cloudflare

import * as Core from 'cloudflare/core'; import { APIResource } from 'cloudflare/resource'; import * as ApplicationsAPI from 'cloudflare/resources/zero-trust/access/applications/applications'; import * as CAsAPI from 'cloudflare/resources/zero-trust/access/applications/cas'; import * as PoliciesAPI from 'cloudflare/resources/zero-trust/access/applications/policies'; import * as UserPolicyChecksAPI from 'cloudflare/resources/zero-trust/access/applications/user-policy-checks'; import { SinglePage } from 'cloudflare/pagination'; export declare class Applications extends APIResource { cas: CAsAPI.CAs; userPolicyChecks: UserPolicyChecksAPI.UserPolicyChecks; policies: PoliciesAPI.Policies; /** * Adds a new application to Access. */ create(params: ApplicationCreateParams, options?: Core.RequestOptions): Core.APIPromise<ZeroTrustApps>; /** * Updates an Access application. */ update(appId: string | string, params: ApplicationUpdateParams, options?: Core.RequestOptions): Core.APIPromise<ZeroTrustApps>; /** * Lists all Access applications in an account or zone. */ list(params?: ApplicationListParams, options?: Core.RequestOptions): Core.PagePromise<ZeroTrustAppsSinglePage, ZeroTrustApps>; list(options?: Core.RequestOptions): Core.PagePromise<ZeroTrustAppsSinglePage, ZeroTrustApps>; /** * Deletes an application from Access. */ delete(appId: string | string, params?: ApplicationDeleteParams, options?: Core.RequestOptions): Core.APIPromise<ApplicationDeleteResponse>; delete(appId: string | string, options?: Core.RequestOptions): Core.APIPromise<ApplicationDeleteResponse>; /** * Fetches information about an Access application. */ get(appId: string | string, params?: ApplicationGetParams, options?: Core.RequestOptions): Core.APIPromise<ZeroTrustApps>; get(appId: string | string, options?: Core.RequestOptions): Core.APIPromise<ZeroTrustApps>; /** * Revokes all tokens issued for an application. */ revokeTokens(appId: string | string, params?: ApplicationRevokeTokensParams, options?: Core.RequestOptions): Core.APIPromise<ApplicationRevokeTokensResponse | null>; revokeTokens(appId: string | string, options?: Core.RequestOptions): Core.APIPromise<ApplicationRevokeTokensResponse | null>; } export declare class ZeroTrustAppsSinglePage extends SinglePage<ZeroTrustApps> { } export type ZeroTrustApps = ZeroTrustApps.SelfHostedApplication | ZeroTrustApps.SaaSApplication | ZeroTrustApps.BrowserSSHApplication | ZeroTrustApps.BrowserVncApplication | ZeroTrustApps.AppLauncherApplication | ZeroTrustApps.DeviceEnrollmentPermissionsApplication | ZeroTrustApps.BrowserIsolationPermissionsApplication | ZeroTrustApps.BookmarkApplication; export declare namespace ZeroTrustApps { interface SelfHostedApplication { /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain: string; /** * The application type. */ type: string; /** * UUID */ id?: string; /** * When set to true, users can authenticate to this application using their WARP * session. When set to false this application will always require direct IdP * authentication. This setting always overrides the organization setting for WARP * authentication. */ allow_authenticate_via_warp?: boolean; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<string>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; cors_headers?: SelfHostedApplication.CorsHeaders; created_at?: string; /** * The custom error message shown to a user when they are denied access to the * application. */ custom_deny_message?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing identity-based rules. */ custom_deny_url?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing non-identity rules. */ custom_non_identity_deny_url?: string; /** * The custom pages that will be displayed when applicable for this application */ custom_pages?: Array<string>; /** * Enables the binding cookie, which increases security against compromised * authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Enables the HttpOnly cookie attribute, which increases security against XSS * attacks. */ http_only_cookie_attribute?: boolean; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * Enables cookie paths to scope an application's JWT to the application path. If * disabled, the JWT will scope to the hostname by default */ path_cookie_attribute?: boolean; /** * Sets the SameSite cookie setting, which provides increased security against CSRF * attacks. */ same_site_cookie_attribute?: string; /** * List of domains that Access will secure. */ self_hosted_domains?: Array<string>; /** * Returns a 401 status code when the request is blocked by a Service Auth policy. */ service_auth_401_redirect?: boolean; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; /** * Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; /** * The tags you want assigned to an application. Tags are used to filter * applications in the App Launcher dashboard. */ tags?: Array<string>; updated_at?: string; } namespace SelfHostedApplication { interface CorsHeaders { /** * Allows all HTTP request headers. */ allow_all_headers?: boolean; /** * Allows all HTTP request methods. */ allow_all_methods?: boolean; /** * Allows all origins. */ allow_all_origins?: boolean; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS * client certificates) with requests. */ allow_credentials?: boolean; /** * Allowed HTTP request headers. */ allowed_headers?: Array<string>; /** * Allowed HTTP request methods. */ allowed_methods?: Array<'GET' | 'POST' | 'HEAD' | 'PUT' | 'DELETE' | 'CONNECT' | 'OPTIONS' | 'TRACE' | 'PATCH'>; /** * Allowed origins. */ allowed_origins?: Array<string>; /** * The maximum number of seconds the results of a preflight request can be cached. */ max_age?: number; } } interface SaaSApplication { /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<string>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The custom pages that will be displayed when applicable for this application */ custom_pages?: Array<string>; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; saas_app?: SaaSApplication.AccessSamlSaasApp | SaaSApplication.AccessOidcSaasApp; /** * The tags you want assigned to an application. Tags are used to filter * applications in the App Launcher dashboard. */ tags?: Array<string>; /** * The application type. */ type?: string; updated_at?: string; } namespace SaaSApplication { interface AccessSamlSaasApp { /** * Optional identifier indicating the authentication protocol used for the saas * app. Required for OIDC. Default if unset is "saml" */ auth_type?: 'saml' | 'oidc'; /** * The service provider's endpoint that is responsible for receiving and parsing a * SAML assertion. */ consumer_service_url?: string; created_at?: string; custom_attributes?: AccessSamlSaasApp.CustomAttributes; /** * The URL that the user will be redirected to after a successful login for IDP * initiated logins. */ default_relay_state?: string; /** * The unique identifier for your SaaS application. */ idp_entity_id?: string; /** * The format of the name identifier sent to the SaaS application. */ name_id_format?: 'id' | 'email'; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's * user identities into a NameID value for its SAML assertion. This expression * should evaluate to a singular string. The output of this expression can override * the `name_id_format` setting. */ name_id_transform_jsonata?: string; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * A [JSONata] (https://jsonata.org/) expression that transforms an application's * user identities into attribute assertions in the SAML response. The expression * can transform id, email, name, and groups values. It can also transform fields * listed in the saml_attributes or oidc_fields of the identity provider used to * authenticate. The output of this expression must be a JSON object. */ saml_attribute_transform_jsonata?: string; /** * A globally unique name for an identity or service provider. */ sp_entity_id?: string; /** * The endpoint where your SaaS application will send login requests. */ sso_endpoint?: string; updated_at?: string; } namespace AccessSamlSaasApp { interface CustomAttributes { /** * The name of the attribute. */ name?: string; /** * A globally unique name for an identity or service provider. */ name_format?: 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified' | 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic' | 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'; source?: CustomAttributes.Source; } namespace CustomAttributes { interface Source { /** * The name of the IdP attribute. */ name?: string; } } } interface AccessOidcSaasApp { /** * The URL where this applications tile redirects users */ app_launcher_url?: string; /** * Identifier of the authentication protocol used for the saas app. Required for * OIDC. */ auth_type?: 'saml' | 'oidc'; /** * The application client id */ client_id?: string; /** * The application client secret, only returned on POST request. */ client_secret?: string; created_at?: string; /** * The OIDC flows supported by this application */ grant_types?: Array<'authorization_code' | 'authorization_code_with_pkce'>; /** * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint */ group_filter_regex?: string; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * The permitted URL's for Cloudflare to return Authorization codes and Access/ID * tokens */ redirect_uris?: Array<string>; /** * Define the user information shared with access */ scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>; updated_at?: string; } } interface BrowserSSHApplication { /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain: string; /** * The application type. */ type: string; /** * UUID */ id?: string; /** * When set to true, users can authenticate to this application using their WARP * session. When set to false this application will always require direct IdP * authentication. This setting always overrides the organization setting for WARP * authentication. */ allow_authenticate_via_warp?: boolean; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<string>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; cors_headers?: BrowserSSHApplication.CorsHeaders; created_at?: string; /** * The custom error message shown to a user when they are denied access to the * application. */ custom_deny_message?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing identity-based rules. */ custom_deny_url?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing non-identity rules. */ custom_non_identity_deny_url?: string; /** * The custom pages that will be displayed when applicable for this application */ custom_pages?: Array<string>; /** * Enables the binding cookie, which increases security against compromised * authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Enables the HttpOnly cookie attribute, which increases security against XSS * attacks. */ http_only_cookie_attribute?: boolean; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * Enables cookie paths to scope an application's JWT to the application path. If * disabled, the JWT will scope to the hostname by default */ path_cookie_attribute?: boolean; /** * Sets the SameSite cookie setting, which provides increased security against CSRF * attacks. */ same_site_cookie_attribute?: string; /** * List of domains that Access will secure. */ self_hosted_domains?: Array<string>; /** * Returns a 401 status code when the request is blocked by a Service Auth policy. */ service_auth_401_redirect?: boolean; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; /** * Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; /** * The tags you want assigned to an application. Tags are used to filter * applications in the App Launcher dashboard. */ tags?: Array<string>; updated_at?: string; } namespace BrowserSSHApplication { interface CorsHeaders { /** * Allows all HTTP request headers. */ allow_all_headers?: boolean; /** * Allows all HTTP request methods. */ allow_all_methods?: boolean; /** * Allows all origins. */ allow_all_origins?: boolean; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS * client certificates) with requests. */ allow_credentials?: boolean; /** * Allowed HTTP request headers. */ allowed_headers?: Array<string>; /** * Allowed HTTP request methods. */ allowed_methods?: Array<'GET' | 'POST' | 'HEAD' | 'PUT' | 'DELETE' | 'CONNECT' | 'OPTIONS' | 'TRACE' | 'PATCH'>; /** * Allowed origins. */ allowed_origins?: Array<string>; /** * The maximum number of seconds the results of a preflight request can be cached. */ max_age?: number; } } interface BrowserVncApplication { /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain: string; /** * The application type. */ type: string; /** * UUID */ id?: string; /** * When set to true, users can authenticate to this application using their WARP * session. When set to false this application will always require direct IdP * authentication. This setting always overrides the organization setting for WARP * authentication. */ allow_authenticate_via_warp?: boolean; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<string>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; cors_headers?: BrowserVncApplication.CorsHeaders; created_at?: string; /** * The custom error message shown to a user when they are denied access to the * application. */ custom_deny_message?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing identity-based rules. */ custom_deny_url?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing non-identity rules. */ custom_non_identity_deny_url?: string; /** * The custom pages that will be displayed when applicable for this application */ custom_pages?: Array<string>; /** * Enables the binding cookie, which increases security against compromised * authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Enables the HttpOnly cookie attribute, which increases security against XSS * attacks. */ http_only_cookie_attribute?: boolean; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * Enables cookie paths to scope an application's JWT to the application path. If * disabled, the JWT will scope to the hostname by default */ path_cookie_attribute?: boolean; /** * Sets the SameSite cookie setting, which provides increased security against CSRF * attacks. */ same_site_cookie_attribute?: string; /** * List of domains that Access will secure. */ self_hosted_domains?: Array<string>; /** * Returns a 401 status code when the request is blocked by a Service Auth policy. */ service_auth_401_redirect?: boolean; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; /** * Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; /** * The tags you want assigned to an application. Tags are used to filter * applications in the App Launcher dashboard. */ tags?: Array<string>; updated_at?: string; } namespace BrowserVncApplication { interface CorsHeaders { /** * Allows all HTTP request headers. */ allow_all_headers?: boolean; /** * Allows all HTTP request methods. */ allow_all_methods?: boolean; /** * Allows all origins. */ allow_all_origins?: boolean; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS * client certificates) with requests. */ allow_credentials?: boolean; /** * Allowed HTTP request headers. */ allowed_headers?: Array<string>; /** * Allowed HTTP request methods. */ allowed_methods?: Array<'GET' | 'POST' | 'HEAD' | 'PUT' | 'DELETE' | 'CONNECT' | 'OPTIONS' | 'TRACE' | 'PATCH'>; /** * Allowed origins. */ allowed_origins?: Array<string>; /** * The maximum number of seconds the results of a preflight request can be cached. */ max_age?: number; } } interface AppLauncherApplication { /** * The application type. */ type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso'; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<string>; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain?: string; /** * The name of the application. */ name?: string; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; updated_at?: string; } interface DeviceEnrollmentPermissionsApplication { /** * The application type. */ type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso'; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<string>; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain?: string; /** * The name of the application. */ name?: string; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; updated_at?: string; } interface BrowserIsolationPermissionsApplication { /** * The application type. */ type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso'; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<string>; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain?: string; /** * The name of the application. */ name?: string; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; updated_at?: string; } interface BookmarkApplication { /** * UUID */ id?: string; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; created_at?: string; /** * The URL or domain of the bookmark. */ domain?: string; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * The tags you want assigned to an application. Tags are used to filter * applications in the App Launcher dashboard. */ tags?: Array<string>; /** * The application type. */ type?: string; updated_at?: string; } } export interface ApplicationDeleteResponse { /** * UUID */ id?: string; } export type ApplicationRevokeTokensResponse = unknown; export type ApplicationCreateParams = ApplicationCreateParams.SelfHostedApplication | ApplicationCreateParams.SaaSApplication | ApplicationCreateParams.BrowserSSHApplication | ApplicationCreateParams.BrowserVncApplication | ApplicationCreateParams.AppLauncherApplication | ApplicationCreateParams.DeviceEnrollmentPermissionsApplication | ApplicationCreateParams.BrowserIsolationPermissionsApplication | ApplicationCreateParams.BookmarkApplication; export declare namespace ApplicationCreateParams { interface SelfHostedApplication { /** * Body param: The primary hostname and path that Access will secure. If the app is * visible in the App Launcher dashboard, this is the domain that will be * displayed. */ domain: string; /** * Body param: The application type. */ type: string; /** * Path param: The Account ID to use for this endpoint. Mutually exclusive with the * Zone ID. */ account_id?: string; /** * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the * Account ID. */ zone_id?: string; /** * Body param: When set to true, users can authenticate to this application using * their WARP session. When set to false this application will always require * direct IdP authentication. This setting always overrides the organization * setting for WARP authentication. */ allow_authenticate_via_warp?: boolean; /** * Body param: The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<string>; /** * Body param: Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Body param: When set to `true`, users skip the identity provider selection step * during login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; /** * Body param: */ cors_headers?: ApplicationCreateParams.SelfHostedApplication.CorsHeaders; /** * Body param: The custom error message shown to a user when they are denied access * to the application. */ custom_deny_message?: string; /** * Body param: The custom URL a user is redirected to when they are denied access * to the application when failing identity-based rules. */ custom_deny_url?: string; /** * Body param: The custom URL a user is redirected to when they are denied access * to the application when failing non-identity rules. */ custom_non_identity_deny_url?: string; /** * Body param: The custom pages that will be displayed when applicable for this * application */ custom_pages?: Array<string>; /** * Body param: Enables the binding cookie, which increases security against * compromised authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Body param: Enables the HttpOnly cookie attribute, which increases security * against XSS attacks. */ http_only_cookie_attribute?: boolean; /** * Body param: The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * Body param: The name of the application. */ name?: string; /** * Body param: Enables cookie paths to scope an application's JWT to the * application path. If disabled, the JWT will scope to the hostname by default */ path_cookie_attribute?: boolean; /** * Body param: Sets the SameSite cookie setting, which provides increased security * against CSRF attacks. */ same_site_cookie_attribute?: string; /** * Body param: List of domains that Access will secure. */ self_hosted_domains?: Array<string>; /** * Body param: Returns a 401 status code when the request is blocked by a Service * Auth policy. */ service_auth_401_redirect?: boolean; /** * Body param: The amount of time that tokens issued for this application will be * valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us * (or µs), ms, s, m, h. */ session_duration?: string; /** * Body param: Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; /** * Body param: The tags you want assigned to an application. Tags are used to * filter applications in the App Launcher dashboard. */ tags?: Array<string>; } namespace SelfHostedApplication { interface CorsHeaders { /** * Allows all HTTP request headers. */ allow_all_headers?: boolean; /** * Allows all HTTP request methods. */ allow_all_methods?: boolean; /** * Allows all origins. */ allow_all_origins?: boolean; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS * client certificates) with requests. */ allow_credentials?: boolean; /** * Allowed HTTP request headers. */ allowed_headers?: Array<string>; /** * Allowed HTTP request methods. */ allowed_methods?: Array<'GET' | 'POST' | 'HEAD' | 'PUT' | 'DELETE' | 'CONNECT' | 'OPTIONS' | 'TRACE' | 'PATCH'>; /** * Allowed origins. */ allowed_origins?: Array<string>; /** * The maximum number of seconds the results of a preflight request can be cached. */ max_age?: number; } } interface SaaSApplication { /** * Path param: The Account ID to use for this endpoint. Mutually exclusive with the * Zone ID. */ account_id?: string; /** * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the * Account ID. */ zone_id?: string; /** * Body param: The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<string>; /** * Body param: Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Body param: When set to `true`, users skip the identity provider selection step * during login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; /** * Body param: The custom pages that will be displayed when applicable for this * application */ custom_pages?: Array<string>; /** * Body param: The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * Body param: The name of the application. */ name?: string; /** * Body param: */ saas_app?: ApplicationCreateParams.SaaSApplication.AccessSamlSaasApp | ApplicationCreateParams.SaaSApplication.AccessOidcSaasApp; /** * Body param: The tags you want assigned to an application. Tags are used to * filter applications in the App Launcher dashboard. */ tags?: Array<string>; /** * Body param: The application type. */ type?: string; } namespace SaaSApplication { interface AccessSamlSaasApp { /** * Optional identifier indicating the authentication protocol used for the saas * app. Required for OIDC. Default if unset is "saml" */ auth_type?: 'saml' | 'oidc'; /** * The service provider's endpoint that is responsible for receiving and parsing a * SAML assertion. */ consumer_service_url?: string; custom_attributes?: AccessSamlSaasApp.CustomAttributes; /** * The URL that the user will be redirected to after a successful login for IDP * initiated logins. */ default_relay_state?: string; /** * The unique identifier for your SaaS application. */ idp_entity_id?: string; /** * The format of the name identifier sent to the SaaS application. */ name_id_format?: 'id' | 'email'; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's * user identities into a NameID value for its SAML assertion. This expression * should evaluate to a singular string. The output of this expression can override * the `name_id_format` setting. */ name_id_transform_jsonata?: string; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * A [JSONata] (https://jsonata.org/) expression that transforms an application's * user identities into attribute assertions in the SAML response. The expression * can transform id, email, name, and groups values. It can also transform fields * listed in the saml_attributes or oidc_fields of the identity provider used to * authenticate. The output of this expression must be a JSON object. */ saml_attribute_transform_jsonata?: string; /** * A globally unique name for an identity or service provider. */ sp_entity_id?: string; /** * The endpoint where your SaaS application will send login requests. */ sso_endpoint?: string; } namespace AccessSamlSaasApp { interface CustomAttributes { /** * The name of the attribute. */ name?: string; /** * A globally unique name for an identity or service provider. */ name_format?: 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified' | 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic' | 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'; source?: CustomAttributes.Source; } namespace CustomAttributes { interface Source { /** * The name of the IdP attribute. */ name?: string; } } } interface AccessOidcSaasApp { /** * The URL where this applications tile redirects users */ app_launcher_url?: string; /** * Identifier of the authentication protocol used for the saas app. Required for * OIDC. */ auth_type?: 'saml' | 'oidc'; /** * The application client id */ client_id?: string; /** * The application client secret, only returned on POST request. */ client_secret?: string; /** * The OIDC flows supported by this application */ grant_types?: Array<'authorization_code' | 'authorization_code_with_pkce'>; /** * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint */ group_filter_regex?: string; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * The permitted URL's for Cloudflare to return Authorization codes and Access/ID * tokens */ redirect_uris?: Array<string>; /** * Define the user information shared with access */ scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>; } } interface BrowserSSHApplication { /** * Body param: The primary hostname and path that Access will secure. If the app is * visible in the App Launcher dashboard, this is the domain that will be * displayed. */ domain: string; /** * Body param: The application type. */ type: string; /** * Path param: The Account ID to use for this endpoint. Mutually exclusive with the * Zone ID. */ account_id?: string; /** * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the * Account ID. */ zone_id?: string; /** * Body param: When set to true, users can authenticate to this application using * their WARP session. When set to false this application will always require * direct IdP authentication. This setting always overrides the organization * setting for WARP authentication. */ allow_authenticate_via_warp?: boolean; /** * Body param: The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<string>; /** * Body param: Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Body param: When set to `true`, users skip the identity provider selection step * during login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; /** * Body param: */ cors_headers?: ApplicationCreateParams.BrowserSSHApplication.CorsHeaders; /** * Body param: The custom error message shown to a user when they are denied access * to the application. */ custom_deny_message?: string; /** * Body param: The custom URL a user is redirected to when they are denied access * to the application when failing identity-based rules. */ custom_deny_url?: string; /** * Body param: The custom URL a user is redirected to when they are denied access * to the application when failing non-identity rules. */ custom_non_identity_deny_url?: string; /** * Body param: The custom pages that will be displayed when applicable for this * application */ custom_pages?: Array<string>; /** * Body param: Enables the binding cookie, which increases security against * compromised authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Body param: Enables the HttpOnly cookie attribute, which increases security * against XSS attacks. */ http_only_cookie_attribute?: boolean; /** * Body param: The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * Body param: The name of the application. */ name?: string; /** * Body param: Enables cookie paths to scope an application's JWT to the * application path. If disabled, the JWT will scope to the hostname by default */ path_cookie_attribute?: boolean; /** * Body param: Sets the SameSite cookie setting, which provides increased security * against CSRF attacks. */ same_site_cookie_attribute?: string; /** * Body param: List of domains that Access will secure. */ self_hosted_domains?: Array<string>; /** * Body param: Returns a 401 status code when the request is blocked by a Service * Auth policy. */ service_auth_401_redirect?: boolean; /** * Body param: The amount of time that tokens issued for this application will be * valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us * (or µs), ms, s, m, h. */ session_duration?: string; /** * Body param: Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; /** * Body param: The tags you want assigned to an application. Tags are used to * filter applications in the App Launcher dashboard. */ tags?: Array<string>; } namespace BrowserSSHApplication { interface CorsHeaders { /** * Allows all HTTP request headers. */ allow_all_headers?: boolean; /** * Allows all HTTP request methods. */ allow_all_methods?: boolean; /** * Allows all origins. */ allow_all_origins?: boolean; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS * client certificates) with requests. */ allow_credentials?: boolean; /** * Allowed HTTP request headers. */ allowed_headers?: Array<string>; /** * Allowed HTTP request methods. */ allowed_methods?: Array<'GET' | 'POST' | 'HEAD' | 'PUT' | 'DELETE' | 'CONNECT' | 'OPTIONS' | 'TRACE' | 'PATCH'>; /** * Allowed origins. */ allowed_origins?: Array<string>; /** * The maximum number of seconds the results of a preflight request can be cached. */ max_age?: number; } } interface BrowserVncApplication { /** * Body param: The primary hostname and path that Access will secure. If the app is * visible in the App Launcher dashboard, this is the domain that will be * displayed. */ domain: string; /** * Body param: The application type. */ type: string; /** * Path param: The Account ID to use for this endpoint. Mutually exclu