cloudflare

import * as Core from 'cloudflare/core'; import { APIResource } from 'cloudflare/resource'; import * as ApplicationsAPI from 'cloudflare/resources/zero-trust/access/applications/applications'; import * as CAsAPI from 'cloudflare/resources/zero-trust/access/applications/cas'; import * as PoliciesAPI from 'cloudflare/resources/zero-trust/access/applications/policies'; import * as UserPolicyChecksAPI from 'cloudflare/resources/zero-trust/access/applications/user-policy-checks'; import { SinglePage } from 'cloudflare/pagination'; export declare class Applications extends APIResource { cas: CAsAPI.CAs; userPolicyChecks: UserPolicyChecksAPI.UserPolicyChecks; policies: PoliciesAPI.Policies; /** * Adds a new application to Access. */ create(params: ApplicationCreateParams, options?: Core.RequestOptions): Core.APIPromise<Application>; /** * Updates an Access application. */ update(appId: AppID, params: ApplicationUpdateParams, options?: Core.RequestOptions): Core.APIPromise<Application>; /** * Lists all Access applications in an account or zone. */ list(params?: ApplicationListParams, options?: Core.RequestOptions): Core.PagePromise<ApplicationsSinglePage, Application>; list(options?: Core.RequestOptions): Core.PagePromise<ApplicationsSinglePage, Application>; /** * Deletes an application from Access. */ delete(appId: AppID, params?: ApplicationDeleteParams, options?: Core.RequestOptions): Core.APIPromise<ApplicationDeleteResponse>; delete(appId: AppID, options?: Core.RequestOptions): Core.APIPromise<ApplicationDeleteResponse>; /** * Fetches information about an Access application. */ get(appId: AppID, params?: ApplicationGetParams, options?: Core.RequestOptions): Core.APIPromise<Application>; get(appId: AppID, options?: Core.RequestOptions): Core.APIPromise<Application>; /** * Revokes all tokens issued for an application. */ revokeTokens(appId: AppID, params?: ApplicationRevokeTokensParams, options?: Core.RequestOptions): Core.APIPromise<ApplicationRevokeTokensResponse | null>; revokeTokens(appId: AppID, options?: Core.RequestOptions): Core.APIPromise<ApplicationRevokeTokensResponse | null>; } export declare class ApplicationsSinglePage extends SinglePage<Application> { } export type AllowedHeadersh = string; /** * The identity providers selected for application. */ export type AllowedIdpsh = string; export type AllowedMethodsh = 'GET' | 'POST' | 'HEAD' | 'PUT' | 'DELETE' | 'CONNECT' | 'OPTIONS' | 'TRACE' | 'PATCH'; export type AllowedOriginsh = string; /** * Identifier */ export type AppID = string | string; export type Application = Application.SelfHostedApplication | Application.SaaSApplication | Application.BrowserSSHApplication | Application.BrowserVncApplication | Application.AppLauncherApplication | Application.DeviceEnrollmentPermissionsApplication | Application.BrowserIsolationPermissionsApplication | Application.BookmarkApplication; export declare namespace Application { interface SelfHostedApplication { /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain: string; /** * The application type. */ type: string; /** * UUID */ id?: string; /** * When set to true, users can authenticate to this application using their WARP * session. When set to false this application will always require direct IdP * authentication. This setting always overrides the organization setting for WARP * authentication. */ allow_authenticate_via_warp?: boolean; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdpsh>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; cors_headers?: ApplicationsAPI.CORSHeaders; created_at?: string; /** * The custom error message shown to a user when they are denied access to the * application. */ custom_deny_message?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing identity-based rules. */ custom_deny_url?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing non-identity rules. */ custom_non_identity_deny_url?: string; /** * The custom pages that will be displayed when applicable for this application */ custom_pages?: Array<ApplicationsAPI.CustomPagesh>; /** * Enables the binding cookie, which increases security against compromised * authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Enables the HttpOnly cookie attribute, which increases security against XSS * attacks. */ http_only_cookie_attribute?: boolean; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * Allows options preflight requests to bypass Access authentication and go * directly to the origin. Cannot turn on if cors_headers is set. */ options_preflight_bypass?: boolean; /** * Enables cookie paths to scope an application's JWT to the application path. If * disabled, the JWT will scope to the hostname by default */ path_cookie_attribute?: boolean; /** * Sets the SameSite cookie setting, which provides increased security against CSRF * attacks. */ same_site_cookie_attribute?: string; /** * List of domains that Access will secure. */ self_hosted_domains?: Array<ApplicationsAPI.SelfHostedDomainsh>; /** * Returns a 401 status code when the request is blocked by a Service Auth policy. */ service_auth_401_redirect?: boolean; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; /** * Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; /** * The tags you want assigned to an application. Tags are used to filter * applications in the App Launcher dashboard. */ tags?: Array<string>; updated_at?: string; } interface SaaSApplication { /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdpsh>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The custom pages that will be displayed when applicable for this application */ custom_pages?: Array<ApplicationsAPI.CustomPagesh>; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; saas_app?: ApplicationsAPI.SAMLSaaSApp | SaaSApplication.AccessOIDCSaaSApp; /** * The tags you want assigned to an application. Tags are used to filter * applications in the App Launcher dashboard. */ tags?: Array<string>; /** * The application type. */ type?: string; updated_at?: string; } namespace SaaSApplication { interface AccessOIDCSaaSApp { /** * The URL where this applications tile redirects users */ app_launcher_url?: string; /** * Identifier of the authentication protocol used for the saas app. Required for * OIDC. */ auth_type?: 'saml' | 'oidc'; /** * The application client id */ client_id?: string; /** * The application client secret, only returned on POST request. */ client_secret?: string; created_at?: string; custom_claims?: AccessOIDCSaaSApp.CustomClaims; /** * The OIDC flows supported by this application */ grant_types?: Array<'authorization_code' | 'authorization_code_with_pkce'>; /** * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint */ group_filter_regex?: string; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * The permitted URL's for Cloudflare to return Authorization codes and Access/ID * tokens */ redirect_uris?: Array<string>; /** * Define the user information shared with access */ scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>; updated_at?: string; } namespace AccessOIDCSaaSApp { interface CustomClaims { /** * The name of the claim. */ name?: string; /** * A mapping from IdP ID to claim name. */ name_by_idp?: Record<string, string>; /** * If the claim is required when building an OIDC token. */ required?: boolean; /** * The scope of the claim. */ scope?: 'groups' | 'profile' | 'email' | 'openid'; source?: CustomClaims.Source; } namespace CustomClaims { interface Source { /** * The name of the IdP claim. */ name?: string; } } } } interface BrowserSSHApplication { /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain: string; /** * The application type. */ type: string; /** * UUID */ id?: string; /** * When set to true, users can authenticate to this application using their WARP * session. When set to false this application will always require direct IdP * authentication. This setting always overrides the organization setting for WARP * authentication. */ allow_authenticate_via_warp?: boolean; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdpsh>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; cors_headers?: ApplicationsAPI.CORSHeaders; created_at?: string; /** * The custom error message shown to a user when they are denied access to the * application. */ custom_deny_message?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing identity-based rules. */ custom_deny_url?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing non-identity rules. */ custom_non_identity_deny_url?: string; /** * The custom pages that will be displayed when applicable for this application */ custom_pages?: Array<ApplicationsAPI.CustomPagesh>; /** * Enables the binding cookie, which increases security against compromised * authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Enables the HttpOnly cookie attribute, which increases security against XSS * attacks. */ http_only_cookie_attribute?: boolean; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * Allows options preflight requests to bypass Access authentication and go * directly to the origin. Cannot turn on if cors_headers is set. */ options_preflight_bypass?: boolean; /** * Enables cookie paths to scope an application's JWT to the application path. If * disabled, the JWT will scope to the hostname by default */ path_cookie_attribute?: boolean; /** * Sets the SameSite cookie setting, which provides increased security against CSRF * attacks. */ same_site_cookie_attribute?: string; /** * List of domains that Access will secure. */ self_hosted_domains?: Array<ApplicationsAPI.SelfHostedDomainsh>; /** * Returns a 401 status code when the request is blocked by a Service Auth policy. */ service_auth_401_redirect?: boolean; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; /** * Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; /** * The tags you want assigned to an application. Tags are used to filter * applications in the App Launcher dashboard. */ tags?: Array<string>; updated_at?: string; } interface BrowserVncApplication { /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain: string; /** * The application type. */ type: string; /** * UUID */ id?: string; /** * When set to true, users can authenticate to this application using their WARP * session. When set to false this application will always require direct IdP * authentication. This setting always overrides the organization setting for WARP * authentication. */ allow_authenticate_via_warp?: boolean; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdpsh>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; cors_headers?: ApplicationsAPI.CORSHeaders; created_at?: string; /** * The custom error message shown to a user when they are denied access to the * application. */ custom_deny_message?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing identity-based rules. */ custom_deny_url?: string; /** * The custom URL a user is redirected to when they are denied access to the * application when failing non-identity rules. */ custom_non_identity_deny_url?: string; /** * The custom pages that will be displayed when applicable for this application */ custom_pages?: Array<ApplicationsAPI.CustomPagesh>; /** * Enables the binding cookie, which increases security against compromised * authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Enables the HttpOnly cookie attribute, which increases security against XSS * attacks. */ http_only_cookie_attribute?: boolean; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * Allows options preflight requests to bypass Access authentication and go * directly to the origin. Cannot turn on if cors_headers is set. */ options_preflight_bypass?: boolean; /** * Enables cookie paths to scope an application's JWT to the application path. If * disabled, the JWT will scope to the hostname by default */ path_cookie_attribute?: boolean; /** * Sets the SameSite cookie setting, which provides increased security against CSRF * attacks. */ same_site_cookie_attribute?: string; /** * List of domains that Access will secure. */ self_hosted_domains?: Array<ApplicationsAPI.SelfHostedDomainsh>; /** * Returns a 401 status code when the request is blocked by a Service Auth policy. */ service_auth_401_redirect?: boolean; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; /** * Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; /** * The tags you want assigned to an application. Tags are used to filter * applications in the App Launcher dashboard. */ tags?: Array<string>; updated_at?: string; } interface AppLauncherApplication { /** * The application type. */ type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso'; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdpsh>; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain?: string; /** * The name of the application. */ name?: string; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; updated_at?: string; } interface DeviceEnrollmentPermissionsApplication { /** * The application type. */ type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso'; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdpsh>; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain?: string; /** * The name of the application. */ name?: string; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; updated_at?: string; } interface BrowserIsolationPermissionsApplication { /** * The application type. */ type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso'; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdpsh>; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The primary hostname and path that Access will secure. If the app is visible in * the App Launcher dashboard, this is the domain that will be displayed. */ domain?: string; /** * The name of the application. */ name?: string; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; updated_at?: string; } interface BookmarkApplication { /** * UUID */ id?: string; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; created_at?: string; /** * The URL or domain of the bookmark. */ domain?: string; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * The tags you want assigned to an application. Tags are used to filter * applications in the App Launcher dashboard. */ tags?: Array<string>; /** * The application type. */ type?: string; updated_at?: string; } } export interface CORSHeaders { /** * Allows all HTTP request headers. */ allow_all_headers?: boolean; /** * Allows all HTTP request methods. */ allow_all_methods?: boolean; /** * Allows all origins. */ allow_all_origins?: boolean; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS * client certificates) with requests. */ allow_credentials?: boolean; /** * Allowed HTTP request headers. */ allowed_headers?: Array<AllowedHeadersh>; /** * Allowed HTTP request methods. */ allowed_methods?: Array<AllowedMethodsh>; /** * Allowed origins. */ allowed_origins?: Array<AllowedOriginsh>; /** * The maximum number of seconds the results of a preflight request can be cached. */ max_age?: number; } /** * The custom pages selected for application. */ export type CustomPagesh = string; /** * A globally unique name for an identity or service provider. */ export type SaaSAppNameFormat = 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified' | 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic' | 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'; /** * The format of the name identifier sent to the SaaS application. */ export type SaaSAppNameIDFormat = 'id' | 'email'; export interface SaaSAppSource { /** * The name of the IdP attribute. */ name?: string; /** * A mapping from IdP ID to attribute name. */ name_by_idp?: Record<string, string>; } export interface SAMLSaaSApp { /** * Optional identifier indicating the authentication protocol used for the saas * app. Required for OIDC. Default if unset is "saml" */ auth_type?: 'saml' | 'oidc'; /** * The service provider's endpoint that is responsible for receiving and parsing a * SAML assertion. */ consumer_service_url?: string; created_at?: string; custom_attributes?: SAMLSaaSApp.CustomAttributes; /** * The URL that the user will be redirected to after a successful login for IDP * initiated logins. */ default_relay_state?: string; /** * The unique identifier for your SaaS application. */ idp_entity_id?: string; /** * The format of the name identifier sent to the SaaS application. */ name_id_format?: SaaSAppNameIDFormat; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's * user identities into a NameID value for its SAML assertion. This expression * should evaluate to a singular string. The output of this expression can override * the `name_id_format` setting. */ name_id_transform_jsonata?: string; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * A [JSONata] (https://jsonata.org/) expression that transforms an application's * user identities into attribute assertions in the SAML response. The expression * can transform id, email, name, and groups values. It can also transform fields * listed in the saml_attributes or oidc_fields of the identity provider used to * authenticate. The output of this expression must be a JSON object. */ saml_attribute_transform_jsonata?: string; /** * A globally unique name for an identity or service provider. */ sp_entity_id?: string; /** * The endpoint where your SaaS application will send login requests. */ sso_endpoint?: string; updated_at?: string; } export declare namespace SAMLSaaSApp { interface CustomAttributes { /** * The SAML FriendlyName of the attribute. */ friendly_name?: string; /** * The name of the attribute. */ name?: string; /** * A globally unique name for an identity or service provider. */ name_format?: ApplicationsAPI.SaaSAppNameFormat; /** * If the attribute is required when building a SAML assertion. */ required?: boolean; source?: ApplicationsAPI.SaaSAppSource; } } /** * A domain that Access will secure. */ export type SelfHostedDomainsh = string; export interface ApplicationDeleteResponse { /** * UUID */ id?: string; } export type ApplicationRevokeTokensResponse = unknown; export type ApplicationCreateParams = ApplicationCreateParams.SelfHostedApplication | ApplicationCreateParams.SaaSApplication | ApplicationCreateParams.BrowserSSHApplication | ApplicationCreateParams.BrowserVncApplication | ApplicationCreateParams.AppLauncherApplication | ApplicationCreateParams.DeviceEnrollmentPermissionsApplication | ApplicationCreateParams.BrowserIsolationPermissionsApplication | ApplicationCreateParams.BookmarkApplication; export declare namespace ApplicationCreateParams { interface SelfHostedApplication { /** * Body param: The primary hostname and path that Access will secure. If the app is * visible in the App Launcher dashboard, this is the domain that will be * displayed. */ domain: string; /** * Body param: The application type. */ type: string; /** * Path param: The Account ID to use for this endpoint. Mutually exclusive with the * Zone ID. */ account_id?: string; /** * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the * Account ID. */ zone_id?: string; /** * Body param: When set to true, users can authenticate to this application using * their WARP session. When set to false this application will always require * direct IdP authentication. This setting always overrides the organization * setting for WARP authentication. */ allow_authenticate_via_warp?: boolean; /** * Body param: The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<AllowedIdpsh>; /** * Body param: Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Body param: When set to `true`, users skip the identity provider selection step * during login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; /** * Body param: */ cors_headers?: CORSHeaders; /** * Body param: The custom error message shown to a user when they are denied access * to the application. */ custom_deny_message?: string; /** * Body param: The custom URL a user is redirected to when they are denied access * to the application when failing identity-based rules. */ custom_deny_url?: string; /** * Body param: The custom URL a user is redirected to when they are denied access * to the application when failing non-identity rules. */ custom_non_identity_deny_url?: string; /** * Body param: The custom pages that will be displayed when applicable for this * application */ custom_pages?: Array<CustomPagesh>; /** * Body param: Enables the binding cookie, which increases security against * compromised authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Body param: Enables the HttpOnly cookie attribute, which increases security * against XSS attacks. */ http_only_cookie_attribute?: boolean; /** * Body param: The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * Body param: The name of the application. */ name?: string; /** * Body param: Allows options preflight requests to bypass Access authentication * and go directly to the origin. Cannot turn on if cors_headers is set. */ options_preflight_bypass?: boolean; /** * Body param: Enables cookie paths to scope an application's JWT to the * application path. If disabled, the JWT will scope to the hostname by default */ path_cookie_attribute?: boolean; /** * Body param: Sets the SameSite cookie setting, which provides increased security * against CSRF attacks. */ same_site_cookie_attribute?: string; /** * Body param: List of domains that Access will secure. */ self_hosted_domains?: Array<SelfHostedDomainsh>; /** * Body param: Returns a 401 status code when the request is blocked by a Service * Auth policy. */ service_auth_401_redirect?: boolean; /** * Body param: The amount of time that tokens issued for this application will be * valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us * (or µs), ms, s, m, h. */ session_duration?: string; /** * Body param: Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; /** * Body param: The tags you want assigned to an application. Tags are used to * filter applications in the App Launcher dashboard. */ tags?: Array<string>; } interface SaaSApplication { /** * Path param: The Account ID to use for this endpoint. Mutually exclusive with the * Zone ID. */ account_id?: string; /** * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the * Account ID. */ zone_id?: string; /** * Body param: The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<AllowedIdpsh>; /** * Body param: Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Body param: When set to `true`, users skip the identity provider selection step * during login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; /** * Body param: The custom pages that will be displayed when applicable for this * application */ custom_pages?: Array<CustomPagesh>; /** * Body param: The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * Body param: The name of the application. */ name?: string; /** * Body param: */ saas_app?: SAMLSaaSApp | ApplicationCreateParams.SaaSApplication.AccessOIDCSaaSApp; /** * Body param: The tags you want assigned to an application. Tags are used to * filter applications in the App Launcher dashboard. */ tags?: Array<string>; /** * Body param: The application type. */ type?: string; } namespace SaaSApplication { interface AccessOIDCSaaSApp { /** * The URL where this applications tile redirects users */ app_launcher_url?: string; /** * Identifier of the authentication protocol used for the saas app. Required for * OIDC. */ auth_type?: 'saml' | 'oidc'; /** * The application client id */ client_id?: string; /** * The application client secret, only returned on POST request. */ client_secret?: string; custom_claims?: AccessOIDCSaaSApp.CustomClaims; /** * The OIDC flows supported by this application */ grant_types?: Array<'authorization_code' | 'authorization_code_with_pkce'>; /** * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint */ group_filter_regex?: string; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * The permitted URL's for Cloudflare to return Authorization codes and Access/ID * tokens */ redirect_uris?: Array<string>; /** * Define the user information shared with access */ scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>; } namespace AccessOIDCSaaSApp { interface CustomClaims { /** * The name of the claim. */ name?: string; /** * A mapping from IdP ID to claim name. */ name_by_idp?: Record<string, string>; /** * If the claim is required when building an OIDC token. */ required?: boolean; /** * The scope of the claim. */ scope?: 'groups' | 'profile' | 'email' | 'openid'; source?: CustomClaims.Source; } namespace CustomClaims { interface Source { /** * The name of the IdP claim. */ name?: string; } } } } interface BrowserSSHApplication { /** * Body param: The primary hostname and path that Access will secure. If the app is * visible in the App Launcher dashboard, this is the domain that will be * displayed. */ domain: string; /** * Body param: The application type. */ type: string; /** * Path param: The Account ID to use for this endpoint. Mutually exclusive with the * Zone ID. */ account_id?: string; /** * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the * Account ID. */ zone_id?: string; /** * Body param: When set to true, users can authenticate to this application using * their WARP session. When set to false this application will always require * direct IdP authentication. This setting always overrides the organization * setting for WARP authentication. */ allow_authenticate_via_warp?: boolean; /** * Body param: The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<AllowedIdpsh>; /** * Body param: Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Body param: When set to `true`, users skip the identity provider selection step * during login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; /** * Body param: */ cors_headers?: CORSHeaders; /** * Body param: The custom error message shown to a user when they are denied access * to the application. */ custom_deny_message?: string; /** * Body param: The custom URL a user is redirected to when they are denied access * to the application when failing identity-based rules. */ custom_deny_url?: string; /** * Body param: The custom URL a user is redirected to when they are denied access * to the application when failing non-identity rules. */ custom_non_identity_deny_url?: string; /** * Body param: The custom pages that will be displayed when applicable for this * application */ custom_pages?: Array<CustomPagesh>; /** * Body param: Enables the binding cookie, which increases security against * compromised authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Body param: Enables the HttpOnly cookie attribute, which increases security * against XSS attacks. */ http_only_cookie_attribute?: boolean; /** * Body param: The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * Body param: The name of the application. */ name?: string; /** * Body param: Allows options preflight requests to bypass Access authentication * and go directly to the origin. Cannot turn on if cors_headers is set. */ options_preflight_bypass?: boolean; /** * Body param: Enables cookie paths to scope an application's JWT to the * application path. If disabled, the JWT will scope to the hostname by default */ path_cookie_attribute?: boolean; /** * Body param: Sets the SameSite cookie setting, which provides increased security * against CSRF attacks. */ same_site_cookie_attribute?: string; /** * Body param: List of domains that Access will secure. */ self_hosted_domains?: Array<SelfHostedDomainsh>; /** * Body param: Returns a 401 status code when the request is blocked by a Service * Auth policy. */ service_auth_401_redirect?: boolean; /** * Body param: The amount of time that tokens issued for this application will be * valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us * (or µs), ms, s, m, h. */ session_duration?: string; /** * Body param: Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; /** * Body param: The tags you want assigned to an application. Tags are used to * filter applications in the App Launcher dashboard. */ tags?: Array<string>; } interface BrowserVncApplication { /** * Body param: The primary hostname and path that Access will secure. If the app is * visible in the App Launcher dashboard, this is the domain that will be * displayed. */ domain: string; /** * Body param: The application type. */ type: string; /** * Path param: The Account ID to use for this endpoint. Mutually exclusive with the * Zone ID. */ account_id?: string; /** * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the * Account ID. */ zone_id?: string; /** * Body param: When set to true, users can authenticate to this application using * their WARP session. When set to false this application will always require * direct IdP authentication. This setting always overrides the organization * setting for WARP authentication. */ allow_authenticate_via_warp?: boolean; /** * Body param: The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<AllowedIdpsh>; /** * Body param: Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Body param: When set to `true`, users skip the identity provider selection step * during login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; /** * Body param: */ cors_headers?: CORSHeaders; /** * Body param: The custom error message shown to a user when they are denied access * to the application. */ custom_deny_message?: string; /** * Body param: The custom URL a user is redirected to when they are denied access * to the application when failing identity-based rules. */ custom_deny_url?: string; /** * Body param: The custom URL a user is redirected to when they are denied access * to the application when failing non-identity rules. */ custom_non_identity_deny_url?: string; /** * Body param: The custom pages that will be displayed when applicable for this * application */ custom_pages?: Array<CustomPagesh>; /** * Body param: Enables the binding cookie, which increases security against * compromised authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Body param: Enables the HttpOnly cookie attribute, which increases security * against XSS attacks. */ http_only_cookie_attribute?: boolean; /** * Body param: The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * Body param: The name of the application. */ name?: string; /** * Body param: Allows options preflight requests to bypass Access authentication * and go directly to the origin. Cannot turn on if cors_headers is set. */ options_preflight_bypass?: boolean; /** * Body param: Enables cookie paths to scope an application's JWT to the * application path. If disabled, the JWT will scope to the hostname by default */ path_cookie_attribute?: boolean; /** * Body param: Sets the SameSite cookie setting, which provides increased security * against CSRF attacks. */ same_site_cookie_attribute?: string; /** * Body param: List of domains that Access will secure. */ self_hosted_domains?: Array<SelfHostedDomainsh>; /** * Body param: Returns a 401 status code when the request is blocked by a Service * Auth policy. */ service_auth_401_redirect?: boolean; /** * Body param: The amount of time that tokens issued for this application will be * valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us * (or µs), ms, s, m, h. */ session_duration?: string; /** * Body param: Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; /** * Body param: The tags you want assigned to an application. Tags are used to * filter applications in the App Launcher dashboard. */ tags?: Array<string>; } interface AppLauncherApplication { /** * Body param: The application type. */ type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso'; /** * Path param: The Account ID to use for this endpoint. Mutually exclusive with the * Zone ID. */ account_id?: string; /** * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the * Account ID.