Get an Access application
Fetches information about an Access application.
Security
API Token
The preferred authorization scheme for interacting with the Cloudflare API. Create a token.
Authorization: Bearer Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY
API Email + API Key
The previous authorization scheme for interacting with the Cloudflare API, used in conjunction with a Global API key.
X-Auth-Email: user@example.com
The previous authorization scheme for interacting with the Cloudflare API. When possible, use API tokens instead of Global API keys.
X-Auth-Key: 144c9defac04969c7bfad8efaa8ea194
Accepted Permissions (at least one required)
Access: Apps and Policies Write
Access: Apps and Policies Read
Returns
type AccessApplicationGetResponse interface{…}
type AccessApplicationGetResponseSelfHostedApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Type ApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
Destinations []AccessApplicationGetResponseSelfHostedApplicationDestination Optional
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationGetResponseSelfHostedApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationGetResponseSelfHostedApplicationDestinationsPrivateDestinationL4Protocol Optional
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
type AccessApplicationGetResponseSelfHostedApplicationDestinationsViaMcpServerPortalDestination struct{…}
An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
type AccessApplicationGetResponseSelfHostedApplicationDestinationsWorkerDestination struct{…}
A specific Cloudflare Worker that Access will secure. All requests routed to the specified Worker, including its preview deployments, will be protected. The preview_worker and public destination types take precedence, so you can create separate applications to override the policies for the Worker’s previews or specific paths.
type AccessApplicationGetResponseSelfHostedApplicationDestinationsPreviewWorkerDestination struct{…}
A specific Cloudflare Worker whose preview deployments Access will secure. Only requests routed to the preview deployments of the specified Worker will be protected. The public destination type takes precedence, so you can create separate applications to override the policies for specific paths.
type AccessApplicationGetResponseSelfHostedApplicationDestinationsAllWorkersDestination struct{…}
Protects all Cloudflare Workers on the account with Access, including their preview deployments. At most one destination of this type can exist per account. The worker, preview_worker, all_preview_workers, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
type AccessApplicationGetResponseSelfHostedApplicationDestinationsAllPreviewWorkersDestination struct{…}
Protects the preview deployments of all Cloudflare Workers on the account with Access. At most one destination of this type can exist per account. The worker, preview_worker, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
Preemptively sets the Access session cookie on every hostname in a multi-hostname self-hosted application during the initial redirect chain, rather than setting it lazily on first visit. Defaults to true. Set to false to disable the eager redirect cookie behavior.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationGetResponseSelfHostedApplicationMfaConfig Optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseSelfHostedApplicationMfaConfigAllowedAuthenticator Optional
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationGetResponseSelfHostedApplicationOAuthConfiguration Optional
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationGetResponseSelfHostedApplicationOAuthConfigurationDynamicClientRegistration Optional
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default.
Policies []AccessApplicationGetResponseSelfHostedApplicationPolicy Optional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRules Optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseSelfHostedApplicationPoliciesConnectionRulesRDP Optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfig Optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseSelfHostedApplicationPoliciesMfaConfigAllowedAuthenticator Optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Allows matching Access Service Tokens passed over HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationGetResponseSelfHostedApplicationSCIMConfig Optional
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationUnion Optional
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseSelfHostedApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations Optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness Optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
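An added example (not part of the Cloudflare SDK or of this reference) that audits a fetched self-hosted application against the constraints documented above: cookie hardening, the preflight bypass and cors_headers conflict, the single-IdP requirement for automatic redirect, the session duration format, and self_hosted_domains being ignored when destinations are set. The JSON field names not shown on this page (for example http_only_cookie_attribute and session_duration), the response envelope with a result object, the sample body and the 24h limit are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// appConfig holds only the fields this audit reads. The JSON names are
// assumptions about the API response body (see the lead-in).
type appConfig struct {
	AllowedIdPs            []string                 `json:"allowed_idps"`
	AutoRedirectToIdentity bool                     `json:"auto_redirect_to_identity"`
	HTTPOnlyCookie         bool                     `json:"http_only_cookie_attribute"`
	BindingCookie          bool                     `json:"enable_binding_cookie"`
	SameSiteCookie         string                   `json:"same_site_cookie_attribute"`
	OptionsPreflightBypass bool                     `json:"options_preflight_bypass"`
	CORSHeaders            map[string]interface{}   `json:"cors_headers"`
	SessionDuration        string                   `json:"session_duration"`
	Destinations           []map[string]interface{} `json:"destinations"`
	SelfHostedDomains      []string                 `json:"self_hosted_domains"`
}

// finding names the field that triggered a check and why it matters.
type finding struct{ Field, Detail string }

// auditApp decodes a "get application" response body and reports settings that
// weaken or contradict the behaviour documented for each field. maxSession is
// a local policy value chosen by the caller, not an API limit.
func auditApp(body []byte, maxSession time.Duration) ([]finding, error) {
	var resp struct {
		Result appConfig `json:"result"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode response: %w", err)
	}
	a := resp.Result
	var out []finding
	add := func(field, detail string) { out = append(out, finding{field, detail}) }

	if !a.HTTPOnlyCookie {
		add("http_only_cookie_attribute", "session cookie lacks HttpOnly and is readable by page scripts")
	}
	if !a.BindingCookie {
		add("enable_binding_cookie", "no binding cookie; a copied authorization token is easier to reuse")
	}
	if a.SameSiteCookie == "" {
		add("same_site_cookie_attribute", "SameSite not set; no cookie-level CSRF restriction")
	}
	if a.OptionsPreflightBypass && a.CORSHeaders != nil {
		add("options_preflight_bypass", "cannot be combined with cors_headers")
	}
	if a.AutoRedirectToIdentity && len(a.AllowedIdPs) != 1 {
		add("auto_redirect_to_identity", fmt.Sprintf("needs exactly one allowed IdP, found %d", len(a.AllowedIdPs)))
	}
	if a.SessionDuration != "" {
		// The documented format (300ms, 2h45m; ns, us, µs, ms, s, m, h) is Go duration syntax.
		d, err := time.ParseDuration(a.SessionDuration)
		switch {
		case err != nil:
			add("session_duration", "not in the documented duration format")
		case d > maxSession:
			add("session_duration", fmt.Sprintf("%s exceeds local limit %s", d, maxSession))
		}
	}
	if len(a.Destinations) > 0 && len(a.SelfHostedDomains) > 0 {
		add("self_hosted_domains", "ignored because destinations is set; review destinations instead")
	}
	return out, nil
}

// sampleResponse is a constructed response body, not real account data.
const sampleResponse = `{"success": true, "result": {
  "allowed_idps": ["idp-a", "idp-b"],
  "auto_redirect_to_identity": true,
  "http_only_cookie_attribute": false,
  "enable_binding_cookie": true,
  "same_site_cookie_attribute": "strict",
  "options_preflight_bypass": true,
  "cors_headers": {"allow_all_origins": true},
  "session_duration": "720h",
  "destinations": [{"type": "public", "uri": "wiki.example.com/docs"}],
  "self_hosted_domains": ["wiki.example.com"]
}}`

func main() {
	findings, err := auditApp([]byte(sampleResponse), 24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-28s %s\n", f.Field, f.Detail)
	}
}
```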
type AccessApplicationGetResponseSaaSApplication struct{…}
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom pages that will be displayed when applicable for this application.
Policies []AccessApplicationGetResponseSaaSApplicationPolicy Optional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRules Optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseSaaSApplicationPoliciesConnectionRulesRDP Optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfig Optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseSaaSApplicationPoliciesMfaConfigAllowedAuthenticator Optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
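The Include, Exclude and Require descriptions above (given for both self-hosted and SaaS application policies) define a policy match as OR, NOT and AND over the three rule lists. The Go program below is an added example, not SDK code: the identity, rule and policy types, the organization names and the users are constructed for illustration, and it assumes an empty Include list matches nobody. It also checks the stated requirement that the order of execution is unique for each policy within an app.

```go
package main

import (
	"fmt"
	"sort"
)

// identity is a constructed stand-in for what is known about a user after
// login. It is not an SDK type.
type identity struct {
	Email      string
	GitHubOrgs []string
	AMR        []string // RFC 8176 authentication method references, e.g. "pwd", "mfa"
	RiskScore  string   // "low", "medium", "high" or "unscored"
}

// rule is one entry of an Include, Exclude or Require list.
type rule func(identity) bool

func has(xs []string, want string) bool {
	for _, x := range xs {
		if x == want {
			return true
		}
	}
	return false
}

// Simplified counterparts of three documented rule kinds.
func githubOrg(name string) rule { return func(id identity) bool { return has(id.GitHubOrgs, name) } }
func authMethod(amr string) rule { return func(id identity) bool { return has(id.AMR, amr) } }
func riskScore(levels ...string) rule {
	return func(id identity) bool { return has(levels, id.RiskScore) }
}

type policy struct {
	Name                      string
	Precedence                int
	Include, Exclude, Require []rule
}

func anyOf(rs []rule, id identity) bool {
	for _, r := range rs {
		if r(id) {
			return true
		}
	}
	return false
}

// matches applies the documented operators: at least one Include rule (OR),
// no Exclude rule (NOT), and every Require rule (AND). Require only narrows
// the Include set; satisfying Require alone never produces a match.
func (p policy) matches(id identity) bool {
	if !anyOf(p.Include, id) || anyOf(p.Exclude, id) {
		return false
	}
	for _, r := range p.Require {
		if !r(id) {
			return false
		}
	}
	return true
}

// duplicatePrecedence returns the precedence values used by more than one
// policy, which the reference says must not happen within an app.
func duplicatePrecedence(ps []policy) []int {
	seen := map[int]int{}
	for _, p := range ps {
		seen[p.Precedence]++
	}
	var dups []int
	for prec, n := range seen {
		if n > 1 {
			dups = append(dups, prec)
		}
	}
	sort.Ints(dups)
	return dups
}

// samplePolicy is constructed: members of either org, never high risk, MFA required.
func samplePolicy() policy {
	return policy{
		Name: "engineering", Precedence: 1,
		Include: []rule{githubOrg("acme-eng"), githubOrg("acme-sre")},
		Exclude: []rule{riskScore("high")},
		Require: []rule{authMethod("mfa")},
	}
}

func main() {
	p := samplePolicy()
	users := []identity{
		{"sre@example.com", []string{"acme-sre"}, []string{"pwd", "mfa"}, "low"},
		{"risky@example.com", []string{"acme-eng"}, []string{"pwd", "mfa"}, "high"},
		{"nomfa@example.com", []string{"acme-eng"}, []string{"pwd"}, "low"},
		{"outsider@example.com", nil, []string{"pwd", "mfa"}, "unscored"},
	}
	for _, u := range users {
		fmt.Printf("%-22s match=%v\n", u.Email, p.matches(u))
	}
	other := policy{Name: "contractors", Precedence: 1}
	fmt.Println("duplicate precedence:", duplicatePrecedence([]policy{p, other}))
}
```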
SaaSApp AccessApplicationGetResponseSaaSApplicationSaaSApp Optional
type SAMLSaaSApp struct{…}
AuthType SAMLSaaSAppAuthType Optional
Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Default if unset is “saml”.
The service provider’s endpoint that is responsible for receiving and parsing a SAML assertion.
CustomAttributes []SAMLSaaSAppCustomAttribute Optional
NameFormat SAMLSaaSAppCustomAttributesNameFormat Optional
A globally unique name for an identity or service provider.
The URL that the user will be redirected to after a successful login for IdP-initiated logins.
A JSONata expression that transforms an application’s user identities into a NameID value for its SAML assertion. This expression should evaluate to a singular string. The output of this expression can override the name_id_format setting.
A [JSONata] (https://jsonata.org/) expression that transforms an application’s user identities into attribute assertions in the SAML response. The expression can transform id, email, name, and groups values. It can also transform fields listed in the saml_attributes or oidc_fields of the identity provider used to authenticate. The output of this expression must be a JSON object.
type OIDCSaaSApp struct{…}
The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must be greater than or equal to 1m and less than or equal to 24h.
Whether a client secret is required on the token endpoint when the authorization_code_with_pkce grant is used.
AuthType OIDCSaaSAppAuthType (optional)
Identifier of the authentication protocol used for the SaaS app. Required for OIDC.
CustomClaims []OIDCSaaSAppCustomClaim (optional)
GrantTypes []OIDCSaaSAppGrantType (optional)
The OIDC flows supported by this application.
A regex to filter Cloudflare groups returned in the ID token and by the userinfo endpoint.
The permitted URLs for Cloudflare to return authorization codes and Access/ID tokens.
SCIMConfig AccessApplicationGetResponseSaaSApplicationSCIMConfig (optional)
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationUnion (optional)
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseSaaSApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (optional)
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (optional)
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
type AccessApplicationGetResponseBrowserSSHApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Type AccessApplicationGetResponseBrowserSSHApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationGetResponseBrowserSSHApplicationDestination (optional)
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationGetResponseBrowserSSHApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationGetResponseBrowserSSHApplicationDestinationsPrivateDestinationL4Protocol (optional)
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
type AccessApplicationGetResponseBrowserSSHApplicationDestinationsViaMcpServerPortalDestination struct{…}
An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
type AccessApplicationGetResponseBrowserSSHApplicationDestinationsWorkerDestination struct{…}
A specific Cloudflare Worker that Access will secure. All requests routed to the specified Worker, including its preview deployments, will be protected. The preview_worker and public destination types take precedence, so you can create separate applications to override the policies for the Worker’s previews or specific paths.
type AccessApplicationGetResponseBrowserSSHApplicationDestinationsPreviewWorkerDestination struct{…}
A specific Cloudflare Worker whose preview deployments Access will secure. Only requests routed to the preview deployments of the specified Worker will be protected. The public destination type takes precedence, so you can create separate applications to override the policies for specific paths.
type AccessApplicationGetResponseBrowserSSHApplicationDestinationsAllWorkersDestination struct{…}
Protects all Cloudflare Workers on the account with Access, including their preview deployments. At most one destination of this type can exist per account. The worker, preview_worker, all_preview_workers, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
type AccessApplicationGetResponseBrowserSSHApplicationDestinationsAllPreviewWorkersDestination struct{…}
Protects the preview deployments of all Cloudflare Workers on the account with Access. At most one destination of this type can exist per account. The worker, preview_worker, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
Preemptively sets the Access session cookie on every hostname in a multi-hostname self-hosted application during the initial redirect chain, rather than setting it lazily on first visit. Defaults to true. Set to false to disable the eager redirect cookie behavior.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationGetResponseBrowserSSHApplicationMfaConfig (optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseBrowserSSHApplicationMfaConfigAllowedAuthenticator (optional)
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationGetResponseBrowserSSHApplicationOAuthConfiguration (optional)
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationGetResponseBrowserSSHApplicationOAuthConfigurationDynamicClientRegistration (optional)
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default
Policies []AccessApplicationGetResponseBrowserSSHApplicationPolicy (optional)
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRules (optional)
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseBrowserSSHApplicationPoliciesConnectionRulesRDP (optional)
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfig (optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseBrowserSSHApplicationPoliciesMfaConfigAllowedAuthenticator (optional)
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
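The Exclude (NOT), Include (OR) and Require (AND) semantics described above, as an added Go sketch that is not part of the Cloudflare SDK or this reference. `User`, `Rule`, `Policy`, `Explain` and the rule constructors are hypothetical names, the sample users are constructed, and treating an empty Include list as a non-match is an assumption of the sketch.

```go
package main

import "fmt"

// User is a hypothetical, simplified identity used only by this sketch.
type User struct {
	GitHubOrgs []string // organizations reported by a GitHub identity provider
	AMR        []string // RFC 8176 authentication method references, e.g. "mfa"
	RiskScore  string   // "low", "medium", "high" or "unscored"
}

// Rule is a hypothetical predicate standing in for one Access rule.
type Rule func(User) bool

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// GitHubOrg mirrors the idea of GitHubOrganizationRule.
func GitHubOrg(name string) Rule {
	return func(u User) bool { return contains(u.GitHubOrgs, name) }
}

// AuthMethod mirrors the idea of AuthenticationMethodRule.
func AuthMethod(method string) Rule {
	return func(u User) bool { return contains(u.AMR, method) }
}

// RiskScoreIn mirrors the idea of AccessRuleAccessUserRiskScoreRule.
func RiskScoreIn(levels ...string) Rule {
	return func(u User) bool { return contains(levels, u.RiskScore) }
}

// Policy holds the three rule lists of an Access policy.
type Policy struct {
	Include, Exclude, Require []Rule
}

// Explain reports why a user does or does not match the policy.
func (p Policy) Explain(u User) string {
	// Exclude: NOT. Meeting any Exclude rule disqualifies the user.
	for _, r := range p.Exclude {
		if r(u) {
			return "excluded"
		}
	}
	// Require: AND. Every Require rule must be met.
	for _, r := range p.Require {
		if !r(u) {
			return "require-failed"
		}
	}
	// Include: OR. Meeting one Include rule is enough.
	for _, r := range p.Include {
		if r(u) {
			return "match"
		}
	}
	// Assumption: no Include rule met (or none defined) means no match.
	return "no-include"
}

// Matches is the boolean form of Explain.
func (p Policy) Matches(u User) bool { return p.Explain(u) == "match" }

// SamplePolicy is a constructed policy: members of "example-org" or
// low-risk users, always with MFA, never with a high risk score.
func SamplePolicy() Policy {
	return Policy{
		Include: []Rule{GitHubOrg("example-org"), RiskScoreIn("low")},
		Require: []Rule{AuthMethod("mfa")},
		Exclude: []Rule{RiskScoreIn("high")},
	}
}

func main() {
	p := SamplePolicy()
	users := map[string]User{
		"org member, MFA, low risk":  {[]string{"example-org"}, []string{"mfa"}, "low"},
		"org member, MFA, high risk": {[]string{"example-org"}, []string{"mfa"}, "high"},
		"org member, password only":  {[]string{"example-org"}, []string{"pwd"}, "unscored"},
		"outsider, MFA, medium risk": {nil, []string{"mfa"}, "medium"},
	}
	for name, u := range users {
		fmt.Printf("%-28s -> %s\n", name, p.Explain(u))
	}
}
```

Checking Exclude before Include makes the audit point visible: a broad Include rule never overrides an Exclude or a missing Require condition.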
Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationGetResponseBrowserSSHApplicationSCIMConfig (optional)
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationUnion (optional)
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseBrowserSSHApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (optional)
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (optional)
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
type AccessApplicationGetResponseBrowserVNCApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Type AccessApplicationGetResponseBrowserVNCApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
Destinations []AccessApplicationGetResponseBrowserVNCApplicationDestination (Optional)
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationGetResponseBrowserVNCApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationGetResponseBrowserVNCApplicationDestinationsPrivateDestinationL4Protocol (Optional)
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
type AccessApplicationGetResponseBrowserVNCApplicationDestinationsViaMcpServerPortalDestination struct{…}
An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
type AccessApplicationGetResponseBrowserVNCApplicationDestinationsWorkerDestination struct{…}
A specific Cloudflare Worker that Access will secure. All requests routed to the specified Worker, including its preview deployments, will be protected. The preview_worker and public destination types take precedence, so you can create separate applications to override the policies for the Worker’s previews or specific paths.
type AccessApplicationGetResponseBrowserVNCApplicationDestinationsPreviewWorkerDestination struct{…}
A specific Cloudflare Worker whose preview deployments Access will secure. Only requests routed to the preview deployments of the specified Worker will be protected. The public destination type takes precedence, so you can create separate applications to override the policies for specific paths.
type AccessApplicationGetResponseBrowserVNCApplicationDestinationsAllWorkersDestination struct{…}
Protects all Cloudflare Workers on the account with Access, including their preview deployments. At most one destination of this type can exist per account. The worker, preview_worker, all_preview_workers, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
type AccessApplicationGetResponseBrowserVNCApplicationDestinationsAllPreviewWorkersDestination struct{…}
Protects the preview deployments of all Cloudflare Workers on the account with Access. At most one destination of this type can exist per account. The worker, preview_worker, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
Preemptively sets the Access session cookie on every hostname in a multi-hostname self-hosted application during the initial redirect chain, rather than setting it lazily on first visit. Defaults to true. Set to false to disable the eager redirect cookie behavior.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationGetResponseBrowserVNCApplicationMfaConfig (Optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseBrowserVNCApplicationMfaConfigAllowedAuthenticator (Optional)
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationGetResponseBrowserVNCApplicationOAuthConfiguration (Optional)
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationGetResponseBrowserVNCApplicationOAuthConfigurationDynamicClientRegistration (Optional)
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default.
Policies []AccessApplicationGetResponseBrowserVNCApplicationPolicy (Optional)
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRules (Optional)
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseBrowserVNCApplicationPoliciesConnectionRulesRDP (Optional)
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method. See https://datatracker.ietf.org/doc/html/rfc8176#section-2
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method. See https://datatracker.ietf.org/doc/html/rfc8176#section-2
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfig (Optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseBrowserVNCApplicationPoliciesMfaConfigAllowedAuthenticator (Optional)
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method. See https://datatracker.ietf.org/doc/html/rfc8176#section-2
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationGetResponseBrowserVNCApplicationSCIMConfig (Optional)
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationUnion (Optional)
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseBrowserVNCApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (Optional)
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (Optional)
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
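Several of the field descriptions above state constraints (a single IdP when the selection step is skipped, no preflight bypass together with cors_headers, unique policy precedence, the token duration format, destinations superseding self_hosted_domains) and two cookie settings that are described as increasing security, all of which can be checked on a fetched application. The Go program below is an added example, not part of the Cloudflare SDK; it assumes the snake_case JSON field names of the API response body, runs on two constructed sample documents, and assumes the documented duration format is the one Go's time.ParseDuration accepts.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// accessApp keeps only the fields this audit reads (assumed API JSON names).
type accessApp struct {
	AllowedIdPs            []string               `json:"allowed_idps"`
	AutoRedirectToIdentity bool                   `json:"auto_redirect_to_identity"`
	EnableBindingCookie    bool                   `json:"enable_binding_cookie"`
	HTTPOnlyCookie         *bool                  `json:"http_only_cookie_attribute"`
	OptionsPreflightBypass bool                   `json:"options_preflight_bypass"`
	CORSHeaders            map[string]interface{} `json:"cors_headers"`
	SessionDuration        string                 `json:"session_duration"`
	Destinations           []json.RawMessage      `json:"destinations"`
	SelfHostedDomains      []string               `json:"self_hosted_domains"`
	Policies               []struct {
		Name       string `json:"name"`
		Precedence int    `json:"precedence"`
	} `json:"policies"`
}

// auditApp returns one "CODE: detail" finding per violated constraint or disabled flag.
func auditApp(raw []byte) ([]string, error) {
	var app accessApp
	if err := json.Unmarshal(raw, &app); err != nil {
		return nil, fmt.Errorf("decode application: %w", err)
	}
	var out []string
	add := func(format string, args ...interface{}) {
		out = append(out, fmt.Sprintf(format, args...))
	}
	// Skipping IdP selection requires exactly one entry in allowed_idps.
	if app.AutoRedirectToIdentity && len(app.AllowedIdPs) != 1 {
		add("IDP_REDIRECT: auto-redirect on with %d allowed_idps", len(app.AllowedIdPs))
	}
	// Preflight bypass cannot be turned on while cors_headers is set.
	if app.OptionsPreflightBypass && app.CORSHeaders != nil {
		add("PREFLIGHT_CORS: options_preflight_bypass set together with cors_headers")
	}
	// destinations supersedes self_hosted_domains, which is then ignored.
	if len(app.Destinations) > 0 && len(app.SelfHostedDomains) > 0 {
		add("DOMAINS_IGNORED: %d self_hosted_domains entries are ignored", len(app.SelfHostedDomains))
	}
	// Precedence must be unique for each policy within an app.
	seen := map[int]string{}
	for _, p := range app.Policies {
		if first, dup := seen[p.Precedence]; dup {
			add("PRECEDENCE_DUP: %q and %q share precedence %d", first, p.Name, p.Precedence)
		}
		seen[p.Precedence] = p.Name
	}
	// Assumption: the documented 300ms / 2h45m format is Go duration syntax.
	if app.SessionDuration != "" {
		if d, err := time.ParseDuration(app.SessionDuration); err != nil || d <= 0 {
			add("SESSION_DURATION: %q is not a positive duration", app.SessionDuration)
		}
	}
	// Cookie settings the reference describes as increasing security.
	if !app.EnableBindingCookie {
		add("BINDING_COOKIE: binding cookie is disabled")
	}
	if app.HTTPOnlyCookie != nil && !*app.HTTPOnlyCookie {
		add("HTTP_ONLY: HttpOnly cookie attribute is disabled")
	}
	return out, nil
}

func hasCode(findings []string, code string) bool {
	for _, f := range findings {
		if strings.HasPrefix(f, code+":") {
			return true
		}
	}
	return false
}

// Constructed sample documents: one misconfigured, one corrected.
const weakApp = `{"allowed_idps": ["idp-a", "idp-b"], "auto_redirect_to_identity": true,
 "enable_binding_cookie": false, "http_only_cookie_attribute": false,
 "options_preflight_bypass": true, "cors_headers": {"allow_all_origins": true},
 "session_duration": "2 hours", "destinations": [{"type": "public", "uri": "vnc.example.com"}],
 "self_hosted_domains": ["old.example.com"],
 "policies": [{"name": "admins", "precedence": 1}, {"name": "contractors", "precedence": 1}]}`
const hardenedApp = `{"allowed_idps": ["idp-a"], "auto_redirect_to_identity": true,
 "enable_binding_cookie": true, "http_only_cookie_attribute": true,
 "options_preflight_bypass": false, "session_duration": "2h45m",
 "destinations": [{"type": "public", "uri": "vnc.example.com"}],
 "policies": [{"name": "admins", "precedence": 1}, {"name": "contractors", "precedence": 2}]}`

func main() {
	findings, _ := auditApp([]byte(weakApp))
	fmt.Println(strings.Join(findings, "\n"))
}
```

An omitted http_only_cookie_attribute is not reported, because the struct cannot tell an absent field from the API default.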
type AccessApplicationGetResponseAppLauncherApplication struct{…}
Type AccessApplicationGetResponseAppLauncherApplicationType
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
FooterLinks []AccessApplicationGetResponseAppLauncherApplicationFooterLink (Optional)
The links in the App Launcher footer.
LandingPageDesign AccessApplicationGetResponseAppLauncherApplicationLandingPageDesign (Optional)
The design of the App Launcher landing page shown to users when they log in.
Policies []AccessApplicationGetResponseAppLauncherApplicationPolicy (Optional)
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRules (Optional)
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseAppLauncherApplicationPoliciesConnectionRulesRDP (Optional)
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method. See https://datatracker.ietf.org/doc/html/rfc8176#section-2
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method. See https://datatracker.ietf.org/doc/html/rfc8176#section-2
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfig (Optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseAppLauncherApplicationPoliciesMfaConfigAllowedAuthenticator (Optional)
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method. See https://datatracker.ietf.org/doc/html/rfc8176#section-2
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AccessApplicationGetResponseDeviceEnrollmentPermissionsApplication struct{…}
Type ApplicationType
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Policies []AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPolicy (Optional)
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRules (Optional)
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesConnectionRulesRDP (Optional)
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method. See https://datatracker.ietf.org/doc/html/rfc8176#section-2
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfig (optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseDeviceEnrollmentPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator (optional)
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
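The Exclude (NOT), Include (OR) and Require (AND) operators and the unique order-of-execution constraint described above, as an added Go example that is not Cloudflare's code and does not use the SDK's rule types. `Rule`, `Policy`, `User`, `Matches` and `Audit` are hypothetical names, the attribute keys and sample identities are constructed, and the model assumes an empty Include list never matches.

```go
package main

import "fmt"

// Rule is a simplified stand-in for one Access rule (hypothetical model, not
// an SDK type): the user must present Value for attribute Attr.
type Rule struct{ Attr, Value string }

// Policy carries only the fields needed to show the three operators.
type Policy struct {
	Name       string
	Precedence int    // order of execution, unique within an app
	Include    []Rule // OR: meeting one rule is enough
	Exclude    []Rule // NOT: meeting any rule disqualifies
	Require    []Rule // AND: every rule must be met
}

// User maps an attribute name to the values the identity presents.
type User map[string][]string

// met counts how many of the given rules the user meets.
func met(u User, rules []Rule) int {
	n := 0
	for _, r := range rules {
		for _, v := range u[r.Attr] {
			if v == r.Value {
				n++
				break
			}
		}
	}
	return n
}

// Matches applies Include, Exclude and Require to one user.
// Assumption of this model: an empty Include list never matches.
func Matches(p Policy, u User) bool {
	return met(u, p.Include) > 0 && met(u, p.Exclude) == 0 && met(u, p.Require) == len(p.Require)
}

// Audit reports policies that can never match, or that reuse a precedence.
func Audit(policies []Policy) []string {
	var out []string
	seen := map[int]string{}
	for _, p := range policies {
		if prev, dup := seen[p.Precedence]; dup {
			out = append(out, fmt.Sprintf("%s: precedence %d already used by %s", p.Name, p.Precedence, prev))
		}
		seen[p.Precedence] = p.Name
		excluded := map[Rule]bool{}
		for _, r := range p.Exclude {
			excluded[r] = true
		}
		reachable := false // true if some Include rule is not also excluded
		for _, r := range p.Include {
			reachable = reachable || !excluded[r]
		}
		if !reachable {
			out = append(out, p.Name+": every Include rule is missing or excluded")
		}
		for _, r := range p.Require {
			if excluded[r] {
				out = append(out, p.Name+": Require and Exclude both name "+r.Attr+"="+r.Value)
			}
		}
	}
	return out
}

// Constructed sample data: one policy and four identities.
var (
	Engineering = Policy{
		Name: "engineering", Precedence: 1,
		Include: []Rule{{"github_org", "example-org"}, {"gsuite_group", "eng@example.com"}},
		Exclude: []Rule{{"risk", "high"}},
		Require: []Rule{{"auth_method", "hwk"}},
	}
	Users = map[string]User{
		"alice": {"github_org": {"example-org"}, "risk": {"low"}, "auth_method": {"pwd", "hwk"}},
		"bob":   {"github_org": {"example-org"}, "risk": {"high"}, "auth_method": {"hwk"}},
		"carol": {"gsuite_group": {"eng@example.com"}, "risk": {"unscored"}, "auth_method": {"pwd"}},
		"dave":  {"risk": {"low"}, "auth_method": {"hwk"}},
	}
)

func main() {
	for _, name := range []string{"alice", "bob", "carol", "dave"} {
		fmt.Printf("%-5s matches=%v\n", name, Matches(Engineering, Users[name]))
	}
	fmt.Println(Audit([]Policy{Engineering, {Name: "broken", Precedence: 1}}))
}
```

Only alice matches: bob meets an Exclude rule, carol fails the Require rule, and dave meets no Include rule.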
type AccessApplicationGetResponseBrowserIsolationPermissionsApplication struct{…}
Type ApplicationType
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Policies []AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPolicy (optional)
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRules (optional)
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesConnectionRulesRDP (optional)
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfig (optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseBrowserIsolationPermissionsApplicationPoliciesMfaConfigAllowedAuthenticator (optional)
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AccessApplicationGetResponseGatewayIdentityProxyEndpointApplication struct{…}
Type ApplicationType
The application type.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
The proxy endpoint domain in the format: 10 alphanumeric characters followed by .proxy.cloudflare-gateway.com
Policies []AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPolicy (optional)
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRules (optional)
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesConnectionRulesRDP (optional)
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfig (optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseGatewayIdentityProxyEndpointApplicationPoliciesMfaConfigAllowedAuthenticator (optional)
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
type AccessApplicationGetResponseBookmarkApplication struct{…}
Policies []AccessApplicationGetResponseBookmarkApplicationPolicy (optional)
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRules (optional)
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseBookmarkApplicationPoliciesConnectionRulesRDP (optional)
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfig (optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseBookmarkApplicationPoliciesMfaConfigAllowedAuthenticator (optional)
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176#section-2).
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
type AccessApplicationGetResponseInfrastructureApplication struct{…}
TargetCriteria []AccessApplicationGetResponseInfrastructureApplicationTargetCriterion
Type ApplicationType
The application type.
Policies []AccessApplicationGetResponseInfrastructureApplicationPolicy Optional
ConnectionRules AccessApplicationGetResponseInfrastructureApplicationPoliciesConnectionRules Optional
The rules that define how users may connect to the targets secured by your application.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
MfaConfig AccessApplicationGetResponseInfrastructureApplicationPoliciesMfaConfig Optional
Configures multi-factor authentication (MFA) settings for infrastructure applications.
Lists the MFA methods that users can authenticate with. For infrastructure applications, only piv_key is supported.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
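The Exclude (NOT), Include (OR) and Require (AND) semantics described above, modelled in an added Go example that is not cloudflare-go code or Cloudflare's implementation. The User, Rule and Policy types, the rule constructors, the sample users and the choice that an empty Include list matches nobody are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed model for illustration; these are not cloudflare-go types.
type User struct {
	Name       string
	GitHubOrgs []string
	AMR        []string // authentication methods used at login (RFC 8176 section 2 values)
	RiskScore  string   // low, medium, high or unscored
}

// Rule is one entry of an Include, Require or Exclude list.
type Rule struct {
	Name  string
	Match func(User) bool
}

type Policy struct {
	Include []Rule // OR: meeting one rule is enough
	Require []Rule // AND: every rule must be met
	Exclude []Rule // NOT: no rule may be met
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// GitHubOrg models a GitHub organization rule.
func GitHubOrg(org string) Rule {
	return Rule{Name: "github-organization:" + org,
		Match: func(u User) bool { return contains(u.GitHubOrgs, org) }}
}

// AuthMethod models an authentication method rule keyed on an RFC 8176 value.
func AuthMethod(amr string) Rule {
	return Rule{Name: "authentication_method:" + amr,
		Match: func(u User) bool { return contains(u.AMR, amr) }}
}

// RiskScoreIn models a user risk score rule: it matches only the listed levels.
func RiskScoreIn(levels ...string) Rule {
	return Rule{Name: "user_risk_score:" + strings.Join(levels, ","),
		Match: func(u User) bool { return contains(levels, u.RiskScore) }}
}

// Evaluate reports whether the user matches the policy and which rule decided it.
func (p Policy) Evaluate(u User) (bool, string) {
	for _, r := range p.Exclude {
		if r.Match(u) {
			return false, fmt.Sprintf("excluded by %s", r.Name)
		}
	}
	for _, r := range p.Require {
		if !r.Match(u) {
			return false, fmt.Sprintf("missing required %s", r.Name)
		}
	}
	for _, r := range p.Include {
		if r.Match(u) {
			return true, fmt.Sprintf("included by %s", r.Name)
		}
	}
	// Assumption: with no Include rule met (or none defined) the policy does not match.
	return false, "no include rule matched"
}

// SamplePolicy is a constructed policy: org members, with MFA, not high risk.
func SamplePolicy() Policy {
	return Policy{
		Include: []Rule{GitHubOrg("example-org")},
		Require: []Rule{AuthMethod("mfa")},
		Exclude: []Rule{RiskScoreIn("high")},
	}
}

// SampleUsers returns constructed identities, one per interesting case.
func SampleUsers() []User {
	return []User{
		{"alice", []string{"example-org"}, []string{"pwd", "mfa"}, "low"},
		{"bob", []string{"example-org"}, []string{"pwd"}, "low"},
		{"carol", []string{"example-org"}, []string{"pwd", "mfa"}, "high"},
		{"dave", []string{"example-org"}, []string{"pwd", "mfa"}, "unscored"},
		{"erin", []string{"other-org"}, []string{"pwd", "mfa"}, "low"},
	}
}

func main() {
	p := SamplePolicy()
	for _, u := range SampleUsers() {
		ok, why := p.Evaluate(u)
		fmt.Printf("%-6s match=%-5t %s\n", u.Name, ok, why)
	}
}
```

In this model the unscored user (dave) still matches, because an Exclude rule on high only matches the levels it lists; a policy that must also keep out unscored users has to list unscored explicitly.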
type AccessApplicationGetResponseBrowserRDPApplication struct{…}
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
TargetCriteria []AccessApplicationGetResponseBrowserRDPApplicationTargetCriterion
Type ApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application.
Destinations []AccessApplicationGetResponseBrowserRDPApplicationDestination Optional
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationGetResponseBrowserRDPApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard '*' can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationGetResponseBrowserRDPApplicationDestinationsPrivateDestinationL4Protocol Optional
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
type AccessApplicationGetResponseBrowserRDPApplicationDestinationsViaMcpServerPortalDestination struct{…}
An MCP server ID configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
type AccessApplicationGetResponseBrowserRDPApplicationDestinationsWorkerDestination struct{…}
A specific Cloudflare Worker that Access will secure. All requests routed to the specified Worker, including its preview deployments, will be protected. The preview_worker and public destination types take precedence, so you can create separate applications to override the policies for the Worker’s previews or specific paths.
type AccessApplicationGetResponseBrowserRDPApplicationDestinationsPreviewWorkerDestination struct{…}
A specific Cloudflare Worker whose preview deployments Access will secure. Only requests routed to the preview deployments of the specified Worker will be protected. The public destination type takes precedence, so you can create separate applications to override the policies for specific paths.
type AccessApplicationGetResponseBrowserRDPApplicationDestinationsAllWorkersDestination struct{…}
Protects all Cloudflare Workers on the account with Access, including their preview deployments. At most one destination of this type can exist per account. The worker, preview_worker, all_preview_workers, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
type AccessApplicationGetResponseBrowserRDPApplicationDestinationsAllPreviewWorkersDestination struct{…}
Protects the preview deployments of all Cloudflare Workers on the account with Access. At most one destination of this type can exist per account. The worker, preview_worker, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
Preemptively sets the Access session cookie on every hostname in a multi-hostname self-hosted application during the initial redirect chain, rather than setting it lazily on first visit. Defaults to true. Set to false to disable the eager redirect cookie behavior.
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
MfaConfig AccessApplicationGetResponseBrowserRDPApplicationMfaConfig Optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseBrowserRDPApplicationMfaConfigAllowedAuthenticator Optional
Lists the MFA methods that users can authenticate with.
OAuthConfiguration AccessApplicationGetResponseBrowserRDPApplicationOAuthConfiguration Optional
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationGetResponseBrowserRDPApplicationOAuthConfigurationDynamicClientRegistration Optional
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.
Enables cookie paths to scope an application’s JWT to the application path. If disabled, the JWT will scope to the hostname by default.
Policies []AccessApplicationGetResponseBrowserRDPApplicationPolicy Optional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRules Optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseBrowserRDPApplicationPoliciesConnectionRulesRDP Optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfig Optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseBrowserRDPApplicationPoliciesMfaConfigAllowedAuthenticator Optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a Github organization. Requires a Github identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Allows matching Access Service Tokens passed in a single HTTP header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a JSON object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationGetResponseBrowserRDPApplicationSCIMConfig Optional
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationUnion Optional
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseBrowserRDPApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations Optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness Optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
Returns a 401 status code when the request is blocked by a Service Auth policy.
The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
type AccessApplicationGetResponseMcpServerApplication struct{…}
Type ApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationGetResponseMcpServerApplicationDestination Optional
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationGetResponseMcpServerApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationGetResponseMcpServerApplicationDestinationsPrivateDestinationL4Protocol Optional
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
type AccessApplicationGetResponseMcpServerApplicationDestinationsViaMcpServerPortalDestination struct{…}
An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
type AccessApplicationGetResponseMcpServerApplicationDestinationsWorkerDestination struct{…}
A specific Cloudflare Worker that Access will secure. All requests routed to the specified Worker, including its preview deployments, will be protected. The preview_worker and public destination types take precedence, so you can create separate applications to override the policies for the Worker’s previews or specific paths.
type AccessApplicationGetResponseMcpServerApplicationDestinationsPreviewWorkerDestination struct{…}
A specific Cloudflare Worker whose preview deployments Access will secure. Only requests routed to the preview deployments of the specified Worker will be protected. The public destination type takes precedence, so you can create separate applications to override the policies for specific paths.
type AccessApplicationGetResponseMcpServerApplicationDestinationsAllWorkersDestination struct{…}
Protects all Cloudflare Workers on the account with Access, including their preview deployments. At most one destination of this type can exist per account. The worker, preview_worker, all_preview_workers, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
type AccessApplicationGetResponseMcpServerApplicationDestinationsAllPreviewWorkersDestination struct{…}
Protects the preview deployments of all Cloudflare Workers on the account with Access. At most one destination of this type can exist per account. The worker, preview_worker, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
OAuthConfiguration AccessApplicationGetResponseMcpServerApplicationOAuthConfiguration Optional
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationGetResponseMcpServerApplicationOAuthConfigurationDynamicClientRegistration Optional
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Policies []AccessApplicationGetResponseMcpServerApplicationPolicyOptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRules Optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseMcpServerApplicationPoliciesConnectionRulesRDP Optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfig Optional
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseMcpServerApplicationPoliciesMfaConfigAllowedAuthenticator Optional
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationGetResponseMcpServerApplicationSCIMConfig Optional
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationUnion Optional
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseMcpServerApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations Optional
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness Optional
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
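The Include (OR), Exclude (NOT) and Require (AND) operators described for policies above, together with the rule that precedence must be unique within an app, as an added Go example that is not Cloudflare's code and does not use the SDK's types. `Identity`, `Rule`, `Policy`, the helper constructors and the sample organization names are hypothetical, and treating an empty Include list as matching nobody is an assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// Identity is a constructed stand-in for what the IdP and Access know about a user.
type Identity struct {
	GitHubOrgs []string // organizations reported by a GitHub identity provider
	AMR        []string // RFC 8176 authentication method references, e.g. "pwd", "hwk"
	RiskScore  string   // low, medium, high, or unscored
}

// Rule is a hypothetical predicate form of a single Access rule.
type Rule func(Identity) bool

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// GitHubOrg models a GitHub organization rule.
func GitHubOrg(name string) Rule {
	return func(id Identity) bool { return contains(id.GitHubOrgs, name) }
}

// AuthMethod models an authentication method rule keyed on an RFC 8176 value.
func AuthMethod(amr string) Rule {
	return func(id Identity) bool { return contains(id.AMR, amr) }
}

// RiskScoreIn models a user risk score rule with a list of levels to match.
func RiskScoreIn(levels ...string) Rule {
	return func(id Identity) bool { return contains(levels, id.RiskScore) }
}

// Policy is a hypothetical, reduced view of one application policy.
type Policy struct {
	Name       string
	Precedence int
	Include    []Rule // OR: one match is enough
	Exclude    []Rule // NOT: any match disqualifies
	Require    []Rule // AND: every rule must match
}

// Matches reports whether the identity satisfies all three rule groups.
func (p Policy) Matches(id Identity) bool {
	included := false
	for _, r := range p.Include {
		if r(id) {
			included = true
			break
		}
	}
	if !included { // assumption: no Include rules means nobody matches
		return false
	}
	for _, r := range p.Exclude {
		if r(id) {
			return false
		}
	}
	for _, r := range p.Require {
		if !r(id) {
			return false
		}
	}
	return true
}

// DuplicatePrecedence lists precedence values shared by more than one policy.
func DuplicatePrecedence(policies []Policy) []int {
	count := map[int]int{}
	for _, p := range policies {
		count[p.Precedence]++
	}
	var dups []int
	for prec, n := range count {
		if n > 1 {
			dups = append(dups, prec)
		}
	}
	sort.Ints(dups)
	return dups
}

// SamplePolicy is constructed: either org, never high risk, hardware key required.
func SamplePolicy() Policy {
	return Policy{
		Name:       "engineers",
		Precedence: 1,
		Include:    []Rule{GitHubOrg("example-org"), GitHubOrg("example-contractors")},
		Exclude:    []Rule{RiskScoreIn("high")},
		Require:    []Rule{AuthMethod("hwk")},
	}
}

func main() {
	p := SamplePolicy()
	u := Identity{GitHubOrgs: []string{"example-org"}, AMR: []string{"pwd"}, RiskScore: "low"}
	fmt.Println("password-only user matches:", p.Matches(u))
	fmt.Println("duplicate precedence:", DuplicatePrecedence([]Policy{p, {Name: "copy", Precedence: 1}}))
}
```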
type AccessApplicationGetResponseMcpServerPortalApplication struct{…}
Type ApplicationType
The application type.
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
The custom error message shown to a user when they are denied access to the application.
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
The custom pages that will be displayed when applicable for this application
Destinations []AccessApplicationGetResponseMcpServerPortalApplicationDestination Optional
List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPublicDestination struct{…}
A public hostname that Access will secure. Public destinations support sub-domain and path. Wildcard ’*’ can be used in the definition.
The URI of the destination. Public destinations’ URIs can include a domain and path with wildcards.
type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestination struct{…}
The hostname of the destination. Matches a valid SNI served by an HTTPS origin.
L4Protocol AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPrivateDestinationL4Protocol Optional
The L4 protocol of the destination. When omitted, both UDP and TCP traffic will match.
The port range of the destination. Can be a single port or a range of ports. When omitted, all ports will match.
type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsViaMcpServerPortalDestination struct{…}
An MCP server id configured in ai-controls. Access will secure the MCP server if accessed through an MCP portal.
type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsWorkerDestination struct{…}
A specific Cloudflare Worker that Access will secure. All requests routed to the specified Worker, including its preview deployments, will be protected. The preview_worker and public destination types take precedence, so you can create separate applications to override the policies for the Worker’s previews or specific paths.
type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsPreviewWorkerDestination struct{…}
A specific Cloudflare Worker whose preview deployments Access will secure. Only requests routed to the preview deployments of the specified Worker will be protected. The public destination type takes precedence, so you can create separate applications to override the policies for specific paths.
type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsAllWorkersDestination struct{…}
Protects all Cloudflare Workers on the account with Access, including their preview deployments. At most one destination of this type can exist per account. The worker, preview_worker, all_preview_workers, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
type AccessApplicationGetResponseMcpServerPortalApplicationDestinationsAllPreviewWorkersDestination struct{…}
Protects the preview deployments of all Cloudflare Workers on the account with Access. At most one destination of this type can exist per account. The worker, preview_worker, and public destination types take precedence, so you can create separate applications to override the policies for specific Workers, their previews, or specific paths.
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
OAuthConfiguration AccessApplicationGetResponseMcpServerPortalApplicationOAuthConfiguration Optional
Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
DynamicClientRegistration AccessApplicationGetResponseMcpServerPortalApplicationOAuthConfigurationDynamicClientRegistration Optional
Settings for OAuth dynamic client registration.
Whether the OAuth configuration is enabled for this application. When set to false, Access will not handle OAuth for this application. Defaults to true if omitted.
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
Policies []AccessApplicationGetResponseMcpServerPortalApplicationPolicyOptional
Requires the user to request access from an administrator at the start of each session.
ConnectionRules AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRules Optional
The rules that define how users may connect to targets secured by your application.
RDP AccessApplicationGetResponseMcpServerPortalApplicationPoliciesConnectionRulesRDP Optional
The RDP-specific rules that define clipboard behavior for RDP connections.
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action.
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
Require this application to be served in an isolated browser for users matching this policy. ‘Client Web Isolation’ must be on for the account in order to use this feature.
MfaConfig AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfig (optional)
Configures multi-factor authentication (MFA) settings.
AllowedAuthenticators []AccessApplicationGetResponseMcpServerPortalApplicationPoliciesMfaConfigAllowedAuthenticator (optional)
Lists the MFA methods that users can authenticate with.
The order of execution for this policy. Must be unique for each policy within an app.
A custom message that will appear on the purpose justification screen.
Require users to enter a justification when they log in to the application.
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.
type AccessRuleAccessAuthContextRule struct{…}
Matches an Azure Authentication Context. Requires an Azure identity provider.
type AuthenticationMethodRule struct{…}
Enforce different MFA options.
AuthMethod AuthenticationMethodRuleAuthMethod
The type of authentication method; see https://datatracker.ietf.org/doc/html/rfc8176#section-2.
type ExternalEvaluationRule struct{…}
Create Allow or Block policies which evaluate the user based on custom criteria.
type GitHubOrganizationRule struct{…}
Matches a GitHub organization. Requires a GitHub identity provider.
type GSuiteGroupRule struct{…}
Matches a group in Google Workspace. Requires a Google Workspace identity provider.
type AccessRuleAccessOIDCClaimRule struct{…}
Matches an OIDC claim. Requires an OIDC identity provider.
type AccessRuleAccessLinkedAppTokenRule struct{…}
Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.
type AccessRuleAccessUserRiskScoreRule struct{…}
Matches a user’s risk score.
UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore
UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore
A list of risk score levels to match. Values can be low, medium, high, or unscored.
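How the Include and Require lists combine, as an added Go example that is not part of the SDK or of this reference: it shows why an MFA rule placed under Include is only an alternative, while the same rule under Require is mandatory. `Subject`, `Rule`, `Policy` and the two sample policies are hypothetical names; treating Exclude as NOT (no Exclude rule may match) is an assumption, since this part of the reference only spells out Include and Require.

```go
package main

import "fmt"

// Subject is a hypothetical view of the user that the rules inspect.
type Subject struct {
	RiskScore string   // low, medium, high or unscored
	AMR       []string // RFC 8176 values reported by the IdP, e.g. pwd, mfa, sms
}

// Rule is a hypothetical stand-in for one Access rule.
type Rule func(Subject) bool

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// UserRiskScore matches when the subject's level is one of the listed levels.
func UserRiskScore(levels ...string) Rule {
	return func(s Subject) bool { return contains(levels, s.RiskScore) }
}

// AuthMethod matches when the subject authenticated with the given method.
func AuthMethod(amr string) Rule {
	return func(s Subject) bool { return contains(s.AMR, amr) }
}

// Policy groups rules the way an Access policy does.
type Policy struct{ Include, Require, Exclude []Rule }

// Matches reports whether the subject satisfies the policy.
func (p Policy) Matches(s Subject) bool {
	hits := func(rules []Rule) (n int) {
		for _, r := range rules {
			if r(s) {
				n++
			}
		}
		return
	}
	// Include: at least one (OR). Require: every one (AND). Exclude: none (NOT).
	// A policy with no Include rules therefore matches nobody.
	return hits(p.Include) > 0 && hits(p.Require) == len(p.Require) && hits(p.Exclude) == 0
}

// Loose lists MFA under Include, so it is only an alternative to the risk rule.
var Loose = Policy{Include: []Rule{UserRiskScore("low"), AuthMethod("mfa")}}

// Tight keeps the risk rule in Include and moves MFA to Require.
var Tight = Policy{
	Include: []Rule{UserRiskScore("low", "medium")},
	Require: []Rule{AuthMethod("mfa")},
	Exclude: []Rule{AuthMethod("sms")},
}

func main() {
	pwdOnly := Subject{RiskScore: "low", AMR: []string{"pwd"}} // constructed sample user
	fmt.Println(Loose.Matches(pwdOnly), Tight.Matches(pwdOnly)) // true false
}
```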
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
SCIMConfig AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfig (optional)
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
The UID of the IdP to use as the source for SCIM resources to provision to this application.
Authentication AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationUnion (optional)
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
type AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication []AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationItem
Multiple authentication schemes
type SCIMConfigAuthenticationHTTPBasic struct{…}
Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOAuthBearerToken struct{…}
Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.
type SCIMConfigAuthenticationOauth2 struct{…}
Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.
Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.
Secret used to authenticate when generating a token for authenticating with the remote SCIM service.
type AccessApplicationGetResponseMcpServerPortalApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken struct{…}
Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.
If false, propagates DELETE requests to the target application for SCIM resources. If true, sets ‘active’ to false on the SCIM resource. Note: Some targets do not support DELETE operations.
A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.
A SCIM filter expression that matches resources that should be provisioned to this application.
Operations SCIMConfigMappingOperations (optional)
Whether or not this mapping applies to creates, updates, or deletes.
Strictness SCIMConfigMappingStrictness (optional)
The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.
A JSONata expression that transforms the resource before provisioning it in the application.
Get an Access application
```go
package main

import (
	"context"
	"fmt"

	"github.com/stainless-sdks/cloudflare-go"
	"github.com/stainless-sdks/cloudflare-go/option"
	"github.com/stainless-sdks/cloudflare-go/zero_trust"
)

func main() {
	// Authenticate with an API token, the preferred scheme for the Cloudflare API.
	client := cloudflare.NewClient(
		option.WithAPIToken("Sn3lZJTBX6kkg7OdcBUAxOO963GEIyGQqnFTOFYY"),
	)
	// Fetch a single Access application by its ID.
	application, err := client.ZeroTrust.Access.Applications.Get(
		context.TODO(),
		"023e105f4ecef8ad9ca31a8372d0c353",
		zero_trust.AccessApplicationGetParams{},
	)
	if err != nil {
		panic(err.Error())
	}
	// Print every field of the returned application.
	fmt.Printf("%+v\n", application)
}
```
```json
{
  "errors": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "messages": [
    {
      "code": 1000,
      "message": "message",
      "documentation_url": "documentation_url",
      "source": {
        "pointer": "pointer"
      }
    }
  ],
  "success": true,
  "result": {
    "domain": "test.example.com/admin",
    "type": "self_hosted",
    "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
    "allow_authenticate_via_warp": true,
    "allow_iframe": true,
    "allowed_idps": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "app_launcher_visible": true,
    "aud": "737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893",
    "auto_redirect_to_identity": true,
    "cors_headers": {
      "allow_all_headers": true,
      "allow_all_methods": true,
      "allow_all_origins": true,
      "allow_credentials": true,
      "allowed_headers": [
        "string"
      ],
      "allowed_methods": [
        "GET"
      ],
      "allowed_origins": [
        "https://example.com"
      ],
      "max_age": -1
    },
    "created_at": "2014-01-01T05:20:00.12345Z",
    "custom_deny_message": "custom_deny_message",
    "custom_deny_url": "custom_deny_url",
    "custom_non_identity_deny_url": "custom_non_identity_deny_url",
    "custom_pages": [
      "699d98642c564d2e855e9661899b7252"
    ],
    "destinations": [
      {
        "type": "public",
        "uri": "test.example.com/admin"
      },
      {
        "type": "public",
        "uri": "test.anotherexample.com/staff"
      },
      {
        "cidr": "10.5.0.0/24",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80-90",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "10.5.0.3/32",
        "hostname": "hostname",
        "l4_protocol": "tcp",
        "port_range": "80",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "cidr": "cidr",
        "hostname": "private-sni.example.com",
        "l4_protocol": "tcp",
        "port_range": "port_range",
        "type": "private",
        "vnet_id": "vnet_id"
      },
      {
        "mcp_server_id": "mcp-server-1",
        "type": "via_mcp_server_portal"
      },
      {
        "type": "worker",
        "worker_id": "617f1d0431a98306ff61e336d79fce86"
      },
      {
        "type": "preview_worker",
        "worker_id": "617f1d0431a98306ff61e336d79fce86"
      },
      {
        "type": "all_workers"
      },
      {
        "type": "all_preview_workers"
      }
    ],
    "eager_redirect_cookie_setting": true,
    "enable_binding_cookie": true,
    "http_only_cookie_attribute": true,
    "logo_url": "https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg",
    "mfa_config": {
      "allowed_authenticators": [
        "totp",
        "biometrics",
        "security_key"
      ],
      "mfa_disabled": false,
      "session_duration": "24h"
    },
    "name": "Admin Site",
    "oauth_configuration": {
      "dynamic_client_registration": {
        "allow_any_on_localhost": true,
        "allow_any_on_loopback": true,
        "allowed_uris": [
          "https://example.com/callback"
        ],
        "enabled": true
      },
      "enabled": true,
      "grant": {
        "access_token_lifetime": "5m",
        "session_duration": "24h"
      }
    },
    "options_preflight_bypass": true,
    "path_cookie_attribute": true,
    "policies": [
      {
        "id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
        "approval_groups": [
          {
            "approvals_needed": 1,
            "email_addresses": [
              "test1@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "email_list_uuid"
          },
          {
            "approvals_needed": 3,
            "email_addresses": [
              "test@cloudflare.com",
              "test2@cloudflare.com"
            ],
            "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
          }
        ],
        "approval_required": true,
        "connection_rules": {
          "rdp": {
            "allowed_clipboard_local_to_remote_formats": [
              "text"
            ],
            "allowed_clipboard_remote_to_local_formats": [
              "text"
            ]
          }
        },
        "created_at": "2014-01-01T05:20:00.12345Z",
        "decision": "allow",
        "exclude": [
          {
            "certificate": {}
          }
        ],
        "include": [
          {
            "certificate": {}
          }
        ],
        "isolation_required": false,
        "mfa_config": {
          "allowed_authenticators": [
            "totp",
            "biometrics",
            "security_key"
          ],
          "mfa_disabled": false,
          "session_duration": "24h"
        },
        "name": "Allow devs",
        "precedence": 0,
        "purpose_justification_prompt": "Please enter a justification for entering this protected domain.",
        "purpose_justification_required": true,
        "require": [
          {
            "certificate": {}
          }
        ],
        "session_duration": "24h",
        "updated_at": "2014-01-01T05:20:00.12345Z"
      }
    ],
    "read_service_tokens_from_header": "Authorization",
    "same_site_cookie_attribute": "strict",
    "scim_config": {
      "idp_uid": "idp_uid",
      "remote_uri": "remote_uri",
      "authentication": {
        "password": "password",
        "scheme": "httpbasic",
        "user": "user"
      },
      "deactivate_on_delete": true,
      "enabled": true,
      "mappings": [
        {
          "schema": "urn:ietf:params:scim:schemas:core:2.0:User",
          "enabled": true,
          "filter": "title pr or userType eq \"Intern\"",
          "operations": {
            "create": true,
            "delete": true,
            "update": true
          },
          "strictness": "strict",
          "transform_jsonata": "$merge([$, {'userName': $substringBefore($.userName, '@') & '+test@' & $substringAfter($.userName, '@')}])"
        }
      ]
    },
    "self_hosted_domains": [
      "test.example.com/admin",
      "test.anotherexample.com/staff"
    ],
    "service_auth_401_redirect": true,
    "session_duration": "24h",
    "skip_interstitial": true,
    "tags": [
      "engineers"
    ],
    "updated_at": "2014-01-01T05:20:00.12345Z",
    "use_clientless_isolation_app_launcher_url": false
  }
}
```
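A check a reviewer might run over the response body shown above, added here as an example and not part of the SDK or of this page's code: it parses the JSON and reports settings that weaken the application (credentialed CORS from every origin, cookie attributes, MFA disabled, bypass policies). `Audit`, the finding strings and the sample body are constructed for illustration, and `lax` as an accepted SameSite value is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// accessApp holds only the fields this check reads; keys as in the page's response.
type accessApp struct {
	HTTPOnly *bool  `json:"http_only_cookie_attribute"`
	SameSite string `json:"same_site_cookie_attribute"`
	CORS     struct {
		AllOrigins  bool `json:"allow_all_origins"`
		Credentials bool `json:"allow_credentials"`
	} `json:"cors_headers"`
	MFA      struct{ Disabled bool `json:"mfa_disabled"` } `json:"mfa_config"`
	Policies []struct {
		Name     string `json:"name"`
		Decision string `json:"decision"`
	} `json:"policies"`
}

// Audit parses a response body and returns one finding per weak setting.
func Audit(body []byte) ([]string, error) {
	var env struct {
		Success bool      `json:"success"`
		Result  accessApp `json:"result"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return nil, err
	}
	if !env.Success {
		return nil, fmt.Errorf("response has success=false, nothing to audit")
	}
	app, out := env.Result, []string{}
	if app.CORS.AllOrigins && app.CORS.Credentials {
		out = append(out, "cors: credentialed requests allowed from every origin")
	}
	// Assumption: "lax" is the API's spelling of the other protective value.
	if app.SameSite != "strict" && app.SameSite != "lax" {
		out = append(out, "cookie: SameSite is not lax or strict")
	}
	if app.HTTPOnly != nil && !*app.HTTPOnly {
		out = append(out, "cookie: HttpOnly attribute is off")
	}
	if app.MFA.Disabled {
		out = append(out, "mfa: disabled at the application level")
	}
	for _, p := range app.Policies {
		if p.Decision == "bypass" {
			out = append(out, "policy "+p.Name+": bypass decision")
		}
	}
	return out, nil
}

// Constructed sample: the page's response trimmed down, with weakened values.
const sample = `{"success": true, "result": {
  "cors_headers": {"allow_all_origins": true, "allow_credentials": true}, "http_only_cookie_attribute": false,
  "same_site_cookie_attribute": "none", "mfa_config": {"mfa_disabled": true}, "policies": [{"name": "Allow devs", "decision": "bypass"}]}}`

func main() {
	fmt.Println(Audit([]byte(sample)))
}
```

Run against the unmodified response on this page, the only finding is the CORS one, because `allow_all_origins` and `allow_credentials` are both true there.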