API Reference

Zero Trust

Access

Applications

Copy Markdown

Open in Claude

Open in ChatGPT

Open in Cursor

---

Copy Markdown

View as Markdown

Policies

List Access application policies

client.ZeroTrust.Access.Applications.Policies.List(ctx, appID, params) (*V4PagePaginationArray[AccessApplicationPolicyListResponse], error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies

Get an Access application policy

client.ZeroTrust.Access.Applications.Policies.Get(ctx, appID, policyID, query) (*AccessApplicationPolicyGetResponse, error)

GET/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

Create an Access application policy

client.ZeroTrust.Access.Applications.Policies.New(ctx, appID, params) (*AccessApplicationPolicyNewResponse, error)

POST/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies

Update an Access application policy

client.ZeroTrust.Access.Applications.Policies.Update(ctx, appID, policyID, params) (*AccessApplicationPolicyUpdateResponse, error)

PUT/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

Delete an Access application policy

client.ZeroTrust.Access.Applications.Policies.Delete(ctx, appID, policyID, body) (*AccessApplicationPolicyDeleteResponse, error)

DELETE/{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/policies/{policy_id}

ModelsExpand Collapse

type AccessDevicePostureRule struct{…}

Enforces a device posture rule has run successfully

DevicePosture AccessDevicePostureRuleDevicePosture

IntegrationUID string

The ID of a device posture integration.

type AccessRule interface{…}

Matches an Access group.

One of the following:

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AccessRuleAccessAuthContextRule struct{…}

Matches an Azure Authentication Context. Requires an Azure identity provider.

AuthContext AccessRuleAccessAuthContextRuleAuthContext

ID string

The ID of an Authentication context.

AcID string

The ACID of an Authentication context.

IdentityProviderID string

The ID of your Azure identity provider.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod

AuthMethod string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD

ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate

type AccessRuleAccessCommonNameRule struct{…}

Matches a specific common name.

CommonName AccessRuleAccessCommonNameRuleCommonName

CommonName string

The common name to match.

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo

CountryCode string

The country code that should be matched.

type AccessDevicePostureRule struct{…}

Enforces a device posture rule has run successfully

DevicePosture AccessDevicePostureRuleDevicePosture

IntegrationUID string

The ID of a device posture integration.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain

Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList

ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail

Email string

The email of the user.

formatemail

type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation

EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a Github organization. Requires a Github identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization

IdentityProviderID string

The ID of your Github identity provider.

Name string

The name of the organization.

Team stringOptional

The name of the team

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite

Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type AccessRuleAccessLoginMethodRule struct{…}

Matches a specific identity provider id.

LoginMethod AccessRuleAccessLoginMethodRuleLoginMethod

ID string

The ID of an identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList

ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP

IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta

IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML

AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type AccessRuleAccessOIDCClaimRule struct{…}

Matches an OIDC claim. Requires an OIDC identity provider.

OIDC AccessRuleAccessOIDCClaimRuleOIDC

ClaimName string

The name of the OIDC claim.

ClaimValue string

The OIDC claim value to look for.

IdentityProviderID string

The ID of your OIDC identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken

TokenID string

The ID of a Service Token.

type AccessRuleAccessLinkedAppTokenRule struct{…}

Matches OAuth 2.0 access tokens issued by the specified Access OIDC SaaS application. Only compatible with non_identity and bypass decisions.

LinkedAppToken AccessRuleAccessLinkedAppTokenRuleLinkedAppToken

AppUID string

The ID of an Access OIDC SaaS application

type AccessRuleAccessUserRiskScoreRule struct{…}

Matches a user’s risk score.

UserRiskScore AccessRuleAccessUserRiskScoreRuleUserRiskScore

UserRiskScore []AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore

A list of risk score levels to match. Values can be low, medium, high, or unscored.

One of the following:

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreLow AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "low"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreMedium AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "medium"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreHigh AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "high"

const AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScoreUnscored AccessRuleAccessUserRiskScoreRuleUserRiskScoreUserRiskScore = "unscored"

type AccessRuleAccessCloudflareAccountMemberRule struct{…}

Matches users who are members of a specific Cloudflare account. Requires a Cloudflare identity provider.

CloudflareAccountMember AccessRuleAccessCloudflareAccountMemberRuleCloudflareAccountMember

AccountID stringOptional

Identifier.

maxLength32

type AnyValidServiceTokenRule struct{…}

Matches any valid Access Service Token

AnyValidServiceToken AnyValidServiceTokenRuleAnyValidServiceToken

An empty object which matches on all service tokens.

type AuthenticationMethodRule struct{…}

Enforce different MFA options

AuthMethod AuthenticationMethodRuleAuthMethod

AuthMethod string

The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176#section-2.

type AzureGroupRule struct{…}

Matches an Azure group. Requires an Azure identity provider.

AzureAD AzureGroupRuleAzureAD

ID string

The ID of an Azure group.

IdentityProviderID string

The ID of your Azure identity provider.

type CertificateRule struct{…}

Matches any valid client certificate.

Certificate CertificateRuleCertificate

type CountryRule struct{…}

Matches a specific country

Geo CountryRuleGeo

CountryCode string

The country code that should be matched.

type DomainRule struct{…}

Match an entire email domain.

EmailDomain DomainRuleEmailDomain

Domain string

The email domain to match.

type EmailListRule struct{…}

Matches an email address from a list.

EmailList EmailListRuleEmailList

ID string

The ID of a previously created email list.

type EmailRule struct{…}

Matches a specific email.

Email EmailRuleEmail

Email string

The email of the user.

formatemail

type EveryoneRule struct{…}

Matches everyone.

Everyone EveryoneRuleEveryone

An empty object which matches on all users.

type ExternalEvaluationRule struct{…}

Create Allow or Block policies which evaluate the user based on custom criteria.

ExternalEvaluation ExternalEvaluationRuleExternalEvaluation

EvaluateURL string

The API endpoint containing your business logic.

KeysURL string

The API endpoint containing the key that Access uses to verify that the response came from your API.

type GitHubOrganizationRule struct{…}

Matches a Github organization. Requires a Github identity provider.

GitHubOrganization GitHubOrganizationRuleGitHubOrganization

IdentityProviderID string

The ID of your Github identity provider.

Name string

The name of the organization.

Team stringOptional

The name of the team

type GroupRule struct{…}

Matches an Access group.

Group GroupRuleGroup

ID string

The ID of a previously created Access group.

type GSuiteGroupRule struct{…}

Matches a group in Google Workspace. Requires a Google Workspace identity provider.

GSuite GSuiteGroupRuleGSuite

Email string

The email of the Google Workspace group.

IdentityProviderID string

The ID of your Google Workspace identity provider.

type IPListRule struct{…}

Matches an IP address from a list.

IPList IPListRuleIPList

ID string

The ID of a previously created IP list.

type IPRule struct{…}

Matches an IP address block.

IP IPRuleIP

IP string

An IPv4 or IPv6 CIDR block.

type OktaGroupRule struct{…}

Matches an Okta group. Requires an Okta identity provider.

Okta OktaGroupRuleOkta

IdentityProviderID string

The ID of your Okta identity provider.

Name string

The name of the Okta group.

type SAMLGroupRule struct{…}

Matches a SAML group. Requires a SAML identity provider.

SAML SAMLGroupRuleSAML

AttributeName string

The name of the SAML attribute.

AttributeValue string

The SAML attribute value to look for.

IdentityProviderID string

The ID of your SAML identity provider.

type ServiceTokenRule struct{…}

Matches a specific Access Service Token

ServiceToken ServiceTokenRuleServiceToken

TokenID string

The ID of a Service Token.