Access

Access AI Controls

Access AI Controls Mcp

Access AI Controls Mcp Portals

List MCP Portals
GET /accounts/{account_id}/access/ai-controls/mcp/portals
Create a new MCP Portal
POST /accounts/{account_id}/access/ai-controls/mcp/portals
Read details of an MCP Portal
GET /accounts/{account_id}/access/ai-controls/mcp/portals/{id}
Update a MCP Portal
PUT /accounts/{account_id}/access/ai-controls/mcp/portals/{id}
Delete a MCP Portal
DELETE /accounts/{account_id}/access/ai-controls/mcp/portals/{id}
Models
PortalListResponse object { id, hostname, name, 8 more }
id: string

portal id

maxLength32
minLength1
hostname: string
name: string
maxLength350
servers: array of object { id, auth_type, hostname, 19 more }
id: string

server id

maxLength32
minLength1
auth_type: "oauth" or "bearer" or "unauthenticated"
One of the following:
"oauth"
"bearer"
"unauthenticated"
hostname: string
formaturi
name: string
maxLength350
prompts: array of map[unknown]
tools: array of map[unknown]
created_at: optional string
formatdate-time
created_by: optional string
default_disabled: optional boolean
description: optional string
maxLength512
error: optional string
error_details: optional object { cause, is_upstream, mcp_code, 2 more }
cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string
formatdate-time
last_synced: optional string
formatdate-time
modified_at: optional string
formatdate-time
modified_by: optional string
on_behalf: optional boolean
secure_web_gateway: optional boolean

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: optional string
updated_prompts: optional array of object { name, enabled, portal_alias, 3 more }
name: string
enabled: optional boolean
portal_alias: optional string
portal_description: optional string
server_alias: optional string
server_description: optional string
updated_tools: optional array of object { name, enabled, portal_alias, 3 more }
name: string
enabled: optional boolean
portal_alias: optional string
portal_description: optional string
server_alias: optional string
server_description: optional string
allow_code_mode: optional boolean

Allow remote code execution in Dynamic Workers (beta)

created_at: optional string
formatdate-time
created_by: optional string
description: optional string
maxLength512
modified_at: optional string
formatdate-time
modified_by: optional string
secure_web_gateway: optional boolean

Route outbound MCP traffic through Zero Trust Secure Web Gateway

PortalCreateResponse object { id, hostname, name, 8 more }
id: string

portal id

maxLength32
minLength1
hostname: string
name: string
maxLength350
servers: array of object { id, auth_type, hostname, 19 more }
id: string

server id

maxLength32
minLength1
auth_type: "oauth" or "bearer" or "unauthenticated"
One of the following:
"oauth"
"bearer"
"unauthenticated"
hostname: string
formaturi
name: string
maxLength350
prompts: array of map[unknown]
tools: array of map[unknown]
created_at: optional string
formatdate-time
created_by: optional string
default_disabled: optional boolean
description: optional string
maxLength512
error: optional string
error_details: optional object { cause, is_upstream, mcp_code, 2 more }
cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string
formatdate-time
last_synced: optional string
formatdate-time
modified_at: optional string
formatdate-time
modified_by: optional string
on_behalf: optional boolean
secure_web_gateway: optional boolean

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: optional string
updated_prompts: optional array of object { name, enabled, portal_alias, 3 more }
name: string
enabled: optional boolean
portal_alias: optional string
portal_description: optional string
server_alias: optional string
server_description: optional string
updated_tools: optional array of object { name, enabled, portal_alias, 3 more }
name: string
enabled: optional boolean
portal_alias: optional string
portal_description: optional string
server_alias: optional string
server_description: optional string
allow_code_mode: optional boolean

Allow remote code execution in Dynamic Workers (beta)

created_at: optional string
formatdate-time
created_by: optional string
description: optional string
maxLength512
modified_at: optional string
formatdate-time
modified_by: optional string
secure_web_gateway: optional boolean

Route outbound MCP traffic through Zero Trust Secure Web Gateway

PortalReadResponse object { id, hostname, name, 8 more }
id: string

portal id

maxLength32
minLength1
hostname: string
name: string
maxLength350
servers: array of object { id, auth_type, hostname, 19 more }
id: string

server id

maxLength32
minLength1
auth_type: "oauth" or "bearer" or "unauthenticated"
One of the following:
"oauth"
"bearer"
"unauthenticated"
hostname: string
formaturi
name: string
maxLength350
prompts: array of map[unknown]
tools: array of map[unknown]
created_at: optional string
formatdate-time
created_by: optional string
default_disabled: optional boolean
description: optional string
maxLength512
error: optional string
error_details: optional object { cause, is_upstream, mcp_code, 2 more }
cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string
formatdate-time
last_synced: optional string
formatdate-time
modified_at: optional string
formatdate-time
modified_by: optional string
on_behalf: optional boolean
secure_web_gateway: optional boolean

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: optional string
updated_prompts: optional array of object { name, enabled, portal_alias, 3 more }
name: string
enabled: optional boolean
portal_alias: optional string
portal_description: optional string
server_alias: optional string
server_description: optional string
updated_tools: optional array of object { name, enabled, portal_alias, 3 more }
name: string
enabled: optional boolean
portal_alias: optional string
portal_description: optional string
server_alias: optional string
server_description: optional string
allow_code_mode: optional boolean

Allow remote code execution in Dynamic Workers (beta)

created_at: optional string
formatdate-time
created_by: optional string
description: optional string
maxLength512
modified_at: optional string
formatdate-time
modified_by: optional string
secure_web_gateway: optional boolean

Route outbound MCP traffic through Zero Trust Secure Web Gateway

PortalUpdateResponse object { id, hostname, name, 8 more }
id: string

portal id

maxLength32
minLength1
hostname: string
name: string
maxLength350
servers: array of object { id, auth_type, hostname, 19 more }
id: string

server id

maxLength32
minLength1
auth_type: "oauth" or "bearer" or "unauthenticated"
One of the following:
"oauth"
"bearer"
"unauthenticated"
hostname: string
formaturi
name: string
maxLength350
prompts: array of map[unknown]
tools: array of map[unknown]
created_at: optional string
formatdate-time
created_by: optional string
default_disabled: optional boolean
description: optional string
maxLength512
error: optional string
error_details: optional object { cause, is_upstream, mcp_code, 2 more }
cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string
formatdate-time
last_synced: optional string
formatdate-time
modified_at: optional string
formatdate-time
modified_by: optional string
on_behalf: optional boolean
secure_web_gateway: optional boolean

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: optional string
updated_prompts: optional array of object { name, enabled, portal_alias, 3 more }
name: string
enabled: optional boolean
portal_alias: optional string
portal_description: optional string
server_alias: optional string
server_description: optional string
updated_tools: optional array of object { name, enabled, portal_alias, 3 more }
name: string
enabled: optional boolean
portal_alias: optional string
portal_description: optional string
server_alias: optional string
server_description: optional string
allow_code_mode: optional boolean

Allow remote code execution in Dynamic Workers (beta)

created_at: optional string
formatdate-time
created_by: optional string
description: optional string
maxLength512
modified_at: optional string
formatdate-time
modified_by: optional string
secure_web_gateway: optional boolean

Route outbound MCP traffic through Zero Trust Secure Web Gateway

PortalDeleteResponse object { id, hostname, name, 7 more }
id: string

portal id

maxLength32
minLength1
hostname: string
name: string
maxLength350
allow_code_mode: optional boolean

Allow remote code execution in Dynamic Workers (beta)

created_at: optional string
formatdate-time
created_by: optional string
description: optional string
maxLength512
modified_at: optional string
formatdate-time
modified_by: optional string
secure_web_gateway: optional boolean

Route outbound MCP traffic through Zero Trust Secure Web Gateway

Access AI Controls Mcp Servers

List MCP Servers
GET /accounts/{account_id}/access/ai-controls/mcp/servers
Create a new MCP Server
POST /accounts/{account_id}/access/ai-controls/mcp/servers
Read the details of a MCP Server
GET /accounts/{account_id}/access/ai-controls/mcp/servers/{id}
Update a MCP Server
PUT /accounts/{account_id}/access/ai-controls/mcp/servers/{id}
Delete a MCP Server
DELETE /accounts/{account_id}/access/ai-controls/mcp/servers/{id}
Sync MCP Server Capabilities
POST /accounts/{account_id}/access/ai-controls/mcp/servers/{id}/sync
Models
ServerListResponse object { id, auth_type, hostname, 17 more }
id: string

server id

maxLength32
minLength1
auth_type: "oauth" or "bearer" or "unauthenticated"
One of the following:
"oauth"
"bearer"
"unauthenticated"
hostname: string
formaturi
name: string
maxLength350
prompts: array of map[unknown]
tools: array of map[unknown]
created_at: optional string
formatdate-time
created_by: optional string
description: optional string
maxLength512
error: optional string
error_details: optional object { cause, is_upstream, mcp_code, 2 more }
cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string
formatdate-time
last_synced: optional string
formatdate-time
modified_at: optional string
formatdate-time
modified_by: optional string
secure_web_gateway: optional boolean

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: optional string
updated_prompts: optional array of object { name, alias, description, enabled }
name: string
alias: optional string
maxLength40
description: optional string
enabled: optional boolean
updated_tools: optional array of object { name, alias, description, enabled }
name: string
alias: optional string
maxLength40
description: optional string
enabled: optional boolean
ServerCreateResponse object { id, auth_type, hostname, 17 more }
id: string

server id

maxLength32
minLength1
auth_type: "oauth" or "bearer" or "unauthenticated"
One of the following:
"oauth"
"bearer"
"unauthenticated"
hostname: string
formaturi
name: string
maxLength350
prompts: array of map[unknown]
tools: array of map[unknown]
created_at: optional string
formatdate-time
created_by: optional string
description: optional string
maxLength512
error: optional string
error_details: optional object { cause, is_upstream, mcp_code, 2 more }
cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string
formatdate-time
last_synced: optional string
formatdate-time
modified_at: optional string
formatdate-time
modified_by: optional string
secure_web_gateway: optional boolean

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: optional string
updated_prompts: optional array of object { name, alias, description, enabled }
name: string
alias: optional string
maxLength40
description: optional string
enabled: optional boolean
updated_tools: optional array of object { name, alias, description, enabled }
name: string
alias: optional string
maxLength40
description: optional string
enabled: optional boolean
ServerReadResponse object { id, auth_type, hostname, 17 more }
id: string

server id

maxLength32
minLength1
auth_type: "oauth" or "bearer" or "unauthenticated"
One of the following:
"oauth"
"bearer"
"unauthenticated"
hostname: string
formaturi
name: string
maxLength350
prompts: array of map[unknown]
tools: array of map[unknown]
created_at: optional string
formatdate-time
created_by: optional string
description: optional string
maxLength512
error: optional string
error_details: optional object { cause, is_upstream, mcp_code, 2 more }
cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string
formatdate-time
last_synced: optional string
formatdate-time
modified_at: optional string
formatdate-time
modified_by: optional string
secure_web_gateway: optional boolean

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: optional string
updated_prompts: optional array of object { name, alias, description, enabled }
name: string
alias: optional string
maxLength40
description: optional string
enabled: optional boolean
updated_tools: optional array of object { name, alias, description, enabled }
name: string
alias: optional string
maxLength40
description: optional string
enabled: optional boolean
ServerUpdateResponse object { id, auth_type, hostname, 17 more }
id: string

server id

maxLength32
minLength1
auth_type: "oauth" or "bearer" or "unauthenticated"
One of the following:
"oauth"
"bearer"
"unauthenticated"
hostname: string
formaturi
name: string
maxLength350
prompts: array of map[unknown]
tools: array of map[unknown]
created_at: optional string
formatdate-time
created_by: optional string
description: optional string
maxLength512
error: optional string
error_details: optional object { cause, is_upstream, mcp_code, 2 more }
cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string
formatdate-time
last_synced: optional string
formatdate-time
modified_at: optional string
formatdate-time
modified_by: optional string
secure_web_gateway: optional boolean

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: optional string
updated_prompts: optional array of object { name, alias, description, enabled }
name: string
alias: optional string
maxLength40
description: optional string
enabled: optional boolean
updated_tools: optional array of object { name, alias, description, enabled }
name: string
alias: optional string
maxLength40
description: optional string
enabled: optional boolean
ServerDeleteResponse object { id, auth_type, hostname, 17 more }
id: string

server id

maxLength32
minLength1
auth_type: "oauth" or "bearer" or "unauthenticated"
One of the following:
"oauth"
"bearer"
"unauthenticated"
hostname: string
formaturi
name: string
maxLength350
prompts: array of map[unknown]
tools: array of map[unknown]
created_at: optional string
formatdate-time
created_by: optional string
description: optional string
maxLength512
error: optional string
error_details: optional object { cause, is_upstream, mcp_code, 2 more }
cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

is_shared_oauth_callback_enabled: optional boolean

When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. Defaults to false (off); opt in per server by setting true. Effective behavior is gated by the gateway worker’s per-env rollout mode KV key.

last_successful_sync: optional string
formatdate-time
last_synced: optional string
formatdate-time
modified_at: optional string
formatdate-time
modified_by: optional string
secure_web_gateway: optional boolean

Route outbound traffic to this MCP server through Zero Trust Secure Web Gateway

status: optional string
updated_prompts: optional array of object { name, alias, description, enabled }
name: string
alias: optional string
maxLength40
description: optional string
enabled: optional boolean
updated_tools: optional array of object { name, alias, description, enabled }
name: string
alias: optional string
maxLength40
description: optional string
enabled: optional boolean
ServerSyncResponse object { error, error_details, status }
error: optional string
error_details: optional object { cause, is_upstream, mcp_code, 2 more }
cause: optional string

Underlying error message

is_upstream: optional boolean

True = MCP server returned an error. False = couldn’t reach the server

mcp_code: optional number

MCP protocol error code

retryable: optional boolean

Whether the error is transient and worth retrying

status_code: optional number

HTTP status code from the server

status: optional string

Access Gateway CA

List SSH Certificate Authorities (CA)
GET /accounts/{account_id}/access/gateway_ca
Add a new SSH Certificate Authority (CA)
POST /accounts/{account_id}/access/gateway_ca
Delete an SSH Certificate Authority (CA)
DELETE /accounts/{account_id}/access/gateway_ca/{certificate_id}
Models
GatewayCAListResponse object { id, public_key }
id: optional string

The key ID of this certificate.

public_key: optional string

The public key of this certificate.

GatewayCACreateResponse object { id, public_key }
id: optional string

The key ID of this certificate.

public_key: optional string

The public key of this certificate.

GatewayCADeleteResponse object { id }
id: optional string

UUID.

maxLength36

Access IdP Federation Grants

List IdP federation grants
GET /accounts/{account_id}/access/idp_federation_grants
Create an IdP federation grant
POST /accounts/{account_id}/access/idp_federation_grants
Get an IdP federation grant
GET /accounts/{account_id}/access/idp_federation_grants/{grant_id}
Delete an IdP federation grant
DELETE /accounts/{account_id}/access/idp_federation_grants/{grant_id}
Models
IdPFederationGrant object { id, idp_id }
id: string

UID of the IdP federation grant.

maxLength32
idp_id: string

UID of the identity provider being federated.

formatuuid
IdPFederationGrantListResponse = array of IdPFederationGrant { id, idp_id }
id: string

UID of the IdP federation grant.

maxLength32
idp_id: string

UID of the identity provider being federated.

formatuuid
IdPFederationGrantDeleteResponse object { id }
id: optional string

UID of the deleted IdP federation grant.

maxLength32

Access SAML Certificates

List SAML certificate sets
GET /accounts/{account_id}/access/saml_certificates
Get SAML certificate set
GET /accounts/{account_id}/access/saml_certificates/{saml_cert_set_id}
Rotate SAML certificate
POST /accounts/{account_id}/access/saml_certificates/{saml_cert_set_id}/rotate
Download current certificate in PEM format
GET /accounts/{account_id}/access/saml_certificates/{saml_cert_set_id}/pem
Models
SAMLCertificateListResponse object { created_at, uid, updated_at, 2 more }
created_at: string

When the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

updated_at: string

When the certificate set was last updated

formatdate-time
current_certificate: optional object { is_current, not_after, public_certificate, uid }

The current active certificate

is_current: boolean

Indicates whether the certificate can be used for IdP configuration.

not_after: string

Certificate expiration date

formatdate-time
public_certificate: string

The public certificate in PEM format

uid: string

Unique identifier for the certificate

previous_certificate: optional unknown

The previous certificate (maintained during rotation period). May be null when no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateGetResponse object { created_at, uid, updated_at, 2 more }
created_at: string

When the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

updated_at: string

When the certificate set was last updated

formatdate-time
current_certificate: optional object { is_current, not_after, public_certificate, uid }

The current active certificate

is_current: boolean

Indicates whether the certificate can be used for IdP configuration.

not_after: string

Certificate expiration date

formatdate-time
public_certificate: string

The public certificate in PEM format

uid: string

Unique identifier for the certificate

previous_certificate: optional unknown

The previous certificate (maintained during rotation period). May be null when no rotation has occurred. Mirrors the structure of saml_certificate.

SAMLCertificateRotateResponse object { created_at, uid, updated_at, 2 more }
created_at: string

When the certificate set was created

formatdate-time
uid: string

Unique identifier for the certificate set

updated_at: string

When the certificate set was last updated

formatdate-time
current_certificate: optional object { is_current, not_after, public_certificate, uid }

The current active certificate

is_current: boolean

Indicates whether the certificate can be used for IdP configuration.

not_after: string

Certificate expiration date

formatdate-time
public_certificate: string

The public certificate in PEM format

uid: string

Unique identifier for the certificate

previous_certificate: optional unknown

The previous certificate (maintained during rotation period). May be null when no rotation has occurred. Mirrors the structure of saml_certificate.

Access Infrastructure

Access Infrastructure Targets

List all targets
GET /accounts/{account_id}/infrastructure/targets
Get target
GET /accounts/{account_id}/infrastructure/targets/{target_id}
Create new target
POST /accounts/{account_id}/infrastructure/targets
Update target
PUT /accounts/{account_id}/infrastructure/targets/{target_id}
Delete target
DELETE /accounts/{account_id}/infrastructure/targets/{target_id}
Create new targets
PUT /accounts/{account_id}/infrastructure/targets/batch
Delete targets (Deprecated)
DELETE /accounts/{account_id}/infrastructure/targets/batch
Delete targets
POST /accounts/{account_id}/infrastructure/targets/batch_delete
Models
TargetListResponse object { id, created_at, hostname, 2 more }
id: string

Target identifier

formatuuid
maxLength36
created_at: string

Date and time at which the target was created

formatdate-time
hostname: string

A non-unique field that refers to a target

ip: object { ipv4, ipv6 }

The IPv4/IPv6 address that identifies where to reach a target

ipv4: optional object { ip_addr, virtual_network_id }

The target’s IPv4 address

ip_addr: optional string

IP address of the target

virtual_network_id: optional string

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

formatuuid
ipv6: optional object { ip_addr, virtual_network_id }

The target’s IPv6 address

ip_addr: optional string

IP address of the target

virtual_network_id: optional string

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

formatuuid
modified_at: string

Date and time at which the target was modified

formatdate-time
TargetGetResponse object { id, created_at, hostname, 2 more }
id: string

Target identifier

formatuuid
maxLength36
created_at: string

Date and time at which the target was created

formatdate-time
hostname: string

A non-unique field that refers to a target

ip: object { ipv4, ipv6 }

The IPv4/IPv6 address that identifies where to reach a target

ipv4: optional object { ip_addr, virtual_network_id }

The target’s IPv4 address

ip_addr: optional string

IP address of the target

virtual_network_id: optional string

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

formatuuid
ipv6: optional object { ip_addr, virtual_network_id }

The target’s IPv6 address

ip_addr: optional string

IP address of the target

virtual_network_id: optional string

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

formatuuid
modified_at: string

Date and time at which the target was modified

formatdate-time
TargetCreateResponse object { id, created_at, hostname, 2 more }
id: string

Target identifier

formatuuid
maxLength36
created_at: string

Date and time at which the target was created

formatdate-time
hostname: string

A non-unique field that refers to a target

ip: object { ipv4, ipv6 }

The IPv4/IPv6 address that identifies where to reach a target

ipv4: optional object { ip_addr, virtual_network_id }

The target’s IPv4 address

ip_addr: optional string

IP address of the target

virtual_network_id: optional string

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

formatuuid
ipv6: optional object { ip_addr, virtual_network_id }

The target’s IPv6 address

ip_addr: optional string

IP address of the target

virtual_network_id: optional string

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

formatuuid
modified_at: string

Date and time at which the target was modified

formatdate-time
TargetUpdateResponse object { id, created_at, hostname, 2 more }
id: string

Target identifier

formatuuid
maxLength36
created_at: string

Date and time at which the target was created

formatdate-time
hostname: string

A non-unique field that refers to a target

ip: object { ipv4, ipv6 }

The IPv4/IPv6 address that identifies where to reach a target

ipv4: optional object { ip_addr, virtual_network_id }

The target’s IPv4 address

ip_addr: optional string

IP address of the target

virtual_network_id: optional string

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

formatuuid
ipv6: optional object { ip_addr, virtual_network_id }

The target’s IPv6 address

ip_addr: optional string

IP address of the target

virtual_network_id: optional string

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

formatuuid
modified_at: string

Date and time at which the target was modified

formatdate-time
TargetBulkUpdateResponse object { id, created_at, hostname, 2 more }
id: string

Target identifier

formatuuid
maxLength36
created_at: string

Date and time at which the target was created

formatdate-time
hostname: string

A non-unique field that refers to a target

ip: object { ipv4, ipv6 }

The IPv4/IPv6 address that identifies where to reach a target

ipv4: optional object { ip_addr, virtual_network_id }

The target’s IPv4 address

ip_addr: optional string

IP address of the target

virtual_network_id: optional string

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

formatuuid
ipv6: optional object { ip_addr, virtual_network_id }

The target’s IPv6 address

ip_addr: optional string

IP address of the target

virtual_network_id: optional string

(optional) Private virtual network identifier for the target. If omitted, the default virtual network ID will be used.

formatuuid
modified_at: string

Date and time at which the target was modified

formatdate-time

Access Applications

List Access applications
GET /{accounts_or_zones}/{account_or_zone_id}/access/apps
Get an Access application
GET /{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}
Add an Access application
POST /{accounts_or_zones}/{account_or_zone_id}/access/apps
Update an Access application
PUT /{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}
Delete an Access application
DELETE /{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}
Revoke application tokens
POST /{accounts_or_zones}/{account_or_zone_id}/access/apps/{app_id}/revoke_tokens
Models
AllowedHeaders = string
AllowedIdPs = string

The identity providers selected for application.

AllowedMethods = "GET" or "POST" or "HEAD" or 6 more
One of the following:
"GET"
"POST"
"HEAD"
"PUT"
"DELETE"
"CONNECT"
"OPTIONS"
"TRACE"
"PATCH"
AllowedOrigins = string
AppID = string

Identifier.

Application = object { domain, type, id, 22 more } or object { id, allowed_idps, app_launcher_visible, 9 more } or object { domain, type, id, 22 more } or 5 more
One of the following:
SelfHostedApplication object { domain, type, id, 22 more }
domain: string

The domain and path that Access will secure.

type: string

The application type.

id: optional string

UUID.

maxLength36
allow_iframe: optional boolean

Enables loading application content in an iFrame.

allowed_idps: optional array of AllowedIdPs

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

app_launcher_visible: optional boolean

Displays the application in the App Launcher.

aud: optional string

Audience tag.

maxLength64
auto_redirect_to_identity: optional boolean

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

cors_headers: optional object { allow_all_headers, allow_all_methods, allow_all_origins, 5 more }
allow_all_headers: optional boolean

Allows all HTTP request headers.

allow_all_methods: optional boolean

Allows all HTTP request methods.

allow_all_origins: optional boolean

Allows all origins.

allow_credentials: optional boolean

When set to true, includes credentials (cookies, authorization headers, or TLS client certificates) with requests.

allowed_headers: optional array of unknown

Allowed HTTP request headers.

allowed_methods: optional array of AllowedMethods

Allowed HTTP request methods.

One of the following:
"GET"
"POST"
"HEAD"
"PUT"
"DELETE"
"CONNECT"
"OPTIONS"
"TRACE"
"PATCH"
allowed_origins: optional array of unknown

Allowed origins.

max_age: optional number

The maximum number of seconds the results of a preflight request can be cached.

maximum86400
minimum-1
created_at: optional string
formatdate-time
custom_deny_message: optional string

The custom error message shown to a user when they are denied access to the application.

custom_deny_url: optional string

The custom URL a user is redirected to when they are denied access to the application.

logo_url: optional string

The image URL for the logo shown in the App Launcher dashboard.

name: optional string

The name of the application.

options_preflight_bypass: optional boolean

Allows OPTIONS preflight requests to bypass Access authentication and go directly to the origin. Cannot be turned on if cors_headers is set.

scim_config: optional object { idp_uid, remote_uri, authentication, 3 more }

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

idp_uid: string

The UID of the IdP to use as the source for SCIM resources to provision to this application.

remote_uri: string

The base URI for the application’s SCIM-compatible API.

authentication: optional SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or object { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or 2 more

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

One of the following:
SCIMConfigAuthenticationHTTPBasic object { password, scheme, user }

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

password: string

Password used to authenticate with the remote SCIM service.

scheme: "httpbasic"

The authentication scheme to use when making SCIM requests to this application.

user: string

User name used to authenticate with the remote SCIM service.

AccessSCIMConfigAuthenticationOAuthBearerToken2 object { token, scheme }

Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.

token: string

Token used to authenticate with the remote SCIM service.

scheme: "oauthbearertoken"

The authentication scheme to use when making SCIM requests to this application.

SCIMConfigAuthenticationOauth2 object { authorization_url, client_id, client_secret, 3 more }

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

authorization_url: string

URL used to generate the auth code used during token generation.

client_id: string

Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.

client_secret: string

Secret used to authenticate when generating a token for authenticating with the remote SCIM service.

scheme: "oauth2"

The authentication scheme to use when making SCIM requests to this application.

token_url: string

URL used to generate the token used to authenticate with the remote SCIM service.

scopes: optional array of string

The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

AccessSCIMConfigAuthenticationAccessServiceToken object { client_id, client_secret, scheme }

Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.

client_id: string

Client ID of the Access service token used to authenticate with the remote service.

client_secret: string

Client secret of the Access service token used to authenticate with the remote service.

scheme: "access_service_token"

The authentication scheme to use when making SCIM requests to this application.

AccessSCIMConfigMultiAuthentication2 = array of SCIMConfigAuthenticationHTTPBasic { password, scheme, user } or object { token, scheme } or SCIMConfigAuthenticationOauth2 { authorization_url, client_id, client_secret, 3 more } or object { client_id, client_secret, scheme }

Multiple authentication schemes

One of the following:
SCIMConfigAuthenticationHTTPBasic object { password, scheme, user }

Attributes for configuring HTTP Basic authentication scheme for SCIM provisioning to an application.

password: string

Password used to authenticate with the remote SCIM service.

scheme: "httpbasic"

The authentication scheme to use when making SCIM requests to this application.

user: string

User name used to authenticate with the remote SCIM service.

AccessSCIMConfigAuthenticationOAuthBearerToken2 object { token, scheme }

Attributes for configuring OAuth Bearer Token authentication scheme for SCIM provisioning to an application.

token: string

Token used to authenticate with the remote SCIM service.

scheme: "oauthbearertoken"

The authentication scheme to use when making SCIM requests to this application.

SCIMConfigAuthenticationOauth2 object { authorization_url, client_id, client_secret, 3 more }

Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning to an application.

authorization_url: string

URL used to generate the auth code used during token generation.

client_id: string

Client ID used to authenticate when generating a token for authenticating with the remote SCIM service.

client_secret: string

Secret used to authenticate when generating a token for authenticating with the remote SCIM service.

scheme: "oauth2"

The authentication scheme to use when making SCIM requests to this application.

token_url: string

URL used to generate the token used to authenticate with the remote SCIM service.

scopes: optional array of string

The authorization scopes to request when generating the token used to authenticate with the remote SCIM service.

AccessSCIMConfigAuthenticationAccessServiceToken object { client_id, client_secret, scheme }

Attributes for configuring Access Service Token authentication scheme for SCIM provisioning to an application.

client_id: string

Client ID of the Access service token used to authenticate with the remote service.

client_secret: string

Client secret of the Access service token used to authenticate with the remote service.

scheme: "access_service_token"

The authentication scheme to use when making SCIM requests to this application.

deactivate_on_delete: optional boolean

If false, we propagate DELETE requests to the target application for SCIM resources. If true, we only set active to false on the SCIM resource. This is useful because some targets do not support DELETE operations.

enabled: optional boolean

Whether SCIM provisioning is turned on for this application.

mappings: optional array of SCIMConfigMapping { schema, enabled, filter, 3 more }

A list of mappings to apply to SCIM resources before provisioning them in this application. These can transform or filter the resources to be provisioned.

schema: string

Which SCIM resource type this mapping applies to.

enabled: optional boolean

Whether or not this mapping is enabled.

filter: optional string

A SCIM filter expression that matches resources that should be provisioned to this application.

operations: optional object { create, delete, update }

Whether or not this mapping applies to creates, updates, or deletes.

create: optional boolean

Whether or not this mapping applies to create (POST) operations.

delete: optional boolean

Whether or not this mapping applies to DELETE operations.

update: optional boolean

Whether or not this mapping applies to update (PATCH/PUT) operations.

strictness: optional "strict" or "passthrough"

The level of adherence to outbound resource schemas when provisioning to this mapping. ‘Strict’ removes unknown values, while ‘passthrough’ passes unknown values to the target.

One of the following:
"strict"
"passthrough"
transform_jsonata: optional string

A JSONata expression that transforms the resource before provisioning it in the application.

service_auth_401_redirect: optional boolean

Returns a 401 status code when the request is blocked by a Service Auth policy.

session_duration: optional string

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

skip_interstitial: optional boolean

Enables automatic authentication through cloudflared.

updated_at: optional string
formatdate-time
use_clientless_isolation_app_launcher_url: optional boolean

Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

SaaSApplication object { id, allowed_idps, app_launcher_visible, 9 more }
id: optional string

UUID.

maxLength36
allowed_idps: optional array of AllowedIdPs

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

app_launcher_visible: optional boolean

Displays the application in the App Launcher.

aud: optional string

Audience tag.

maxLength64
auto_redirect_to_identity: optional boolean

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

created_at: optional string
formatdate-time
logo_url: optional string

The image URL for the logo shown in the App Launcher dashboard.

name: optional string

The name of the application.

saas_app: optional object { auth_type, consumer_service_url, created_at, 8 more } or object { access_token_lifetime, allow_pkce_without_client_secret, app_launcher_url, 13 more }
One of the following:
AccessSAMLSaaSApp2 object { auth_type, consumer_service_url, created_at, 8 more }
auth_type: optional "saml" or "oidc"

Optional identifier indicating the authentication protocol used for the SaaS app. Required for OIDC. Defaults to "saml" if unset.

One of the following:
"saml"
"oidc"
consumer_service_url: optional string

The service provider’s endpoint that is responsible for receiving and parsing a SAML assertion.

created_at: optional string
formatdate-time
custom_attributes: optional array of object { friendly_name, name, name_format, 2 more }
friendly_name: optional string

The SAML FriendlyName of the attribute.

name: optional string

The name of the attribute.

name_format: optional "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" or "urn:oasis:names:tc:SAML:2.0:attrname-format:basic" or "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"

A globally unique name for an identity or service provider.

One of the following:
"urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
"urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
"urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
required: optional boolean

If the attribute is required when building a SAML assertion.

source: optional object { name, name_by_idp }
name: optional string

The name of the IdP attribute.

name_by_idp: optional map[string]

A mapping from IdP ID to attribute name.