cloudflare

import { APIResource } from "../../../../resource.js"; import * as Core from "../../../../core.js"; import * as ApplicationsAPI from "./applications.js"; import * as PoliciesAPI from "../policies.js"; import * as CAsAPI from "./cas.js"; import { CA, CACreateParams, CADeleteParams, CADeleteResponse, CAGetParams, CAListParams, CAs, CAsSinglePage } from "./cas.js"; import * as ApplicationsPoliciesAPI from "./policies.js"; import { AccessDevicePostureRule, AccessRule, AnyValidServiceTokenRule, AuthenticationMethodRule, AzureGroupRule, CertificateRule, CountryRule, DomainRule, EmailListRule, EmailRule, EveryoneRule, ExternalEvaluationRule, GSuiteGroupRule, GitHubOrganizationRule, GroupRule, IPListRule, IPRule, OktaGroupRule, Policies, PolicyCreateParams, PolicyCreateResponse, PolicyDeleteParams, PolicyDeleteResponse, PolicyGetParams, PolicyGetResponse, PolicyListParams, PolicyListResponse, PolicyListResponsesSinglePage, PolicyUpdateParams, PolicyUpdateResponse, SAMLGroupRule, ServiceTokenRule } from "./policies.js"; import * as UserPolicyChecksAPI from "./user-policy-checks.js"; import { UserPolicyCheckGeo, UserPolicyCheckListParams, UserPolicyCheckListResponse, UserPolicyChecks } from "./user-policy-checks.js"; import * as PolicyTestsAPI from "./policy-tests/policy-tests.js"; import { PolicyTestCreateParams, PolicyTestCreateResponse, PolicyTestGetParams, PolicyTestGetResponse, PolicyTests } from "./policy-tests/policy-tests.js"; import { SinglePage } from "../../../../pagination.js"; export declare class Applications extends APIResource { cas: CAsAPI.CAs; userPolicyChecks: UserPolicyChecksAPI.UserPolicyChecks; policies: ApplicationsPoliciesAPI.Policies; policyTests: PolicyTestsAPI.PolicyTests; /** * Adds a new application to Access. */ create(params: ApplicationCreateParams, options?: Core.RequestOptions): Core.APIPromise<ApplicationCreateResponse>; /** * Updates an Access application. */ update(appId: AppIDParam, params: ApplicationUpdateParams, options?: Core.RequestOptions): Core.APIPromise<ApplicationUpdateResponse>; /** * Lists all Access applications in an account or zone. */ list(params?: ApplicationListParams, options?: Core.RequestOptions): Core.PagePromise<ApplicationListResponsesSinglePage, ApplicationListResponse>; list(options?: Core.RequestOptions): Core.PagePromise<ApplicationListResponsesSinglePage, ApplicationListResponse>; /** * Deletes an application from Access. */ delete(appId: AppIDParam, params?: ApplicationDeleteParams, options?: Core.RequestOptions): Core.APIPromise<ApplicationDeleteResponse>; delete(appId: AppIDParam, options?: Core.RequestOptions): Core.APIPromise<ApplicationDeleteResponse>; /** * Fetches information about an Access application. */ get(appId: AppIDParam, params?: ApplicationGetParams, options?: Core.RequestOptions): Core.APIPromise<ApplicationGetResponse>; get(appId: AppIDParam, options?: Core.RequestOptions): Core.APIPromise<ApplicationGetResponse>; /** * Revokes all tokens issued for an application. */ revokeTokens(appId: AppIDParam, params?: ApplicationRevokeTokensParams, options?: Core.RequestOptions): Core.APIPromise<ApplicationRevokeTokensResponse | null>; revokeTokens(appId: AppIDParam, options?: Core.RequestOptions): Core.APIPromise<ApplicationRevokeTokensResponse | null>; } export declare class ApplicationListResponsesSinglePage extends SinglePage<ApplicationListResponse> { } export type AllowedHeaders = string; export type AllowedHeadersParam = string; /** * The identity providers selected for application. */ export type AllowedIdPs = string; /** * The identity providers selected for application. */ export type AllowedIdPsParam = string; export type AllowedMethods = 'GET' | 'POST' | 'HEAD' | 'PUT' | 'DELETE' | 'CONNECT' | 'OPTIONS' | 'TRACE' | 'PATCH'; export type AllowedMethodsParam = 'GET' | 'POST' | 'HEAD' | 'PUT' | 'DELETE' | 'CONNECT' | 'OPTIONS' | 'TRACE' | 'PATCH'; export type AllowedOrigins = string; export type AllowedOriginsParam = string; /** * Identifier */ export type AppID = string; /** * Identifier */ export type AppIDParam = string; export type Application = Application.SelfHostedApplication | Application.SaaSApplication | Application.BrowserSSHApplication | Application.BrowserVNCApplication | Application.AppLauncherApplication | Application.DeviceEnrollmentPermissionsApplication | Application.BrowserIsolationPermissionsApplication | Application.BookmarkApplication; export declare namespace Application { interface SelfHostedApplication { /** * The domain and path that Access will secure. */ domain: string; /** * The application type. */ type: string; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; cors_headers?: SelfHostedApplication.CORSHeaders; created_at?: string; /** * The custom error message shown to a user when they are denied access to the * application. */ custom_deny_message?: string; /** * The custom URL a user is redirected to when they are denied access to the * application. */ custom_deny_url?: string; /** * Enables the binding cookie, which increases security against compromised * authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Enables the HttpOnly cookie attribute, which increases security against XSS * attacks. */ http_only_cookie_attribute?: boolean; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * Allows options preflight requests to bypass Access authentication and go * directly to the origin. Cannot turn on if cors_headers is set. */ options_preflight_bypass?: boolean; /** * Sets the SameSite cookie setting, which provides increased security against CSRF * attacks. */ same_site_cookie_attribute?: string; /** * Configuration for provisioning to this application via SCIM. This is currently * in closed beta. */ scim_config?: ApplicationsAPI.ApplicationSCIMConfig; /** * Returns a 401 status code when the request is blocked by a Service Auth policy. */ service_auth_401_redirect?: boolean; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; /** * Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; updated_at?: string; } namespace SelfHostedApplication { interface CORSHeaders { /** * Allows all HTTP request headers. */ allow_all_headers?: boolean; /** * Allows all HTTP request methods. */ allow_all_methods?: boolean; /** * Allows all origins. */ allow_all_origins?: boolean; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS * client certificates) with requests. */ allow_credentials?: boolean; /** * Allowed HTTP request headers. */ allowed_headers?: Array<unknown>; /** * Allowed HTTP request methods. */ allowed_methods?: Array<ApplicationsAPI.AllowedMethods>; /** * Allowed origins. */ allowed_origins?: Array<unknown>; /** * The maximum number of seconds the results of a preflight request can be cached. */ max_age?: number; } } interface SaaSApplication { /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; saas_app?: SaaSApplication.AccessSchemasSAMLSaaSApp | SaaSApplication.AccessSchemasOIDCSaaSApp; /** * Configuration for provisioning to this application via SCIM. This is currently * in closed beta. */ scim_config?: ApplicationsAPI.ApplicationSCIMConfig; /** * The application type. */ type?: string; updated_at?: string; } namespace SaaSApplication { interface AccessSchemasSAMLSaaSApp { /** * Optional identifier indicating the authentication protocol used for the saas * app. Required for OIDC. Default if unset is "saml" */ auth_type?: 'saml' | 'oidc'; /** * The service provider's endpoint that is responsible for receiving and parsing a * SAML assertion. */ consumer_service_url?: string; created_at?: string; custom_attributes?: Array<AccessSchemasSAMLSaaSApp.CustomAttribute>; /** * The unique identifier for your SaaS application. */ idp_entity_id?: string; /** * The format of the name identifier sent to the SaaS application. */ name_id_format?: ApplicationsAPI.SaaSAppNameIDFormat; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's * user identities into a NameID value for its SAML assertion. This expression * should evaluate to a singular string. The output of this expression can override * the `name_id_format` setting. */ name_id_transform_jsonata?: string; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * A globally unique name for an identity or service provider. */ sp_entity_id?: string; /** * The endpoint where your SaaS application will send login requests. */ sso_endpoint?: string; updated_at?: string; } namespace AccessSchemasSAMLSaaSApp { interface CustomAttribute { /** * The SAML FriendlyName of the attribute. */ friendly_name?: string; /** * The name of the attribute. */ name?: string; /** * A globally unique name for an identity or service provider. */ name_format?: 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified' | 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic' | 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri'; /** * If the attribute is required when building a SAML assertion. */ required?: boolean; source?: CustomAttribute.Source; } namespace CustomAttribute { interface Source { /** * The name of the IdP attribute. */ name?: string; /** * A mapping from IdP ID to attribute name. */ name_by_idp?: Record<string, string>; } } } interface AccessSchemasOIDCSaaSApp { /** * The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must * be greater than or equal to 1m and less than or equal to 24h. */ access_token_lifetime?: string; /** * If client secret should be required on the token endpoint when * authorization_code_with_pkce grant is used. */ allow_pkce_without_client_secret?: boolean; /** * The URL where this applications tile redirects users */ app_launcher_url?: string; /** * Identifier of the authentication protocol used for the saas app. Required for * OIDC. */ auth_type?: 'saml' | 'oidc'; /** * The application client id */ client_id?: string; /** * The application client secret, only returned on POST request. */ client_secret?: string; created_at?: string; custom_claims?: Array<AccessSchemasOIDCSaaSApp.CustomClaim>; /** * The OIDC flows supported by this application */ grant_types?: Array<'authorization_code' | 'authorization_code_with_pkce' | 'refresh_tokens' | 'hybrid' | 'implicit'>; /** * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint. */ group_filter_regex?: string; hybrid_and_implicit_options?: AccessSchemasOIDCSaaSApp.HybridAndImplicitOptions; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * The permitted URL's for Cloudflare to return Authorization codes and Access/ID * tokens */ redirect_uris?: Array<string>; refresh_token_options?: AccessSchemasOIDCSaaSApp.RefreshTokenOptions; /** * Define the user information shared with access, "offline_access" scope will be * automatically enabled if refresh tokens are enabled */ scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>; updated_at?: string; } namespace AccessSchemasOIDCSaaSApp { interface CustomClaim { /** * The name of the claim. */ name?: string; /** * If the claim is required when building an OIDC token. */ required?: boolean; /** * The scope of the claim. */ scope?: 'groups' | 'profile' | 'email' | 'openid'; source?: CustomClaim.Source; } namespace CustomClaim { interface Source { /** * The name of the IdP claim. */ name?: string; /** * A mapping from IdP ID to attribute name. */ name_by_idp?: Array<Source.NameByIdP>; } namespace Source { interface NameByIdP { /** * The UID of the IdP. */ idp_id?: string; /** * The name of the IdP provided attribute. */ source_name?: string; } } } interface HybridAndImplicitOptions { /** * If an Access Token should be returned from the OIDC Authorization endpoint */ return_access_token_from_authorization_endpoint?: boolean; /** * If an ID Token should be returned from the OIDC Authorization endpoint */ return_id_token_from_authorization_endpoint?: boolean; } interface RefreshTokenOptions { /** * How long a refresh token will be valid for after creation. Valid units are * m,h,d. Must be longer than 1m. */ lifetime?: string; } } } interface BrowserSSHApplication { /** * The domain and path that Access will secure. */ domain: string; /** * The application type. */ type: string; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; cors_headers?: BrowserSSHApplication.CORSHeaders; created_at?: string; /** * The custom error message shown to a user when they are denied access to the * application. */ custom_deny_message?: string; /** * The custom URL a user is redirected to when they are denied access to the * application. */ custom_deny_url?: string; /** * Enables the binding cookie, which increases security against compromised * authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Enables the HttpOnly cookie attribute, which increases security against XSS * attacks. */ http_only_cookie_attribute?: boolean; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * Allows options preflight requests to bypass Access authentication and go * directly to the origin. Cannot turn on if cors_headers is set. */ options_preflight_bypass?: boolean; /** * Sets the SameSite cookie setting, which provides increased security against CSRF * attacks. */ same_site_cookie_attribute?: string; /** * Configuration for provisioning to this application via SCIM. This is currently * in closed beta. */ scim_config?: ApplicationsAPI.ApplicationSCIMConfig; /** * Returns a 401 status code when the request is blocked by a Service Auth policy. */ service_auth_401_redirect?: boolean; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; /** * Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; updated_at?: string; } namespace BrowserSSHApplication { interface CORSHeaders { /** * Allows all HTTP request headers. */ allow_all_headers?: boolean; /** * Allows all HTTP request methods. */ allow_all_methods?: boolean; /** * Allows all origins. */ allow_all_origins?: boolean; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS * client certificates) with requests. */ allow_credentials?: boolean; /** * Allowed HTTP request headers. */ allowed_headers?: Array<unknown>; /** * Allowed HTTP request methods. */ allowed_methods?: Array<ApplicationsAPI.AllowedMethods>; /** * Allowed origins. */ allowed_origins?: Array<unknown>; /** * The maximum number of seconds the results of a preflight request can be cached. */ max_age?: number; } } interface BrowserVNCApplication { /** * The domain and path that Access will secure. */ domain: string; /** * The application type. */ type: string; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>; /** * Displays the application in the App Launcher. */ app_launcher_visible?: boolean; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; cors_headers?: BrowserVNCApplication.CORSHeaders; created_at?: string; /** * The custom error message shown to a user when they are denied access to the * application. */ custom_deny_message?: string; /** * The custom URL a user is redirected to when they are denied access to the * application. */ custom_deny_url?: string; /** * Enables the binding cookie, which increases security against compromised * authorization tokens and CSRF attacks. */ enable_binding_cookie?: boolean; /** * Enables the HttpOnly cookie attribute, which increases security against XSS * attacks. */ http_only_cookie_attribute?: boolean; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * Allows options preflight requests to bypass Access authentication and go * directly to the origin. Cannot turn on if cors_headers is set. */ options_preflight_bypass?: boolean; /** * Sets the SameSite cookie setting, which provides increased security against CSRF * attacks. */ same_site_cookie_attribute?: string; /** * Configuration for provisioning to this application via SCIM. This is currently * in closed beta. */ scim_config?: ApplicationsAPI.ApplicationSCIMConfig; /** * Returns a 401 status code when the request is blocked by a Service Auth policy. */ service_auth_401_redirect?: boolean; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; /** * Enables automatic authentication through cloudflared. */ skip_interstitial?: boolean; updated_at?: string; } namespace BrowserVNCApplication { interface CORSHeaders { /** * Allows all HTTP request headers. */ allow_all_headers?: boolean; /** * Allows all HTTP request methods. */ allow_all_methods?: boolean; /** * Allows all origins. */ allow_all_origins?: boolean; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS * client certificates) with requests. */ allow_credentials?: boolean; /** * Allowed HTTP request headers. */ allowed_headers?: Array<unknown>; /** * Allowed HTTP request methods. */ allowed_methods?: Array<ApplicationsAPI.AllowedMethods>; /** * Allowed origins. */ allowed_origins?: Array<unknown>; /** * The maximum number of seconds the results of a preflight request can be cached. */ max_age?: number; } } interface AppLauncherApplication { /** * The application type. */ type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso'; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The domain and path that Access will secure. */ domain?: string; /** * The name of the application. */ name?: string; /** * Configuration for provisioning to this application via SCIM. This is currently * in closed beta. */ scim_config?: ApplicationsAPI.ApplicationSCIMConfig; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; updated_at?: string; } interface DeviceEnrollmentPermissionsApplication { /** * The application type. */ type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso'; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The domain and path that Access will secure. */ domain?: string; /** * The name of the application. */ name?: string; /** * Configuration for provisioning to this application via SCIM. This is currently * in closed beta. */ scim_config?: ApplicationsAPI.ApplicationSCIMConfig; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; updated_at?: string; } interface BrowserIsolationPermissionsApplication { /** * The application type. */ type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso'; /** * UUID */ id?: string; /** * The identity providers your users can select when connecting to this * application. Defaults to all IdPs configured in your account. */ allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>; /** * Audience tag. */ aud?: string; /** * When set to `true`, users skip the identity provider selection step during * login. You must specify only one identity provider in allowed_idps. */ auto_redirect_to_identity?: boolean; created_at?: string; /** * The domain and path that Access will secure. */ domain?: string; /** * The name of the application. */ name?: string; /** * Configuration for provisioning to this application via SCIM. This is currently * in closed beta. */ scim_config?: ApplicationsAPI.ApplicationSCIMConfig; /** * The amount of time that tokens issued for this application will be valid. Must * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, * s, m, h. */ session_duration?: string; updated_at?: string; } interface BookmarkApplication { /** * The URL or domain of the bookmark. */ domain: string; /** * The application type. */ type: string; /** * UUID */ id?: string; app_launcher_visible?: unknown; /** * Audience tag. */ aud?: string; created_at?: string; /** * The image URL for the logo shown in the App Launcher dashboard. */ logo_url?: string; /** * The name of the application. */ name?: string; /** * Configuration for provisioning to this application via SCIM. This is currently * in closed beta. */ scim_config?: ApplicationsAPI.ApplicationSCIMConfig; updated_at?: string; } } export interface ApplicationPolicy { /** * The UUID of the policy */ id?: string; /** * Administrators who can approve a temporary authentication request. */ approval_groups?: Array<PoliciesAPI.ApprovalGroup>; /** * Requires the user to request access from an administrator at the start of each * session. */ approval_required?: boolean; created_at?: string; /** * The action Access will take if a user matches this policy. Infrastructure * application policies can only use the Allow action. */ decision?: Decision; /** * Rules evaluated with a NOT logical operator. To match the policy, a user cannot * meet any of the Exclude rules. */ exclude?: Array<ApplicationsPoliciesAPI.AccessRule>; /** * Rules evaluated with an OR logical operator. A user needs to meet only one of * the Include rules. */ include?: Array<ApplicationsPoliciesAPI.AccessRule>; /** * Require this application to be served in an isolated browser for users matching * this policy. 'Client Web Isolation' must be on for the account in order to use * this feature. */ isolation_required?: boolean; /** * The name of the Access policy. */ name?: string; /** * A custom message that will appear on the purpose justification screen. */ purpose_justification_prompt?: string; /** * Require users to enter a justification when they log in to the application. */ purpose_justification_required?: boolean; /** * Rules evaluated with an AND logical operator. To match the policy, a user must * meet all of the Require rules. */ require?: Array<ApplicationsPoliciesAPI.AccessRule>; /** * The amount of time that tokens issued for the application will be valid. Must be * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, * m, h. */ session_duration?: string; updated_at?: string; } /** * Configuration for provisioning to this application via SCIM. This is currently * in closed beta. */ export interface ApplicationSCIMConfig { /** * The UID of the IdP to use as the source for SCIM resources to provision to this * application. */ idp_uid: string; /** * The base URI for the application's SCIM-compatible API. */ remote_uri: string; /** * Attributes for configuring HTTP Basic authentication scheme for SCIM * provisioning to an application. */ authentication?: SCIMConfigAuthenticationHTTPBasic | ApplicationSCIMConfig.AccessSchemasSCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | ApplicationSCIMConfig.AccessSCIMConfigAuthenticationAccessServiceToken | Array<SCIMConfigAuthenticationHTTPBasic | ApplicationSCIMConfig.AccessSchemasSCIMConfigAuthenticationOAuthBearerToken | SCIMConfigAuthenticationOauth2 | ApplicationSCIMConfig.AccessSCIMConfigAuthenticationAccessServiceToken>; /** * If false, we propagate DELETE requests to the target application for SCIM * resources. If true, we only set `active` to false on the SCIM resource. This is * useful because some targets do not support DELETE operations. */ deactivate_on_delete?: boolean; /** * Whether SCIM provisioning is turned on for this application. */ enabled?: boolean; /** * A list of mappings to apply to SCIM resources before provisioning them in this * application. These can transform or filter the resources to be provisioned. */ mappings?: Array<SCIMConfigMapping>; } export declare namespace ApplicationSCIMConfig { /** * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM * provisioning to an application. */ interface AccessSchemasSCIMConfigAuthenticationOAuthBearerToken { /** * Token used to authenticate with the remote SCIM service. */ token: string; /** * The authentication scheme to use when making SCIM requests to this application. */ scheme: 'oauthbearertoken'; } /** * Attributes for configuring Access Service Token authentication scheme for SCIM * provisioning to an application. */ interface AccessSCIMConfigAuthenticationAccessServiceToken { /** * Client ID of the Access service token used to authenticate with the remote * service. */ client_id: string; /** * Client secret of the Access service token used to authenticate with the remote * service. */ client_secret: string; /** * The authentication scheme to use when making SCIM requests to this application. */ scheme: 'access_service_token'; } /** * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM * provisioning to an application. */ interface AccessSchemasSCIMConfigAuthenticationOAuthBearerToken { /** * Token used to authenticate with the remote SCIM service. */ token: string; /** * The authentication scheme to use when making SCIM requests to this application. */ scheme: 'oauthbearertoken'; } /** * Attributes for configuring Access Service Token authentication scheme for SCIM * provisioning to an application. */ interface AccessSCIMConfigAuthenticationAccessServiceToken { /** * Client ID of the Access service token used to authenticate with the remote * service. */ client_id: string; /** * Client secret of the Access service token used to authenticate with the remote * service. */ client_secret: string; /** * The authentication scheme to use when making SCIM requests to this application. */ scheme: 'access_service_token'; } } /** * The application type. */ export type ApplicationType = 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso' | 'infrastructure' | 'rdp'; /** * The application type. */ export type ApplicationTypeParam = 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso' | 'infrastructure' | 'rdp'; export interface CORSHeaders { /** * Allows all HTTP request headers. */ allow_all_headers?: boolean; /** * Allows all HTTP request methods. */ allow_all_methods?: boolean; /** * Allows all origins. */ allow_all_origins?: boolean; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS * client certificates) with requests. */ allow_credentials?: boolean; /** * Allowed HTTP request headers. */ allowed_headers?: Array<AllowedHeaders>; /** * Allowed HTTP request methods. */ allowed_methods?: Array<AllowedMethods>; /** * Allowed origins. */ allowed_origins?: Array<AllowedOrigins>; /** * The maximum number of seconds the results of a preflight request can be cached. */ max_age?: number; } export interface CORSHeadersParam { /** * Allows all HTTP request headers. */ allow_all_headers?: boolean; /** * Allows all HTTP request methods. */ allow_all_methods?: boolean; /** * Allows all origins. */ allow_all_origins?: boolean; /** * When set to `true`, includes credentials (cookies, authorization headers, or TLS * client certificates) with requests. */ allow_credentials?: boolean; /** * Allowed HTTP request headers. */ allowed_headers?: Array<AllowedHeadersParam>; /** * Allowed HTTP request methods. */ allowed_methods?: Array<AllowedMethodsParam>; /** * Allowed origins. */ allowed_origins?: Array<AllowedOriginsParam>; /** * The maximum number of seconds the results of a preflight request can be cached. */ max_age?: number; } /** * The action Access will take if a user matches this policy. Infrastructure * application policies can only use the Allow action. */ export type Decision = 'allow' | 'deny' | 'non_identity' | 'bypass'; /** * The action Access will take if a user matches this policy. Infrastructure * application policies can only use the Allow action. */ export type DecisionParam = 'allow' | 'deny' | 'non_identity' | 'bypass'; export interface OIDCSaaSApp { /** * The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must * be greater than or equal to 1m and less than or equal to 24h. */ access_token_lifetime?: string; /** * If client secret should be required on the token endpoint when * authorization_code_with_pkce grant is used. */ allow_pkce_without_client_secret?: boolean; /** * The URL where this applications tile redirects users */ app_launcher_url?: string; /** * Identifier of the authentication protocol used for the saas app. Required for * OIDC. */ auth_type?: 'saml' | 'oidc'; /** * The application client id */ client_id?: string; /** * The application client secret, only returned on POST request. */ client_secret?: string; created_at?: string; custom_claims?: Array<OIDCSaaSApp.CustomClaim>; /** * The OIDC flows supported by this application */ grant_types?: Array<'authorization_code' | 'authorization_code_with_pkce' | 'refresh_tokens' | 'hybrid' | 'implicit'>; /** * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint */ group_filter_regex?: string; hybrid_and_implicit_options?: OIDCSaaSApp.HybridAndImplicitOptions; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * The permitted URL's for Cloudflare to return Authorization codes and Access/ID * tokens */ redirect_uris?: Array<string>; refresh_token_options?: OIDCSaaSApp.RefreshTokenOptions; /** * Define the user information shared with access, "offline_access" scope will be * automatically enabled if refresh tokens are enabled */ scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>; updated_at?: string; } export declare namespace OIDCSaaSApp { interface CustomClaim { /** * The name of the claim. */ name?: string; /** * If the claim is required when building an OIDC token. */ required?: boolean; /** * The scope of the claim. */ scope?: 'groups' | 'profile' | 'email' | 'openid'; source?: CustomClaim.Source; } namespace CustomClaim { interface Source { /** * The name of the IdP claim. */ name?: string; /** * A mapping from IdP ID to claim name. */ name_by_idp?: Record<string, string>; } } interface HybridAndImplicitOptions { /** * If an Access Token should be returned from the OIDC Authorization endpoint */ return_access_token_from_authorization_endpoint?: boolean; /** * If an ID Token should be returned from the OIDC Authorization endpoint */ return_id_token_from_authorization_endpoint?: boolean; } interface RefreshTokenOptions { /** * How long a refresh token will be valid for after creation. Valid units are * m,h,d. Must be longer than 1m. */ lifetime?: string; } } export interface OIDCSaaSAppParam { /** * The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must * be greater than or equal to 1m and less than or equal to 24h. */ access_token_lifetime?: string; /** * If client secret should be required on the token endpoint when * authorization_code_with_pkce grant is used. */ allow_pkce_without_client_secret?: boolean; /** * The URL where this applications tile redirects users */ app_launcher_url?: string; /** * Identifier of the authentication protocol used for the saas app. Required for * OIDC. */ auth_type?: 'saml' | 'oidc'; /** * The application client id */ client_id?: string; /** * The application client secret, only returned on POST request. */ client_secret?: string; custom_claims?: Array<OIDCSaaSAppParam.CustomClaim>; /** * The OIDC flows supported by this application */ grant_types?: Array<'authorization_code' | 'authorization_code_with_pkce' | 'refresh_tokens' | 'hybrid' | 'implicit'>; /** * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint */ group_filter_regex?: string; hybrid_and_implicit_options?: OIDCSaaSAppParam.HybridAndImplicitOptions; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * The permitted URL's for Cloudflare to return Authorization codes and Access/ID * tokens */ redirect_uris?: Array<string>; refresh_token_options?: OIDCSaaSAppParam.RefreshTokenOptions; /** * Define the user information shared with access, "offline_access" scope will be * automatically enabled if refresh tokens are enabled */ scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>; } export declare namespace OIDCSaaSAppParam { interface CustomClaim { /** * The name of the claim. */ name?: string; /** * If the claim is required when building an OIDC token. */ required?: boolean; /** * The scope of the claim. */ scope?: 'groups' | 'profile' | 'email' | 'openid'; source?: CustomClaim.Source; } namespace CustomClaim { interface Source { /** * The name of the IdP claim. */ name?: string; /** * A mapping from IdP ID to claim name. */ name_by_idp?: Record<string, string>; } } interface HybridAndImplicitOptions { /** * If an Access Token should be returned from the OIDC Authorization endpoint */ return_access_token_from_authorization_endpoint?: boolean; /** * If an ID Token should be returned from the OIDC Authorization endpoint */ return_id_token_from_authorization_endpoint?: boolean; } interface RefreshTokenOptions { /** * How long a refresh token will be valid for after creation. Valid units are * m,h,d. Must be longer than 1m. */ lifetime?: string; } } /** * The format of the name identifier sent to the SaaS application. */ export type SaaSAppNameIDFormat = 'id' | 'email'; /** * The format of the name identifier sent to the SaaS application. */ export type SaaSAppNameIDFormatParam = 'id' | 'email'; export interface SAMLSaaSApp { /** * Optional identifier indicating the authentication protocol used for the saas * app. Required for OIDC. Default if unset is "saml" */ auth_type?: 'saml' | 'oidc'; /** * The service provider's endpoint that is responsible for receiving and parsing a * SAML assertion. */ consumer_service_url?: string; created_at?: string; custom_attributes?: Array<SAMLSaaSApp.CustomAttribute>; /** * The URL that the user will be redirected to after a successful login for IDP * initiated logins. */ default_relay_state?: string; /** * The unique identifier for your SaaS application. */ idp_entity_id?: string; /** * The format of the name identifier sent to the SaaS application. */ name_id_format?: SaaSAppNameIDFormat; /** * A [JSONata](https://jsonata.org/) expression that transforms an application's * user identities into a NameID value for its SAML assertion. This expression * should evaluate to a singular string. The output of this expression can override * the `name_id_format` setting. */ name_id_transform_jsonata?: string; /** * The Access public certificate that will be used to verify your identity. */ public_key?: string; /** * A [JSONata] (https://jsonata.org/) expression that transforms an application's * user identities into attribute assertions in the SAML response. The expression * can transform id, email, name, and groups values. It can also transform fields * listed in the saml_attributes or oidc_fields of the identity provider used to * authenticate. The output of this expression must be a JSON object. */ saml_attribute_transform_jsonata?: string; /** * A globally unique name for an identity or service provider. */ sp_entity_id?: string; /** * The endpoint where your SaaS application will send login requests. */ sso_endpoint?: string; updated_at?: string; } export declare namespace SAMLSaaSApp { interface CustomAttribute { /** * The SAML FriendlyName of the attribute. */ friendly_name?: string; /** * The name of the attribute. */ name?: string; /** * A globally unique name for an ident