// File generated from our OpenAPI spec by Stainless. See CONTRIBUTING.md for details.
import { APIResource } from '../../../../resource';
import { isRequestOptions } from '../../../../core';
import * as Core from '../../../../core';
import * as ApplicationsAPI from './applications';
import * as PoliciesAPI from '../policies';
import * as CAsAPI from './cas';
import {
CA,
CACreateParams,
CADeleteParams,
CADeleteResponse,
CAGetParams,
CAListParams,
CAs,
CAsV4PagePaginationArray,
} from './cas';
import * as ApplicationsPoliciesAPI from './policies';
import {
AccessDevicePostureRule,
AccessRule,
AnyValidServiceTokenRule,
AuthenticationMethodRule,
AzureGroupRule,
CertificateRule,
CountryRule,
DomainRule,
EmailListRule,
EmailRule,
EveryoneRule,
ExternalEvaluationRule,
GSuiteGroupRule,
GitHubOrganizationRule,
GroupRule,
IPListRule,
IPRule,
OktaGroupRule,
Policies,
PolicyCreateParams,
PolicyCreateResponse,
PolicyDeleteParams,
PolicyDeleteResponse,
PolicyGetParams,
PolicyGetResponse,
PolicyListParams,
PolicyListResponse,
PolicyListResponsesV4PagePaginationArray,
PolicyUpdateParams,
PolicyUpdateResponse,
SAMLGroupRule,
ServiceTokenRule,
} from './policies';
import * as SettingsAPI from './settings';
import {
SettingEditParams,
SettingEditResponse,
SettingUpdateParams,
SettingUpdateResponse,
Settings,
} from './settings';
import * as UserPolicyChecksAPI from './user-policy-checks';
import {
UserPolicyCheckGeo,
UserPolicyCheckListParams,
UserPolicyCheckListResponse,
UserPolicyChecks,
} from './user-policy-checks';
import * as PolicyTestsAPI from './policy-tests/policy-tests';
import {
PolicyTestCreateParams,
PolicyTestCreateResponse,
PolicyTestGetParams,
PolicyTestGetResponse,
PolicyTests,
} from './policy-tests/policy-tests';
import { CloudflareError } from '../../../../error';
import { V4PagePaginationArray, type V4PagePaginationArrayParams } from '../../../../pagination';
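/**
 * Builds the `/accounts/{id}` or `/zones/{id}` prefix shared by every Access
 * application endpoint in this file.
 *
 * Exactly one of the two identifiers must be supplied. The chosen identifier is
 * percent-encoded so that a value containing `/`, `?` or `#` stays inside its
 * own path segment and cannot change which endpoint the authenticated request
 * reaches. Dot-segments (`.` / `..`) are not altered by `encodeURIComponent`;
 * identifiers that originate from untrusted input should still be validated by
 * the caller.
 *
 * @param accountId - Account identifier, if the call is account-scoped.
 * @param zoneId - Zone identifier, if the call is zone-scoped.
 * @returns The path prefix, without a trailing slash.
 * @throws CloudflareError when neither or both identifiers are provided.
 */
function accessAppsScopePath(accountId: string | undefined, zoneId: string | undefined): string {
  if (accountId && zoneId) {
    throw new CloudflareError('You cannot provide both account_id and zone_id.');
  }
  if (accountId) {
    return `/accounts/${encodeURIComponent(accountId)}`;
  }
  if (zoneId) {
    return `/zones/${encodeURIComponent(zoneId)}`;
  }
  throw new CloudflareError('You must provide either account_id or zone_id.');
}

/**
 * Resource for Access applications (`client.zeroTrust.access.applications`).
 *
 * Every method is scoped to either an account or a zone: the params must carry
 * exactly one of `account_id` / `zone_id`, otherwise a `CloudflareError` is
 * thrown before any request is sent. Path parameters are percent-encoded before
 * being placed in the request URL.
 */
export class Applications extends APIResource {
  cas: CAsAPI.CAs = new CAsAPI.CAs(this._client);
  userPolicyChecks: UserPolicyChecksAPI.UserPolicyChecks = new UserPolicyChecksAPI.UserPolicyChecks(
    this._client,
  );
  policies: ApplicationsPoliciesAPI.Policies = new ApplicationsPoliciesAPI.Policies(this._client);
  policyTests: PolicyTestsAPI.PolicyTests = new PolicyTestsAPI.PolicyTests(this._client);
  settings: SettingsAPI.Settings = new SettingsAPI.Settings(this._client);

  /**
   * Adds a new application to Access.
   *
   * `account_id` / `zone_id` select the URL scope; every other field of
   * `params` is sent as the request body.
   *
   * @throws CloudflareError when neither or both of `account_id` and `zone_id`
   * are provided.
   *
   * @example
   * ```ts
   * const application =
   *   await client.zeroTrust.access.applications.create({
   *     domain: 'test.example.com/admin',
   *     type: 'self_hosted',
   *     account_id: 'account_id',
   *   });
   * ```
   */
  create(
    params: ApplicationCreateParams,
    options?: Core.RequestOptions,
  ): Core.APIPromise<ApplicationCreateResponse> {
    const { account_id, zone_id, ...body } = params;
    const scope = accessAppsScopePath(account_id, zone_id);
    return (
      this._client.post(`${scope}/access/apps`, {
        body,
        ...options,
      }) as Core.APIPromise<{ result: ApplicationCreateResponse }>
    )._thenUnwrap((obj) => obj.result);
  }

  /**
   * Updates an Access application.
   *
   * `account_id` / `zone_id` select the URL scope; every other field of
   * `params` is sent as the request body.
   *
   * @throws CloudflareError when neither or both of `account_id` and `zone_id`
   * are provided.
   *
   * @example
   * ```ts
   * const application =
   *   await client.zeroTrust.access.applications.update(
   *     '023e105f4ecef8ad9ca31a8372d0c353',
   *     {
   *       domain: 'test.example.com/admin',
   *       type: 'self_hosted',
   *       account_id: 'account_id',
   *     },
   *   );
   * ```
   */
  update(
    appId: AppIDParam,
    params: ApplicationUpdateParams,
    options?: Core.RequestOptions,
  ): Core.APIPromise<ApplicationUpdateResponse> {
    const { account_id, zone_id, ...body } = params;
    const scope = accessAppsScopePath(account_id, zone_id);
    // appId is encoded so it can only ever name one path segment.
    return (
      this._client.put(`${scope}/access/apps/${encodeURIComponent(appId)}`, {
        body,
        ...options,
      }) as Core.APIPromise<{ result: ApplicationUpdateResponse }>
    )._thenUnwrap((obj) => obj.result);
  }

  /**
   * Lists all Access applications in an account or zone.
   *
   * `account_id` / `zone_id` select the URL scope; every other field of
   * `params` is sent as the query string. Calling `list(options)` without params
   * is accepted by the overloads but throws at runtime, because no scope
   * identifier is available.
   *
   * @throws CloudflareError when neither or both of `account_id` and `zone_id`
   * are provided.
   *
   * @example
   * ```ts
   * // Automatically fetches more pages as needed.
   * for await (const applicationListResponse of client.zeroTrust.access.applications.list(
   *   { account_id: 'account_id' },
   * )) {
   *   // ...
   * }
   * ```
   */
  list(
    params?: ApplicationListParams,
    options?: Core.RequestOptions,
  ): Core.PagePromise<ApplicationListResponsesV4PagePaginationArray, ApplicationListResponse>;
  list(
    options?: Core.RequestOptions,
  ): Core.PagePromise<ApplicationListResponsesV4PagePaginationArray, ApplicationListResponse>;
  list(
    params: ApplicationListParams | Core.RequestOptions = {},
    options?: Core.RequestOptions,
  ): Core.PagePromise<ApplicationListResponsesV4PagePaginationArray, ApplicationListResponse> {
    if (isRequestOptions(params)) {
      // Single-argument form: the argument was request options, not params.
      return this.list({}, params);
    }
    const { account_id, zone_id, ...query } = params;
    const scope = accessAppsScopePath(account_id, zone_id);
    return this._client.getAPIList(`${scope}/access/apps`, ApplicationListResponsesV4PagePaginationArray, {
      query,
      ...options,
    });
  }

  /**
   * Deletes an application from Access.
   *
   * @throws CloudflareError when neither or both of `account_id` and `zone_id`
   * are provided (including the `delete(appId, options)` form, which carries no
   * scope identifier).
   *
   * @example
   * ```ts
   * const application =
   *   await client.zeroTrust.access.applications.delete(
   *     '023e105f4ecef8ad9ca31a8372d0c353',
   *     { account_id: 'account_id' },
   *   );
   * ```
   */
  delete(
    appId: AppIDParam,
    params?: ApplicationDeleteParams,
    options?: Core.RequestOptions,
  ): Core.APIPromise<ApplicationDeleteResponse>;
  delete(appId: AppIDParam, options?: Core.RequestOptions): Core.APIPromise<ApplicationDeleteResponse>;
  delete(
    appId: AppIDParam,
    params: ApplicationDeleteParams | Core.RequestOptions = {},
    options?: Core.RequestOptions,
  ): Core.APIPromise<ApplicationDeleteResponse> {
    if (isRequestOptions(params)) {
      return this.delete(appId, {}, params);
    }
    const { account_id, zone_id } = params;
    const scope = accessAppsScopePath(account_id, zone_id);
    // appId is encoded so it can only ever name one path segment.
    return (
      this._client.delete(
        `${scope}/access/apps/${encodeURIComponent(appId)}`,
        options,
      ) as Core.APIPromise<{ result: ApplicationDeleteResponse }>
    )._thenUnwrap((obj) => obj.result);
  }

  /**
   * Fetches information about an Access application.
   *
   * @throws CloudflareError when neither or both of `account_id` and `zone_id`
   * are provided (including the `get(appId, options)` form, which carries no
   * scope identifier).
   *
   * @example
   * ```ts
   * const application =
   *   await client.zeroTrust.access.applications.get(
   *     '023e105f4ecef8ad9ca31a8372d0c353',
   *     { account_id: 'account_id' },
   *   );
   * ```
   */
  get(
    appId: AppIDParam,
    params?: ApplicationGetParams,
    options?: Core.RequestOptions,
  ): Core.APIPromise<ApplicationGetResponse>;
  get(appId: AppIDParam, options?: Core.RequestOptions): Core.APIPromise<ApplicationGetResponse>;
  get(
    appId: AppIDParam,
    params: ApplicationGetParams | Core.RequestOptions = {},
    options?: Core.RequestOptions,
  ): Core.APIPromise<ApplicationGetResponse> {
    if (isRequestOptions(params)) {
      return this.get(appId, {}, params);
    }
    const { account_id, zone_id } = params;
    const scope = accessAppsScopePath(account_id, zone_id);
    // appId is encoded so it can only ever name one path segment.
    return (
      this._client.get(
        `${scope}/access/apps/${encodeURIComponent(appId)}`,
        options,
      ) as Core.APIPromise<{ result: ApplicationGetResponse }>
    )._thenUnwrap((obj) => obj.result);
  }

  /**
   * Revokes all tokens issued for an application.
   *
   * The request is a POST to `.../access/apps/{appId}/revoke_tokens` with no
   * body; the unwrapped result may be `null`.
   *
   * @throws CloudflareError when neither or both of `account_id` and `zone_id`
   * are provided (including the `revokeTokens(appId, options)` form, which
   * carries no scope identifier).
   *
   * @example
   * ```ts
   * const response =
   *   await client.zeroTrust.access.applications.revokeTokens(
   *     '023e105f4ecef8ad9ca31a8372d0c353',
   *     { account_id: 'account_id' },
   *   );
   * ```
   */
  revokeTokens(
    appId: AppIDParam,
    params?: ApplicationRevokeTokensParams,
    options?: Core.RequestOptions,
  ): Core.APIPromise<ApplicationRevokeTokensResponse | null>;
  revokeTokens(
    appId: AppIDParam,
    options?: Core.RequestOptions,
  ): Core.APIPromise<ApplicationRevokeTokensResponse | null>;
  revokeTokens(
    appId: AppIDParam,
    params: ApplicationRevokeTokensParams | Core.RequestOptions = {},
    options?: Core.RequestOptions,
  ): Core.APIPromise<ApplicationRevokeTokensResponse | null> {
    if (isRequestOptions(params)) {
      return this.revokeTokens(appId, {}, params);
    }
    const { account_id, zone_id } = params;
    const scope = accessAppsScopePath(account_id, zone_id);
    // appId is encoded so it can only ever name one path segment.
    return (
      this._client.post(
        `${scope}/access/apps/${encodeURIComponent(appId)}/revoke_tokens`,
        options,
      ) as Core.APIPromise<{ result: ApplicationRevokeTokensResponse | null }>
    )._thenUnwrap((obj) => obj.result);
  }
}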
/**
 * Page type produced by `Applications.list`: a `V4PagePaginationArray` whose
 * items are `ApplicationListResponse`. It adds no members of its own.
 */
export class ApplicationListResponsesV4PagePaginationArray extends V4PagePaginationArray<ApplicationListResponse> {}
/**
 * A single header name. NOTE(review): presumably one entry of a CORS
 * `allowed_headers` list, but the `CORSHeaders` interfaces in this file type that
 * field as `Array<unknown>` rather than using this alias — confirm usage.
 */
export type AllowedHeaders = string;
/**
 * Request-side counterpart of `AllowedHeaders`; identical shape.
 */
export type AllowedHeadersParam = string;
/**
 * The identity providers selected for application.
 */
export type AllowedIdPs = string;
/**
 * The identity providers selected for application.
 */
export type AllowedIdPsParam = string;
/**
 * HTTP request methods that may appear in a CORS `allowed_methods` list.
 */
export type AllowedMethods =
| 'GET'
| 'POST'
| 'HEAD'
| 'PUT'
| 'DELETE'
| 'CONNECT'
| 'OPTIONS'
| 'TRACE'
| 'PATCH';
/**
 * Request-side counterpart of `AllowedMethods`; identical set of literals.
 */
export type AllowedMethodsParam =
| 'GET'
| 'POST'
| 'HEAD'
| 'PUT'
| 'DELETE'
| 'CONNECT'
| 'OPTIONS'
| 'TRACE'
| 'PATCH';
/**
 * A single origin. NOTE(review): presumably one entry of a CORS
 * `allowed_origins` list, but the `CORSHeaders` interfaces in this file type that
 * field as `Array<unknown>` rather than using this alias — confirm usage.
 */
export type AllowedOrigins = string;
/**
 * Request-side counterpart of `AllowedOrigins`; identical shape.
 */
export type AllowedOriginsParam = string;
/**
 * Identifier.
 */
export type AppID = string;
/**
 * Identifier. Used as a URL path segment by the `Applications` methods that take
 * an `appId` argument; the alias is a plain `string`, so no format is enforced
 * at the type level.
 */
export type AppIDParam = string;
/**
 * Union of the Access application shapes declared in the `Application`
 * namespace.
 *
 * The members do not share a literal discriminant: several of them type `type`
 * as a plain `string` (and `SaaSApplication` makes it optional), so `type` alone
 * does not narrow this union for the compiler. Narrow by checking for
 * member-specific fields instead.
 */
export type Application =
| Application.SelfHostedApplication
| Application.SaaSApplication
| Application.BrowserSSHApplication
| Application.BrowserVNCApplication
| Application.AppLauncherApplication
| Application.DeviceEnrollmentPermissionsApplication
| Application.BrowserIsolationPermissionsApplication
| Application.BookmarkApplication;
export namespace Application {
/**
 * A self-hosted application protected by Access. Only `domain` and `type` are
 * required; every other field is optional.
 */
export interface SelfHostedApplication {
/**
 * The domain and path that Access will secure.
 */
domain: string;
/**
 * The application type. Typed as a plain `string` here, so the compiler does not
 * restrict it to a known set of values.
 */
type: string;
/**
 * UUID.
 */
id?: string;
/**
 * Enables loading application content in an iFrame.
 *
 * NOTE(review): allowing a protected application to be framed widens its
 * clickjacking exposure; enable only where embedding is actually required.
 */
allow_iframe?: boolean;
/**
 * The identity providers your users can select when connecting to this
 * application. Defaults to all IdPs configured in your account.
 */
allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>;
/**
 * Displays the application in the App Launcher.
 */
app_launcher_visible?: boolean;
/**
 * Audience tag.
 */
aud?: string;
/**
 * When set to `true`, users skip the identity provider selection step during
 * login. You must specify only one identity provider in allowed_idps.
 */
auto_redirect_to_identity?: boolean;
/**
 * CORS settings for the application (see `SelfHostedApplication.CORSHeaders`).
 * Per the `options_preflight_bypass` description, the two cannot be combined.
 */
cors_headers?: SelfHostedApplication.CORSHeaders;
/**
 * NOTE(review): presumably the creation timestamp; the format is not specified
 * in this file.
 */
created_at?: string;
/**
 * The custom error message shown to a user when they are denied access to the
 * application.
 */
custom_deny_message?: string;
/**
 * The custom URL a user is redirected to when they are denied access to the
 * application.
 */
custom_deny_url?: string;
/**
 * Enables the binding cookie, which increases security against compromised
 * authorization tokens and CSRF attacks.
 */
enable_binding_cookie?: boolean;
/**
 * Enables the HttpOnly cookie attribute, which increases security against XSS
 * attacks.
 */
http_only_cookie_attribute?: boolean;
/**
 * The image URL for the logo shown in the App Launcher dashboard.
 */
logo_url?: string;
/**
 * The name of the application.
 */
name?: string;
/**
 * Allows options preflight requests to bypass Access authentication and go
 * directly to the origin. Cannot turn on if cors_headers is set.
 *
 * With this enabled, OPTIONS preflight requests reach the origin without an
 * Access identity check, so the origin itself must answer them safely.
 */
options_preflight_bypass?: boolean;
/**
 * Sets the SameSite cookie setting, which provides increased security against CSRF
 * attacks. Typed as a plain `string`; the accepted values are not listed in this
 * file.
 */
same_site_cookie_attribute?: string;
/**
 * Configuration for provisioning to this application via SCIM. This is currently
 * in closed beta.
 */
scim_config?: ApplicationsAPI.ApplicationSCIMConfig;
/**
 * Returns a 401 status code when the request is blocked by a Service Auth policy.
 */
service_auth_401_redirect?: boolean;
/**
 * The amount of time that tokens issued for this application will be valid. Must
 * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
 * s, m, h.
 *
 * A longer duration keeps an issued token usable for longer; `revokeTokens` on
 * the `Applications` resource revokes all tokens issued for an application.
 */
session_duration?: string;
/**
 * Enables automatic authentication through cloudflared.
 */
skip_interstitial?: boolean;
/**
 * NOTE(review): presumably the last-modification timestamp; the format is not
 * specified in this file.
 */
updated_at?: string;
}
export namespace SelfHostedApplication {
/**
 * CORS settings for a self-hosted application. All fields are optional.
 *
 * NOTE(review): the `allow_all_*` switches are the broadest settings available
 * here; prefer the explicit `allowed_*` lists unless a wildcard is required.
 */
export interface CORSHeaders {
/**
 * Allows all HTTP request headers.
 */
allow_all_headers?: boolean;
/**
 * Allows all HTTP request methods.
 */
allow_all_methods?: boolean;
/**
 * Allows all origins.
 *
 * NOTE(review): review any configuration that sets this together with
 * `allow_credentials`; a credentialed wildcard is the least restrictive CORS
 * posture — confirm how the service resolves the combination.
 */
allow_all_origins?: boolean;
/**
 * When set to `true`, includes credentials (cookies, authorization headers, or TLS
 * client certificates) with requests.
 */
allow_credentials?: boolean;
/**
 * Allowed HTTP request headers. Typed as `Array<unknown>`, so entries are not
 * checked by the compiler.
 */
allowed_headers?: Array<unknown>;
/**
 * Allowed HTTP request methods.
 */
allowed_methods?: Array<ApplicationsAPI.AllowedMethods>;
/**
 * Allowed origins. Typed as `Array<unknown>`, so entries are not checked by the
 * compiler.
 */
allowed_origins?: Array<unknown>;
/**
 * The maximum number of seconds the results of a preflight request can be cached.
 */
max_age?: number;
}
}
export interface SaaSApplication {
/**
* UUID.
*/
id?: string;
/**
* The identity providers your users can select when connecting to this
* application. Defaults to all IdPs configured in your account.
*/
allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>;
/**
* Displays the application in the App Launcher.
*/
app_launcher_visible?: boolean;
/**
* Audience tag.
*/
aud?: string;
/**
* When set to `true`, users skip the identity provider selection step during
* login. You must specify only one identity provider in allowed_idps.
*/
auto_redirect_to_identity?: boolean;
created_at?: string;
/**
* The image URL for the logo shown in the App Launcher dashboard.
*/
logo_url?: string;
/**
* The name of the application.
*/
name?: string;
saas_app?: SaaSApplication.AccessSchemasSAMLSaaSApp | SaaSApplication.AccessSchemasOIDCSaaSApp;
/**
* Configuration for provisioning to this application via SCIM. This is currently
* in closed beta.
*/
scim_config?: ApplicationsAPI.ApplicationSCIMConfig;
/**
* The application type.
*/
type?: string;
updated_at?: string;
}
export namespace SaaSApplication {
export interface AccessSchemasSAMLSaaSApp {
/**
* Optional identifier indicating the authentication protocol used for the saas
* app. Required for OIDC. Default if unset is "saml"
*/
auth_type?: 'saml' | 'oidc';
/**
* The service provider's endpoint that is responsible for receiving and parsing a
* SAML assertion.
*/
consumer_service_url?: string;
created_at?: string;
custom_attributes?: Array<AccessSchemasSAMLSaaSApp.CustomAttribute>;
/**
* The unique identifier for your SaaS application.
*/
idp_entity_id?: string;
/**
* The format of the name identifier sent to the SaaS application.
*/
name_id_format?: ApplicationsAPI.SaaSAppNameIDFormat;
/**
* A [JSONata](https://jsonata.org/) expression that transforms an application's
* user identities into a NameID value for its SAML assertion. This expression
* should evaluate to a singular string. The output of this expression can override
* the `name_id_format` setting.
*/
name_id_transform_jsonata?: string;
/**
* The Access public certificate that will be used to verify your identity.
*/
public_key?: string;
/**
* A globally unique name for an identity or service provider.
*/
sp_entity_id?: string;
/**
* The endpoint where your SaaS application will send login requests.
*/
sso_endpoint?: string;
updated_at?: string;
}
export namespace AccessSchemasSAMLSaaSApp {
/**
 * A custom attribute included in the SAML assertion for a SaaS application.
 */
export interface CustomAttribute {
/**
 * The SAML FriendlyName of the attribute.
 */
friendly_name?: string;
/**
 * The name of the attribute.
 */
name?: string;
/**
 * The SAML name format of the attribute: one of the
 * `urn:oasis:names:tc:SAML:2.0:attrname-format:*` URNs listed below.
 */
name_format?:
| 'urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified'
| 'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'
| 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri';
/**
 * If the attribute is required when building a SAML assertion.
 */
required?: boolean;
/**
 * The IdP attribute this value is taken from (see `CustomAttribute.Source`).
 */
source?: CustomAttribute.Source;
}
export namespace CustomAttribute {
export interface Source {
/**
* The name of the IdP attribute.
*/
name?: string;
/**
* A mapping from IdP ID to attribute name.
*/
name_by_idp?: { [key: string]: string };
}
}
}
/**
 * OIDC configuration of a SaaS application. All fields are optional at the type
 * level, although `auth_type` is documented as required for OIDC.
 */
export interface AccessSchemasOIDCSaaSApp {
/**
 * The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must
 * be greater than or equal to 1m and less than or equal to 24h.
 */
access_token_lifetime?: string;
/**
 * Controls whether the client secret is required on the token endpoint when the
 * authorization_code_with_pkce grant is used.
 *
 * NOTE(review): the field name suggests that `true` permits a PKCE code exchange
 * without a client secret, while the upstream wording reads the other way —
 * confirm the polarity before relying on it.
 */
allow_pkce_without_client_secret?: boolean;
/**
 * The URL where this application's tile redirects users.
 */
app_launcher_url?: string;
/**
 * Identifier of the authentication protocol used for the saas app. Required for
 * OIDC.
 */
auth_type?: 'saml' | 'oidc';
/**
 * The application client id.
 */
client_id?: string;
/**
 * The application client secret, only returned on POST request.
 *
 * This is a credential: capture it from the create response, store it in a
 * secret store, and keep it out of logs and error reports.
 */
client_secret?: string;
/**
 * NOTE(review): presumably the creation timestamp; the format is not specified
 * in this file.
 */
created_at?: string;
/**
 * Custom claims added to the OIDC token (see `AccessSchemasOIDCSaaSApp.CustomClaim`).
 */
custom_claims?: Array<AccessSchemasOIDCSaaSApp.CustomClaim>;
/**
 * The OIDC flows supported by this application.
 *
 * For `hybrid` and `implicit`, `hybrid_and_implicit_options` controls whether
 * tokens are returned from the authorization endpoint.
 */
grant_types?: Array<
'authorization_code' | 'authorization_code_with_pkce' | 'refresh_tokens' | 'hybrid' | 'implicit'
>;
/**
 * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint.
 */
group_filter_regex?: string;
/**
 * Options for the hybrid and implicit flows (see
 * `AccessSchemasOIDCSaaSApp.HybridAndImplicitOptions`).
 */
hybrid_and_implicit_options?: AccessSchemasOIDCSaaSApp.HybridAndImplicitOptions;
/**
 * The Access public certificate that will be used to verify your identity.
 */
public_key?: string;
/**
 * The permitted URLs for Cloudflare to return authorization codes and Access/ID
 * tokens. Codes and tokens are delivered to these URLs, so list only endpoints
 * the application controls.
 */
redirect_uris?: Array<string>;
/**
 * Refresh-token settings (see `AccessSchemasOIDCSaaSApp.RefreshTokenOptions`).
 */
refresh_token_options?: AccessSchemasOIDCSaaSApp.RefreshTokenOptions;
/**
 * Define the user information shared with access, "offline_access" scope will be
 * automatically enabled if refresh tokens are enabled
 */
scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>;
/**
 * NOTE(review): presumably the last-modification timestamp; the format is not
 * specified in this file.
 */
updated_at?: string;
}
export namespace AccessSchemasOIDCSaaSApp {
export interface CustomClaim {
/**
* The name of the claim.
*/
name?: string;
/**
* If the claim is required when building an OIDC token.
*/
required?: boolean;
/**
* The scope of the claim.
*/
scope?: 'groups' | 'profile' | 'email' | 'openid';
source?: CustomClaim.Source;
}
export namespace CustomClaim {
export interface Source {
/**
* The name of the IdP claim.
*/
name?: string;
/**
* A mapping from IdP ID to attribute name.
*/
name_by_idp?: Array<Source.NameByIdP>;
}
export namespace Source {
export interface NameByIdP {
/**
* The UID of the IdP.
*/
idp_id?: string;
/**
* The name of the IdP provided attribute.
*/
source_name?: string;
}
}
}
export interface HybridAndImplicitOptions {
/**
* If an Access Token should be returned from the OIDC Authorization endpoint
*/
return_access_token_from_authorization_endpoint?: boolean;
/**
* If an ID Token should be returned from the OIDC Authorization endpoint
*/
return_id_token_from_authorization_endpoint?: boolean;
}
export interface RefreshTokenOptions {
/**
* How long a refresh token will be valid for after creation. Valid units are
* m,h,d. Must be longer than 1m.
*/
lifetime?: string;
}
}
}
export interface BrowserSSHApplication {
/**
* The domain and path that Access will secure.
*/
domain: string;
/**
* The application type.
*/
type: string;
/**
* UUID.
*/
id?: string;
/**
* Enables loading application content in an iFrame.
*/
allow_iframe?: boolean;
/**
* The identity providers your users can select when connecting to this
* application. Defaults to all IdPs configured in your account.
*/
allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>;
/**
* Displays the application in the App Launcher.
*/
app_launcher_visible?: boolean;
/**
* Audience tag.
*/
aud?: string;
/**
* When set to `true`, users skip the identity provider selection step during
* login. You must specify only one identity provider in allowed_idps.
*/
auto_redirect_to_identity?: boolean;
cors_headers?: BrowserSSHApplication.CORSHeaders;
created_at?: string;
/**
* The custom error message shown to a user when they are denied access to the
* application.
*/
custom_deny_message?: string;
/**
* The custom URL a user is redirected to when they are denied access to the
* application.
*/
custom_deny_url?: string;
/**
* Enables the binding cookie, which increases security against compromised
* authorization tokens and CSRF attacks.
*/
enable_binding_cookie?: boolean;
/**
* Enables the HttpOnly cookie attribute, which increases security against XSS
* attacks.
*/
http_only_cookie_attribute?: boolean;
/**
* The image URL for the logo shown in the App Launcher dashboard.
*/
logo_url?: string;
/**
* The name of the application.
*/
name?: string;
/**
* Allows options preflight requests to bypass Access authentication and go
* directly to the origin. Cannot turn on if cors_headers is set.
*/
options_preflight_bypass?: boolean;
/**
* Sets the SameSite cookie setting, which provides increased security against CSRF
* attacks.
*/
same_site_cookie_attribute?: string;
/**
* Configuration for provisioning to this application via SCIM. This is currently
* in closed beta.
*/
scim_config?: ApplicationsAPI.ApplicationSCIMConfig;
/**
* Returns a 401 status code when the request is blocked by a Service Auth policy.
*/
service_auth_401_redirect?: boolean;
/**
* The amount of time that tokens issued for this application will be valid. Must
* be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
* s, m, h.
*/
session_duration?: string;
/**
* Enables automatic authentication through cloudflared.
*/
skip_interstitial?: boolean;
updated_at?: string;
}
export namespace BrowserSSHApplication {
/**
 * CORS settings for a browser SSH application. All fields are optional.
 *
 * NOTE(review): the `allow_all_*` switches are the broadest settings available
 * here; prefer the explicit `allowed_*` lists unless a wildcard is required.
 */
export interface CORSHeaders {
/**
 * Allows all HTTP request headers.
 */
allow_all_headers?: boolean;
/**
 * Allows all HTTP request methods.
 */
allow_all_methods?: boolean;
/**
 * Allows all origins.
 *
 * NOTE(review): review any configuration that sets this together with
 * `allow_credentials`; a credentialed wildcard is the least restrictive CORS
 * posture — confirm how the service resolves the combination.
 */
allow_all_origins?: boolean;
/**
 * When set to `true`, includes credentials (cookies, authorization headers, or TLS
 * client certificates) with requests.
 */
allow_credentials?: boolean;
/**
 * Allowed HTTP request headers. Typed as `Array<unknown>`, so entries are not
 * checked by the compiler.
 */
allowed_headers?: Array<unknown>;
/**
 * Allowed HTTP request methods.
 */
allowed_methods?: Array<ApplicationsAPI.AllowedMethods>;
/**
 * Allowed origins. Typed as `Array<unknown>`, so entries are not checked by the
 * compiler.
 */
allowed_origins?: Array<unknown>;
/**
 * The maximum number of seconds the results of a preflight request can be cached.
 */
max_age?: number;
}
}
export interface BrowserVNCApplication {
/**
* The domain and path that Access will secure.
*/
domain: string;
/**
* The application type.
*/
type: string;
/**
* UUID.
*/
id?: string;
/**
* Enables loading application content in an iFrame.
*/
allow_iframe?: boolean;
/**
* The identity providers your users can select when connecting to this
* application. Defaults to all IdPs configured in your account.
*/
allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>;
/**
* Displays the application in the App Launcher.
*/
app_launcher_visible?: boolean;
/**
* Audience tag.
*/
aud?: string;
/**
* When set to `true`, users skip the identity provider selection step during
* login. You must specify only one identity provider in allowed_idps.
*/
auto_redirect_to_identity?: boolean;
cors_headers?: BrowserVNCApplication.CORSHeaders;
created_at?: string;
/**
* The custom error message shown to a user when they are denied access to the
* application.
*/
custom_deny_message?: string;
/**
* The custom URL a user is redirected to when they are denied access to the
* application.
*/
custom_deny_url?: string;
/**
* Enables the binding cookie, which increases security against compromised
* authorization tokens and CSRF attacks.
*/
enable_binding_cookie?: boolean;
/**
* Enables the HttpOnly cookie attribute, which increases security against XSS
* attacks.
*/
http_only_cookie_attribute?: boolean;
/**
* The image URL for the logo shown in the App Launcher dashboard.
*/
logo_url?: string;
/**
* The name of the application.
*/
name?: string;
/**
* Allows options preflight requests to bypass Access authentication and go
* directly to the origin. Cannot turn on if cors_headers is set.
*/
options_preflight_bypass?: boolean;
/**
* Sets the SameSite cookie setting, which provides increased security against CSRF
* attacks.
*/
same_site_cookie_attribute?: string;
/**
* Configuration for provisioning to this application via SCIM. This is currently
* in closed beta.
*/
scim_config?: ApplicationsAPI.ApplicationSCIMConfig;
/**
* Returns a 401 status code when the request is blocked by a Service Auth policy.
*/
service_auth_401_redirect?: boolean;
/**
* The amount of time that tokens issued for this application will be valid. Must
* be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
* s, m, h.
*/
session_duration?: string;
/**
* Enables automatic authentication through cloudflared.
*/
skip_interstitial?: boolean;
updated_at?: string;
}
export namespace BrowserVNCApplication {
/**
 * CORS settings for a browser VNC application. All fields are optional.
 *
 * NOTE(review): the `allow_all_*` switches are the broadest settings available
 * here; prefer the explicit `allowed_*` lists unless a wildcard is required.
 */
export interface CORSHeaders {
/**
 * Allows all HTTP request headers.
 */
allow_all_headers?: boolean;
/**
 * Allows all HTTP request methods.
 */
allow_all_methods?: boolean;
/**
 * Allows all origins.
 *
 * NOTE(review): review any configuration that sets this together with
 * `allow_credentials`; a credentialed wildcard is the least restrictive CORS
 * posture — confirm how the service resolves the combination.
 */
allow_all_origins?: boolean;
/**
 * When set to `true`, includes credentials (cookies, authorization headers, or TLS
 * client certificates) with requests.
 */
allow_credentials?: boolean;
/**
 * Allowed HTTP request headers. Typed as `Array<unknown>`, so entries are not
 * checked by the compiler.
 */
allowed_headers?: Array<unknown>;
/**
 * Allowed HTTP request methods.
 */
allowed_methods?: Array<ApplicationsAPI.AllowedMethods>;
/**
 * Allowed origins. Typed as `Array<unknown>`, so entries are not checked by the
 * compiler.
 */
allowed_origins?: Array<unknown>;
/**
 * The maximum number of seconds the results of a preflight request can be cached.
 */
max_age?: number;
}
}
export interface AppLauncherApplication {
/**
* The application type.
*/
type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso';
/**
* UUID.
*/
id?: string;
/**
* The identity providers your users can select when connecting to this
* application. Defaults to all IdPs configured in your account.
*/
allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>;
/**
* Audience tag.
*/
aud?: string;
/**
* When set to `true`, users skip the identity provider selection step during
* login. You must specify only one identity provider in allowed_idps.
*/
auto_redirect_to_identity?: boolean;
created_at?: string;
/**
* The domain and path that Access will secure.
*/
domain?: string;
/**
* The name of the application.
*/
name?: string;
/**
* Configuration for provisioning to this application via SCIM. This is currently
* in closed beta.
*/
scim_config?: ApplicationsAPI.ApplicationSCIMConfig;
/**
* The amount of time that tokens issued for this application will be valid. Must
* be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
* s, m, h.
*/
session_duration?: string;
updated_at?: string;
}
export interface DeviceEnrollmentPermissionsApplication {
/**
* The application type.
*/
type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso';
/**
* UUID.
*/
id?: string;
/**
* The identity providers your users can select when connecting to this
* application. Defaults to all IdPs configured in your account.
*/
allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>;
/**
* Audience tag.
*/
aud?: string;
/**
* When set to `true`, users skip the identity provider selection step during
* login. You must specify only one identity provider in allowed_idps.
*/
auto_redirect_to_identity?: boolean;
created_at?: string;
/**
* The domain and path that Access will secure.
*/
domain?: string;
/**
* The name of the application.
*/
name?: string;
/**
* Configuration for provisioning to this application via SCIM. This is currently
* in closed beta.
*/
scim_config?: ApplicationsAPI.ApplicationSCIMConfig;
/**
* The amount of time that tokens issued for this application will be valid. Must
* be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
* s, m, h.
*/
session_duration?: string;
updated_at?: string;
}
export interface BrowserIsolationPermissionsApplication {
/**
* The application type.
*/
type: 'self_hosted' | 'saas' | 'ssh' | 'vnc' | 'app_launcher' | 'warp' | 'biso' | 'bookmark' | 'dash_sso';
/**
* UUID.
*/
id?: string;
/**
* The identity providers your users can select when connecting to this
* application. Defaults to all IdPs configured in your account.
*/
allowed_idps?: Array<ApplicationsAPI.AllowedIdPs>;
/**
* Audience tag.
*/
aud?: string;
/**
* When set to `true`, users skip the identity provider selection step during
* login. You must specify only one identity provider in allowed_idps.
*/
auto_redirect_to_identity?: boolean;
created_at?: string;
/**
* The domain and path that Access will secure.
*/
domain?: string;
/**
* The name of the application.
*/
name?: string;
/**
* Configuration for provisioning to this application via SCIM. This is currently
* in closed beta.
*/
scim_config?: ApplicationsAPI.ApplicationSCIMConfig;
/**
* The amount of time that tokens issued for this application will be valid. Must
* be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
* s, m, h.
*/
session_duration?: string;
updated_at?: string;
}
export interface BookmarkApplication {
/**
* The URL or domain of the bookmark.
*/
domain: string;
/**
* The application type.
*/
type: string;
/**
* UUID.
*/
id?: string;
app_launcher_visible?: unknown;
/**
* Audience tag.
*/
aud?: string;
created_at?: string;
/**
* The image URL for the logo shown in the App Launcher dashboard.
*/
logo_url?: string;
/**
* The name of the application.
*/
name?: string;
/**
* Configuration for provisioning to this application via SCIM. This is currently
* in closed beta.
*/
scim_config?: ApplicationsAPI.ApplicationSCIMConfig;
updated_at?: string;
}
}
/**
* An Access policy attached to an application. Going by the rule descriptions
* below, a user matches when they meet at least one `include` rule, every
* `require` rule and none of the `exclude` rules; `decision` is the action
* Access then takes. Every field is optional in this shape.
*/
export interface ApplicationPolicy {
/**
* The UUID of the policy
*/
id?: string;
/**
* Administrators who can approve a temporary authentication request.
*/
approval_groups?: Array<PoliciesAPI.ApprovalGroup>;
/**
* Requires the user to request access from an administrator at the start of each
* session.
*/
approval_required?: boolean;
/**
* Creation timestamp as returned by the API (string; format not specified here).
*/
created_at?: string;
/**
* The action Access will take if a user matches this policy. Infrastructure
* application policies can only use the Allow action.
*
* The `Decision` type also lists `deny`, `non_identity` and `bypass`; what each
* one permits is not described in this file, so review policies that use
* `non_identity` or `bypass` against the Access documentation.
*/
decision?: Decision;
/**
* Rules evaluated with a NOT logical operator. To match the policy, a user cannot
* meet any of the Exclude rules.
*/
exclude?: Array<ApplicationsPoliciesAPI.AccessRule>;
/**
* Rules evaluated with an OR logical operator. A user needs to meet only one of
* the Include rules, so each added rule widens who can match.
*/
include?: Array<ApplicationsPoliciesAPI.AccessRule>;
/**
* Require this application to be served in an isolated browser for users matching
* this policy. 'Client Web Isolation' must be on for the account in order to use
* this feature.
*/
isolation_required?: boolean;
/**
* The name of the Access policy.
*/
name?: string;
/**
* A custom message that will appear on the purpose justification screen.
*/
purpose_justification_prompt?: string;
/**
* Require users to enter a justification when they log in to the application.
*/
purpose_justification_required?: boolean;
/**
* Rules evaluated with an AND logical operator. To match the policy, a user must
* meet all of the Require rules.
*/
require?: Array<ApplicationsPoliciesAPI.AccessRule>;
/**
* The amount of time that tokens issued for the application will be valid. Must be
* in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
* m, h. An issued token stays usable for this whole period.
*/
session_duration?: string;
/**
* Last-modification timestamp as returned by the API (string; format not
* specified here).
*/
updated_at?: string;
}
/**
* Configuration for provisioning to this application via SCIM. This is currently
* in closed beta.
*/
export interface ApplicationSCIMConfig {
/**
* The UID of the IdP to use as the source for SCIM resources to provision to this
* application.
*/
idp_uid: string;
/**
* The base URI for the application's SCIM-compatible API. Provisioning requests
* carrying the `authentication` credentials are presumably sent here, so it
* should be an endpoint the application owner controls — confirm.
*/
remote_uri: string;
/**
* Authentication used for SCIM provisioning to the application: one of the
* HTTP Basic, OAuth Bearer Token, OAuth 2 or Access Service Token schemes, or
* an array of those schemes.
*
* These objects carry credentials (for example `token` and `client_secret` on
* the schemes nested under `ApplicationSCIMConfig`); keep them out of logs and
* source control.
*/
authentication?:
| SCIMConfigAuthenticationHTTPBasic
| ApplicationSCIMConfig.AccessSchemasSCIMConfigAuthenticationOAuthBearerToken
| SCIMConfigAuthenticationOauth2
| ApplicationSCIMConfig.AccessSCIMConfigAuthenticationAccessServiceToken
| Array<
| SCIMConfigAuthenticationHTTPBasic
| ApplicationSCIMConfig.AccessSchemasSCIMConfigAuthenticationOAuthBearerToken
| SCIMConfigAuthenticationOauth2
| ApplicationSCIMConfig.AccessSCIMConfigAuthenticationAccessServiceToken
>;
/**
* If false, we propagate DELETE requests to the target application for SCIM
* resources. If true, we only set `active` to false on the SCIM resource. This is
* useful because some targets do not support DELETE operations. With `true`,
* deprovisioned resources therefore remain in the target as inactive records
* rather than being removed.
*/
deactivate_on_delete?: boolean;
/**
* Whether SCIM provisioning is turned on for this application.
*/
enabled?: boolean;
/**
* A list of mappings to apply to SCIM resources before provisioning them in this
* application. These can transform or filter the resources to be provisioned.
*/
mappings?: Array<SCIMConfigMapping>;
}
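/**
 * Authentication scheme shapes referenced by the `authentication` field of
 * `ApplicationSCIMConfig`. Each scheme is declared exactly once; the `scheme`
 * literal is the discriminator that tells the variants apart.
 */
export namespace ApplicationSCIMConfig {
  /**
   * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
   * provisioning to an application.
   */
  export interface AccessSchemasSCIMConfigAuthenticationOAuthBearerToken {
    /**
     * Token used to authenticate with the remote SCIM service. This is a bearer
     * credential: load it from a secret store and keep it out of logs and
     * source control.
     */
    token: string;

    /**
     * The authentication scheme to use when making SCIM requests to this application.
     */
    scheme: 'oauthbearertoken';
  }

  /**
   * Attributes for configuring Access Service Token authentication scheme for SCIM
   * provisioning to an application.
   */
  export interface AccessSCIMConfigAuthenticationAccessServiceToken {
    /**
     * Client ID of the Access service token used to authenticate with the remote
     * service.
     */
    client_id: string;

    /**
     * Client secret of the Access service token used to authenticate with the remote
     * service. Treat it as a credential: load it from a secret store and keep it
     * out of logs and source control.
     */
    client_secret: string;

    /**
     * The authentication scheme to use when making SCIM requests to this application.
     */
    scheme: 'access_service_token';
  }
}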
/**
* The application type.
*
* Closed union of the type strings this alias accepts. Some application
* interfaces in this file declare `type` differently: as a narrower inline
* union without `infrastructure` and `rdp`, or as a plain `string`.
*/
export type ApplicationType =
| 'self_hosted'
| 'saas'
| 'ssh'
| 'vnc'
| 'app_launcher'
| 'warp'
| 'biso'
| 'bookmark'
| 'dash_sso'
| 'infrastructure'
| 'rdp';
/**
* The application type.
*
* Lists the same members as `ApplicationType`; the `Param` suffix presumably
* marks the request-side counterpart — confirm against the generator's
* conventions.
*/
export type ApplicationTypeParam =
| 'self_hosted'
| 'saas'
| 'ssh'
| 'vnc'
| 'app_launcher'
| 'warp'
| 'biso'
| 'bookmark'
| 'dash_sso'
| 'infrastructure'
| 'rdp';
/**
* Cross-origin resource sharing (CORS) settings: which origins, methods and
* headers are allowed, whether credentials are included, and how long a
* preflight result may be cached. Every field is optional.
*/
export interface CORSHeaders {
/**
* Allows all HTTP request headers.
*/
allow_all_headers?: boolean;
/**
* Allows all HTTP request methods.
*/
allow_all_methods?: boolean;
/**
* Allows all origins.
*
* NOTE(review): together with `allow_credentials` this would permit
* credentialed cross-origin requests from any site if the service echoes the
* request origin — confirm how the combination is handled, and prefer an
* explicit `allowed_origins` list.
*/
allow_all_origins?: boolean;
/**
* When set to `true`, includes credentials (cookies, authorization headers, or TLS
* client certificates) with requests. Best paired with a specific
* `allowed_origins` list rather than `allow_all_origins`.
*/
allow_credentials?: boolean;
/**
* Allowed HTTP request headers.
*/
allowed_headers?: Array<AllowedHeaders>;
/**
* Allowed HTTP request methods.
*/
allowed_methods?: Array<AllowedMethods>;
/**
* Allowed origins.
*/
allowed_origins?: Array<AllowedOrigins>;
/**
* The maximum number of seconds the results of a preflight request can be cached.
*/
max_age?: number;
}
/**
* Cross-origin resource sharing (CORS) settings with the same fields as
* `CORSHeaders`, built from the `*Param` element types; presumably the
* request-side counterpart — confirm against the generator's conventions.
*/
export interface CORSHeadersParam {
/**
* Allows all HTTP request headers.
*/
allow_all_headers?: boolean;
/**
* Allows all HTTP request methods.
*/
allow_all_methods?: boolean;
/**
* Allows all origins.
*
* NOTE(review): together with `allow_credentials` this would permit
* credentialed cross-origin requests from any site if the service echoes the
* request origin — confirm how the combination is handled, and prefer an
* explicit `allowed_origins` list.
*/
allow_all_origins?: boolean;
/**
* When set to `true`, includes credentials (cookies, authorization headers, or TLS
* client certificates) with requests. Best paired with a specific
* `allowed_origins` list rather than `allow_all_origins`.
*/
allow_credentials?: boolean;
/**
* Allowed HTTP request headers.
*/
allowed_headers?: Array<AllowedHeadersParam>;
/**
* Allowed HTTP request methods.
*/
allowed_methods?: Array<AllowedMethodsParam>;
/**
* Allowed origins.
*/
allowed_origins?: Array<AllowedOriginsParam>;
/**
* The maximum number of seconds the results of a preflight request can be cached.
*/
max_age?: number;
}
/**
* The action Access will take if a user matches this policy. Infrastructure
* application policies can only use the Allow action.
*
* The effect of each value is not described in this file. `bypass` and
* `non_identity` presumably do not require an identity-provider login, so
* policies that use them deserve review — confirm against the Access
* documentation.
*/
export type Decision = 'allow' | 'deny' | 'non_identity' | 'bypass';
/**
* The action Access will take if a user matches this policy. Infrastructure
* application policies can only use the Allow action.
*
* Lists the same members as `Decision`. The effect of each value is not
* described in this file. `bypass` and `non_identity` presumably do not require
* an identity-provider login, so policies that use them deserve review —
* confirm against the Access documentation.
*/
export type DecisionParam = 'allow' | 'deny' | 'non_identity' | 'bypass';
/**
* OIDC settings for a SaaS application: client credentials, supported grant
* types, redirect URIs, token lifetimes, scopes and custom claims. Every field
* is optional in this shape.
*/
export interface OIDCSaaSApp {
/**
* The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must
* be greater than or equal to 1m and less than or equal to 24h.
*/
access_token_lifetime?: string;
/**
* If client secret should be required on the token endpoint when
* authorization_code_with_pkce grant is used.
*
* NOTE(review): the field name reads in the opposite sense (`true` allowing the
* PKCE grant without a client secret) — confirm which value enforces the secret
* before relying on it.
*/
allow_pkce_without_client_secret?: boolean;
/**
* The URL where this application's tile redirects users.
*/
app_launcher_url?: string;
/**
* Identifier of the authentication protocol used for the saas app. Required for
* OIDC.
*/
auth_type?: 'saml' | 'oidc';
/**
* The application client id
*/
client_id?: string;
/**
* The application client secret, only returned on POST request. Because it is
* not returned again, capture it from the creation response into a secret
* store; treat it as a credential and keep it out of logs.
*/
client_secret?: string;
/**
* Custom claims used when building OIDC tokens; see `OIDCSaaSApp.CustomClaim`.
*/
custom_claims?: Array<OIDCSaaSApp.CustomClaim>;
/**
* The OIDC flows supported by this application. For `hybrid` and `implicit`,
* `hybrid_and_implicit_options` decides whether tokens are returned from the
* authorization endpoint; enable only the flows the application actually uses.
*/
grant_types?: Array<
'authorization_code' | 'authorization_code_with_pkce' | 'refresh_tokens' | 'hybrid' | 'implicit'
>;
/**
* A regex to filter Cloudflare groups returned in ID token and userinfo endpoint.
* Whether the pattern must match the whole group name is not stated here —
* confirm before using it to limit which group memberships are disclosed.
*/
group_filter_regex?: string;
/**
* Options for the `hybrid` and `implicit` grant types; see
* `OIDCSaaSApp.HybridAndImplicitOptions`.
*/
hybrid_and_implicit_options?: OIDCSaaSApp.HybridAndImplicitOptions;
/**
* The Access public certificate that will be used to verify your identity.
*/
public_key?: string;
/**
* The permitted URLs for Cloudflare to return authorization codes and Access/ID
* tokens. Codes and tokens are delivered to these URLs, so list only endpoints
* the application controls.
*/
redirect_uris?: Array<string>;
/**
* Refresh token settings; see `OIDCSaaSApp.RefreshTokenOptions`.
*/
refresh_token_options?: OIDCSaaSApp.RefreshTokenOptions;
/**
* Defines the user information shared with Access. The "offline_access" scope is
* automatically enabled if refresh tokens are enabled.
*/
scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>;
}
/**
* Nested shapes referenced by the `custom_claims`, `hybrid_and_implicit_options`
* and `refresh_token_options` fields of `OIDCSaaSApp`.
*/
export namespace OIDCSaaSApp {
/**
* One custom claim used when building an OIDC token.
*/
export interface CustomClaim {
/**
* The name of the claim.
*/
name?: string;
/**
* If the claim is required when building an OIDC token.
*/
required?: boolean;
/**
* The scope of the claim.
*/
scope?: 'groups' | 'profile' | 'email' | 'openid';
/**
* Which IdP claim supplies the value; see `CustomClaim.Source`.
*/
source?: CustomClaim.Source;
}
export namespace CustomClaim {
/**
* Identifies the IdP claim behind a custom claim, either by a single name or
* by a per-IdP mapping. How the two fields interact when both are set is not
* stated here.
*/
export interface Source {
/**
* The name of the IdP claim.
*/
name?: string;
/**
* A mapping from IdP ID to claim name.
*/
name_by_idp?: { [key: string]: string };
}
}
/**
* Controls which tokens the OIDC authorization endpoint returns for the
* `hybrid` and `implicit` grant types. Tokens returned from the authorization
* endpoint are delivered through the redirect rather than the token endpoint,
* so turn on only what the application needs.
*/
export interface HybridAndImplicitOptions {
/**
* If an Access Token should be returned from the OIDC Authorization endpoint
*/
return_access_token_from_authorization_endpoint?: boolean;
/**
* If an ID Token should be returned from the OIDC Authorization endpoint
*/
return_id_token_from_authorization_endpoint?: boolean;
}
/**
* Settings for refresh tokens issued to the application.
*/
export interface RefreshTokenOptions {
/**
* How long a refresh token will be valid for after creation. Valid units are
* m,h,d. Must be longer than 1m. A refresh token stays usable for this whole
* period, so keep it as short as the application tolerates.
*/
lifetime?: string;
}
}
export interface OIDCSaaSAppParam {
/**
* The lifetime of the OIDC Access Token after creation. Valid units are m,h. Must
* be greater than or equal to 1m and less than or equal to 24h.
*/
access_token_lifetime?: string;
/**
* If client secret should be required on the token endpoint when
* authorization_code_with_pkce grant is used.
*/
allow_pkce_without_client_secret?: boolean;
/**
* The URL where this applications tile redirects users
*/
app_launcher_url?: string;
/**
* Identifier of the authentication protocol used for the saas app. Required for
* OIDC.
*/
auth_type?: 'saml' | 'oidc';
/**
* The application client id
*/
client_id?: string;
/**
* The application client secret, only returned on POST request.
*/
client_secret?: string;
custom_claims?: Array<OIDCSaaSAppParam.CustomClaim>;
/**
* The OIDC flows supported by this application
*/
grant_types?: Array<
'authorization_code' | 'authorization_code_with_pkce' | 'refresh_tokens' | 'hybrid' | 'implicit'
>;
/**
* A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
*/
group_filter_regex?: string;
hybrid_and_implicit_options?: OIDCSaaSAppParam.HybridAndImplicitOptions;
/**
* The Access public certificate that will be used to verify your identity.
*/
public_key?: string;
/**
* The permitted URL's for Cloudflare to return Authorization codes an