStrictnessOptional

The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.

One of the following:
const SCIMConfigMappingStrictnessStrict SCIMConfigMappingStrictness = "strict"
const SCIMConfigMappingStrictnessPassthrough SCIMConfigMappingStrictness = "passthrough"
TransformJsonata stringOptional

A JSONata expression that transforms the resource before provisioning it in the application.

DeprecatedSelfHostedDomains param.Field[[]SelfHostedDomains]Optional

Body param: List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.

ServiceAuth401Redirect param.Field[bool]Optional

Body param: Returns a 401 status code when the request is blocked by a Service Auth policy.

SessionDuration param.Field[string]Optional

Body param: The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.

SkipInterstitial param.Field[bool]Optional

Body param: Enables automatic authentication through cloudflared.

Tags param.Field[[]string]Optional

Body param: The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

UseClientlessIsolationAppLauncherURL param.Field[bool]Optional

Body param: Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
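
Several parameters above carry constraints that are stated only in prose: AccountID and ZoneID are mutually exclusive, AutoRedirectToIdentity needs exactly one allowed IdP, OptionsPreflightBypass conflicts with CORSHeaders, policy precedence must be unique, and the duration and redirect-URI fields have fixed formats. The following Go program is an added example, not Cloudflare SDK code, that checks those constraints before a request is built; `AppSpec`, `Lint`, `checkMfaDuration` and `sampleSpec` are hypothetical names, the sample values are constructed, and it assumes the documented 300ms / 2h45m format matches Go's `time.ParseDuration` syntax.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"time"
)

// AppSpec is a hypothetical, SDK-independent mirror of a few
// AccessApplicationNewParams fields named on this page.
type AppSpec struct {
	AccountID, ZoneID      string
	AllowedIdPs            []string
	AutoRedirectToIdentity bool
	CORSHeadersSet         bool // true when a CORSHeaders object is sent
	OptionsPreflightBypass bool
	SessionDuration        string   // application token lifetime
	MfaSessionDuration     string   // MfaConfig.SessionDuration
	PolicyPrecedences      []int64  // Precedence of each entry in Policies
	DCRAllowedURIs         []string // DynamicClientRegistration.AllowedURIs
}

var mfaDurationRe = regexp.MustCompile(`^([0-9]+)([mh])$`)

// checkMfaDuration enforces "minutes (m) or hours (h), 0m to 720h".
func checkMfaDuration(s string) error {
	m := mfaDurationRe.FindStringSubmatch(s)
	if m == nil {
		return fmt.Errorf("%q is not a whole number of minutes (m) or hours (h)", s)
	}
	limit := int64(720) // hours
	if m[2] == "m" {
		limit = 720 * 60 // the same ceiling expressed in minutes
	}
	// A ParseInt range error means the number is far beyond the limit.
	if n, err := strconv.ParseInt(m[1], 10, 64); err != nil || n > limit {
		return fmt.Errorf("%q exceeds the 720h maximum", s)
	}
	return nil
}

// Lint returns one finding per documented constraint the spec violates.
func Lint(a AppSpec) []string {
	var out []string
	add := func(field, format string, args ...interface{}) {
		out = append(out, field+": "+fmt.Sprintf(format, args...))
	}
	if a.AccountID != "" && a.ZoneID != "" {
		add("AccountID/ZoneID", "mutually exclusive, set only one")
	}
	if a.AutoRedirectToIdentity && len(a.AllowedIdPs) != 1 {
		add("AutoRedirectToIdentity", "needs exactly one entry in AllowedIdPs, got %d", len(a.AllowedIdPs))
	}
	if a.OptionsPreflightBypass && a.CORSHeadersSet {
		add("OptionsPreflightBypass", "cannot be turned on while CORSHeaders is set")
	}
	if a.SessionDuration != "" {
		if d, err := time.ParseDuration(a.SessionDuration); err != nil || d < 0 {
			add("SessionDuration", "%q is not in the 300ms / 2h45m format", a.SessionDuration)
		}
	}
	if a.MfaSessionDuration != "" {
		if err := checkMfaDuration(a.MfaSessionDuration); err != nil {
			add("MfaConfig.SessionDuration", "%v", err)
		}
	}
	seen := map[int64]bool{}
	for _, p := range a.PolicyPrecedences {
		if seen[p] {
			add("Policies", "precedence %d is used more than once", p)
		}
		seen[p] = true
	}
	for _, raw := range a.DCRAllowedURIs {
		u, err := url.Parse(raw)
		if err != nil || u.Scheme != "https" || u.Host == "" {
			add("DynamicClientRegistration.AllowedURIs", "%q must be an https URI", raw)
		}
	}
	return out
}

// sampleSpec is constructed input that breaks six of the rules above.
func sampleSpec() AppSpec {
	return AppSpec{
		AccountID:              "ACCOUNT_ID_PLACEHOLDER",
		AllowedIdPs:            []string{"idp-a", "idp-b"},
		AutoRedirectToIdentity: true,
		CORSHeadersSet:         true,
		OptionsPreflightBypass: true,
		SessionDuration:        "1d",   // "d" is not a valid unit
		MfaSessionDuration:     "721h", // one hour over the maximum
		PolicyPrecedences:      []int64{1, 2, 2},
		DCRAllowedURIs: []string{
			"https://app.example.com/callback/*",
			"http://app.example.com/callback", // not https
		},
	}
}

func main() {
	for _, finding := range Lint(sampleSpec()) {
		fmt.Println(finding)
	}
}
```
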

Returns
type AccessApplicationNewResponse interface{…}
One of the following:
type AccessApplicationNewResponseSelfHostedApplication struct{…}
Domain string

The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.

The application type.

One of the following:
const ApplicationTypeSelfHosted ApplicationType = "self_hosted"
const ApplicationTypeSaaS ApplicationType = "saas"
const ApplicationTypeSSH ApplicationType = "ssh"
const ApplicationTypeVNC ApplicationType = "vnc"
const ApplicationTypeAppLauncher ApplicationType = "app_launcher"
const ApplicationTypeWARP ApplicationType = "warp"
const ApplicationTypeBISO ApplicationType = "biso"
const ApplicationTypeBookmark ApplicationType = "bookmark"
const ApplicationTypeDashSSO ApplicationType = "dash_sso"
const ApplicationTypeInfrastructure ApplicationType = "infrastructure"
const ApplicationTypeRDP ApplicationType = "rdp"
const ApplicationTypeMcp ApplicationType = "mcp"
const ApplicationTypeMcpPortal ApplicationType = "mcp_portal"
const ApplicationTypeProxyEndpoint ApplicationType = "proxy_endpoint"
ID stringOptional

UUID.

maxLength: 36
AllowAuthenticateViaWARP boolOptional

When set to true, users can authenticate to this application using their WARP session. When set to false, this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.

AllowIframe boolOptional

Enables loading application content in an iFrame.

AllowedIdPs []AllowedIdPsOptional

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

AppLauncherVisible boolOptional

Displays the application in the App Launcher.

AUD stringOptional

Audience tag.

maxLength: 64
AutoRedirectToIdentity boolOptional

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

CORSHeaders CORSHeadersOptional
AllowAllHeaders boolOptional

Allows all HTTP request headers.

AllowAllMethods boolOptional

Allows all HTTP request methods.

AllowAllOrigins boolOptional

Allows all origins.

AllowCredentials boolOptional

When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.

AllowedHeaders []AllowedHeadersOptional

Allowed HTTP request headers.

AllowedMethods []AllowedMethodsOptional

Allowed HTTP request methods.

One of the following:
const AllowedMethodsGet AllowedMethods = "GET"
const AllowedMethodsPost AllowedMethods = "POST"
const AllowedMethodsHead AllowedMethods = "HEAD"
const AllowedMethodsPut AllowedMethods = "PUT"
const AllowedMethodsDelete AllowedMethods = "DELETE"
const AllowedMethodsConnect AllowedMethods = "CONNECT"
const AllowedMethodsOptions AllowedMethods = "OPTIONS"
const AllowedMethodsTrace AllowedMethods = "TRACE"
const AllowedMethodsPatch AllowedMethods = "PATCH"
AllowedOrigins []AllowedOriginsOptional

Allowed origins.

MaxAge float64Optional

The maximum number of seconds the results of a preflight request can be cached.

maximum: 86400
minimum: -1
CustomDenyMessage stringOptional

The custom error message shown to a user when they are denied access to the application.

CustomDenyURL stringOptional

The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.

CustomNonIdentityDenyURL stringOptional

The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.

CustomPages []stringOptional

The custom pages that will be displayed when applicable for this application

Destinations []AccessApplicationNewResponseSelfHostedApplicationDestinationOptional

List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.

One of the following:
type AccessApplicationNewResponseSelfHostedApplicationDestinationsPublicDestination struct{…}

A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.

Type AccessApplicationNewResponseSelfHostedApplicationDestinationsPublicDestinationTypeOptional
URI stringOptional

The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.

type AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}
CIDR stringOptional

The CIDR range of the destination. Single IPs will be computed as /32.

Hostname stringOptional

The hostname of the destination. Matches a valid SNI served by an HTTPS origin.

L4Protocol AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolOptional

The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.

One of the following:
const AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolTCP AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "tcp"
const AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4ProtocolUdp AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol = "udp"
PortRange stringOptional

The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.

Type AccessApplicationNewResponseSelfHostedApplicationDestinationsPrivateDestinationTypeOptional
VnetID stringOptional

The VNET ID to match the destination. When omitted, all VNETs will match.

type AccessApplicationNewResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestination struct{…}

An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.

McpServerID stringOptional

The MCP server id configured in ai-controls.

Type AccessApplicationNewResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestinationTypeOptional
type AccessApplicationNewResponseSelfHostedApplicationDestinationsWorkerDestination struct{…}

A specific Cloudflare Worker that Access will secure. All requests routed to the specified Worker, including its preview deployments, will be protected. The preview_worker and public destination types take precedence, so you can create separate applications to override the policies for the Worker’s previews or specific paths.

Type AccessApplicationNewResponseSelfHostedApplicationDestinationsWorkerDestinationType
WorkerID string

The ID of the Cloudflare Worker to protect with Access.

type AccessApplicationNewResponseSelfHostedApplicationDestinationsPreviewWorkerDestination struct{…}

A specific Cloudflare Worker whose preview deployments Access will secure. Only requests routed to the preview deployments of the specified Worker will be protected. The public destination type takes precedence, so you can create separate applications to override the policies for specific paths.

Type AccessApplicationNewResponseSelfHostedApplicationDestinationsPreviewWorkerDestinationType
WorkerID string

The ID of the Cloudflare Worker whose preview deployments to protect with Access.

type AccessApplicationNewResponseSelfHostedApplicationDestinationsAllWorkersDestination struct{…}

Protects all Cloudflare Workers on the account with Access, including their preview deployments. At most one destination of this type can exist per account. The worker, preview_worker, all_preview_workers, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.

Type AccessApplicationNewResponseSelfHostedApplicationDestinationsAllWorkersDestinationType
type AccessApplicationNewResponseSelfHostedApplicationDestinationsAllPreviewWorkersDestination struct{…}

Protects the preview deployments of all Cloudflare Workers on the account with Access. At most one destination of this type can exist per account. The worker, preview_worker, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.

Type AccessApplicationNewResponseSelfHostedApplicationDestinationsAllPreviewWorkersDestinationType
LogoURL stringOptional

The image URL for the logo shown in the App Launcher dashboard.

MfaConfig AccessApplicationNewResponseSelfHostedApplicationMfaConfigOptional

Configures multi-factor authentication (MFA) settings.

AllowedAuthenticators []AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorOptional

Lists the MFA methods that users can authenticate with.

One of the following:
const AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorTotp AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "totp"
const AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorBiometrics AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "biometrics"
const AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticatorSecurityKey AccessApplicationNewResponseSelfHostedApplicationMfaConfigAllowedAuthenticator = "security_key"
MfaDisabled boolOptional

Indicates whether to disable MFA for this resource. This option is available at the application and policy level.

SessionDuration stringOptional

Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: 5m or 24h.

Name stringOptional

The name of the application.

OAuthConfiguration AccessApplicationNewResponseSelfHostedApplicationOAuthConfigurationOptional

Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.

DynamicClientRegistration AccessApplicationNewResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistrationOptional

Settings for OAuth dynamic client registration.

AllowAnyOnLocalhost boolOptional

Allows any client with redirect URIs on localhost.

AllowAnyOnLoopback boolOptional

Allows any client with redirect URIs on 127.0.0.1.

AllowedURIs []stringOptional

The URIs that are allowed as redirect URIs for dynamically registered clients. Must use the https protocol. Paths may end in /* to match all sub-paths.

Enabled boolOptional

Whether dynamic client registration is enabled.

Enabled boolOptional

Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.

Grant AccessApplicationNewResponseSelfHostedApplicationOAuthConfigurationGrantOptional

Settings for OAuth grant behavior.

AccessTokenLifetime stringOptional

The lifetime of the access token. Must be in the format 300ms or 2h45m. Valid time units are ns, us (or µs), ms, s, m, h.

SessionDuration stringOptional

The duration of the OAuth session. Must be in the format 300ms or 2h45m. Valid time units are ns, us (or µs), ms, s, m, h.

OptionsPreflightBypass boolOptional

Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.

Policies []AccessApplicationNewResponseSelfHostedApplicationPolicyOptional
ID stringOptional

The UUID of the policy

maxLength: 36
ApprovalGroups []ApprovalGroupOptional

Administrators who can approve a temporary authentication request.

ApprovalsNeeded float64

The number of approvals needed to obtain access.

minimum: 0
EmailAddresses []stringOptional

A list of emails that can approve the access request.

EmailListUUID stringOptional

The UUID of a reusable email list.

ApprovalRequired boolOptional

Requires the user to request access from an administrator at the start of each session.

ConnectionRules AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesOptional

The rules that define how users may connect to targets secured by your application.

RDP AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPOptional

The RDP-specific rules that define clipboard behavior for RDP connections.

AllowedClipboardLocalToRemoteFormats []AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardLocalToRemoteFormatOptional

Clipboard formats allowed when copying from local machine to remote RDP session.

AllowedClipboardRemoteToLocalFormats []AccessApplicationNewResponseSelfHostedApplicationPoliciesConnectionRulesRDPAllowedClipboardRemoteToLocalFormatOptional

Clipboard formats allowed when copying from remote RDP session to local machine.

CreatedAt TimeOptional
format: date-time
Decision DecisionOptional

The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.

One of the following:
const DecisionAllow Decision = "allow"
const DecisionDeny Decision = "deny"
const DecisionNonIdentity Decision = "non_identity"
const DecisionBypass Decision = "bypass"
Exclude []AccessRuleOptional

Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.

One of the following:
type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup
ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.