Cloudflare/access
@swamp/cloudflare/accessv2026.05.22.1
01README
Cloudflare access infrastructure models
02Release Notes
- Added: portals
- Added: servers
- Added: apps
- Added: certificates
- Added: custom_pages
- Added: groups
- Added: identity_providers
- Added: policies
- Added: policy-tests
- Added: service_tokens
- Added: tags
- Added: users
03Models
apps.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id? | string | Cloudflare account ID (provide account_id or zone_id) |
| zone_id? | string | Cloudflare zone ID (provide account_id or zone_id) |
| allow_authenticate_via_warp? | boolean | When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. |
| allow_iframe? | boolean | Enables loading application content in an iFrame. |
| allowed_idps? | array | The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. |
| app_launcher_visible? | boolean | Displays the application in the App Launcher. |
| auto_redirect_to_identity? | boolean | When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. |
| cors_headers? | object | |
| custom_deny_message? | string | The custom error message shown to a user when they are denied access to the application. |
| custom_deny_url? | string | The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. |
| custom_non_identity_deny_url? | string | The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. |
| custom_pages? | array | The custom pages that will be displayed when applicable for this application |
| destinations? | array | List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.\n |
| domain? | string | The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. |
| enable_binding_cookie? | boolean | Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. |
| http_only_cookie_attribute? | boolean | Enables the HttpOnly cookie attribute, which increases security against XSS attacks. |
| logo_url? | string | The image URL for the logo shown in the App Launcher dashboard. |
| mfa_config? | object | Configures multi-factor authentication (MFA) settings. |
| name? | string | The name of the application. |
| oauth_configuration? | object | **Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.\n |
| options_preflight_bypass? | boolean | Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. |
| path_cookie_attribute? | boolean | Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default |
| read_service_tokens_from_header? | string | Allows matching Access Service Tokens passed HTTP in a single header with this name.\nThis works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers.\nThe header value will be interpreted as a json object similar to:\n {\n "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com",\n "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5"\n }\n |
| same_site_cookie_attribute? | string | Sets the SameSite cookie setting, which provides increased security against CSRF attacks. |
| scim_config? | object | Configuration for provisioning to this application via SCIM. This is currently in closed beta. |
| self_hosted_domains? | array | List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.\n |
| service_auth_401_redirect? | boolean | Returns a 401 status code when the request is blocked by a Service Auth policy. |
| session_duration? | string | The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. |
| skip_interstitial? | boolean | Enables automatic authentication through cloudflared. |
| tags? | array | The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. |
| type | string | The application type. |
| use_clientless_isolation_app_launcher_url? | boolean | Determines if users can access this application via a clientless browser isolation URL.\nThis allows users to access private domains without connecting to Gateway. The option requires\nClientless Browser Isolation to be set up with policies that allow users of this application.\n |
| policies? | array | The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. Reusable and inline policies are mutually exclusive. |
| saas_app? | object | |
| app_launcher_logo_url? | string | The image URL of the logo shown in the App Launcher header. |
| bg_color? | string | The background color of the App Launcher page. |
| footer_links? | array | The links in the App Launcher footer. |
| header_bg_color? | string | The background color of the App Launcher header. |
| landing_page_design? | object | The design of the App Launcher landing page shown to users when they log in. |
| skip_app_launcher_login_page? | boolean | Determines when to skip the App Launcher landing page. |
| target_criteria? | array |
fn create()
Create a Apps
fn get(id: string)
Get a Apps
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Apps |
fn update()
Update Apps attributes
fn delete(id: string)
Delete the Apps
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Apps |
fn sync()
Sync Apps state from Cloudflare
certificates.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id? | string | Cloudflare account ID (provide account_id or zone_id) |
| zone_id? | string | Cloudflare zone ID (provide account_id or zone_id) |
| associated_hostnames? | array | The hostnames of the applications that will use this certificate. |
| name | string | The name of the certificate. |
| certificate | string | The certificate content. |
fn create()
Create a Certificates
fn get(id: string)
Get a Certificates
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Certificates |
fn update()
Update Certificates attributes
fn delete(id: string)
Delete the Certificates
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Certificates |
fn sync()
Sync Certificates state from Cloudflare
custom_pages.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id | string | Cloudflare account ID |
| app_count? | number | Number of apps the custom page is assigned to. |
| created_at? | string | |
| custom_html | string | Custom page HTML. |
| name | string | Custom page name. |
| type | enum | Custom page type. |
| uid? | string | UUID. |
| updated_at? | string |
fn create()
Create a Custom Pages
fn get(id: string)
Get a Custom Pages
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Custom Pages |
fn update()
Update Custom Pages attributes
fn delete(id: string)
Delete the Custom Pages
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Custom Pages |
fn sync()
Sync Custom Pages state from Cloudflare
groups.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id? | string | Cloudflare account ID (provide account_id or zone_id) |
| zone_id? | string | Cloudflare zone ID (provide account_id or zone_id) |
| exclude? | array | Rules evaluated with a NOT logical operator. To match a policy, a user cannot meet any of the Exclude rules. |
| include | array | Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. |
| is_default? | boolean | Whether this is the default group |
| name | string | The name of the Access group. |
| require? | array | Rules evaluated with an AND logical operator. To match a policy, a user must meet all of the Require rules. |
fn create()
Create a Groups
fn get(id: string)
Get a Groups
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Groups |
fn update()
Update Groups attributes
fn delete(id: string)
Delete the Groups
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Groups |
fn sync()
Sync Groups state from Cloudflare
identity_providers.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id? | string | Cloudflare account ID (provide account_id or zone_id) |
| zone_id? | string | Cloudflare zone ID (provide account_id or zone_id) |
| config? | object | |
| id? | string | UUID. |
| name | string | The name of the identity provider, shown to users on the login page. |
| saml_certificate_set? | object | A SAML encryption certificate set containing current and optionally previous certificates for encryption key rotation. |
| saml_certificate_set_id? | string | The UID of the SAML encryption certificate set assigned to this Identity Provider.\nOnly present for SAML identity providers with encryption configured.\nCreate a certificate set via POST to `/identity_providers/{id}/saml_certificate`.\n |
| scim_config? | object | The configuration settings for enabling a System for Cross-Domain Identity Management (SCIM) with the identity provider. |
| type | enum | The type of identity provider. To determine the value for a specific provider, refer to our [developer documentation](https://developers.cloudflare.com/cloudflare-one/identity/idp-integration/). |
fn create()
Create a Identity Providers
fn get(id: string)
Get a Identity Providers
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Identity Providers |
fn update()
Update Identity Providers attributes
fn delete(id: string)
Delete the Identity Providers
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Identity Providers |
fn sync()
Sync Identity Providers state from Cloudflare
policies.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id | string | Cloudflare account ID |
| decision | enum | The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. |
| exclude? | array | Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. |
| include | array | Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. |
| name | string | The name of the Access policy. |
| require? | array | Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. |
fn create()
Create a Policies
fn get(id: string)
Get a Policies
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Policies |
fn update()
Update Policies attributes
fn delete(id: string)
Delete the Policies
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Policies |
fn sync()
Sync Policies state from Cloudflare
policy-tests.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id | string | Cloudflare account ID |
| name | string | Instance name for this resource (used as the unique identifier in the factory pattern) |
| policies? | array |
fn create()
Create a Policy-tests
fn get(id: string)
Get a Policy-tests
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Policy-tests |
fn sync()
Sync Policy-tests state from Cloudflare
portals.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id | string | Cloudflare account ID |
| allow_code_mode? | boolean | Allow remote code execution in Dynamic Workers (beta) |
| description? | string | |
| hostname | string | |
| name | string | |
| secure_web_gateway? | boolean | Route outbound MCP traffic through Zero Trust Secure Web Gateway |
| servers? | array | |
| id | string | portal id |
fn create()
Create a Portals
fn get(id: string)
Get a Portals
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Portals |
fn update()
Update Portals attributes
fn delete(id: string)
Delete the Portals
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Portals |
fn sync()
Sync Portals state from Cloudflare
servers.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id | string | Cloudflare account ID |
| auth_credentials? | string | |
| description? | string | |
| is_shared_oauth_callback_enabled? | boolean | When true, the gateway worker uses the shared Cloudflare-owned OAuth callback endpoint as the redirect_uri for upstream on-behalf OAuth, instead of the customer portal hostname. New servers default to true; existing servers default to false. Effective behavior is gated by the gateway worker's per-env rollout mode KV key. |
| name | string | |
| updated_prompts? | array | |
| updated_tools? | array | |
| auth_type | enum | |
| hostname | string | |
| id | string | server id |
fn create()
Create a Servers
fn get(id: string)
Get a Servers
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Servers |
fn update()
Update Servers attributes
fn delete(id: string)
Delete the Servers
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Servers |
fn sync()
Sync Servers state from Cloudflare
service_tokens.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id? | string | Cloudflare account ID (provide account_id or zone_id) |
| zone_id? | string | Cloudflare zone ID (provide account_id or zone_id) |
| client_secret_version? | number | A version number identifying the current `client_secret` associated with the service token. Incrementing it triggers a rotation; the previous secret will still be accepted until the time indicated by `previous_client_secret_expires_at`. |
| duration? | string | The duration for how long the service token will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. The default is 1 year in hours (8760h). |
| name | string | The name of the service token. |
| previous_client_secret_expires_at? | string | The expiration of the previous `client_secret`. This can be modified at any point after a rotation. For example, you may extend it further into the future if you need more time to update services with the new secret; or move it into the past to immediately invalidate the previous token in case of compromise. |
fn create()
Create a Service Tokens
fn get(id: string)
Get a Service Tokens
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Service Tokens |
fn update()
Update Service Tokens attributes
fn delete(id: string)
Delete the Service Tokens
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Service Tokens |
fn sync()
Sync Service Tokens state from Cloudflare
tags.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id | string | Cloudflare account ID |
| created_at? | string | |
| name? | string | The name of the tag |
| updated_at? | string |
fn create()
Create a Tags
fn get(id: string)
Get a Tags
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Tags |
fn update()
Update Tags attributes
fn delete(id: string)
Delete the Tags
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Tags |
fn sync()
Sync Tags state from Cloudflare
users.tsv2026.05.22.1
Global Arguments
| Argument | Type | Description |
|---|---|---|
| account_id | string | Cloudflare account ID |
| string | The email of the user. | |
| name? | string | The name of the user. |
fn create()
Create a Users
fn get(id: string)
Get a Users
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Users |
fn update()
Update Users attributes
fn delete(id: string)
Delete the Users
| Argument | Type | Description |
|---|---|---|
| id | string | The ID of the Users |
fn sync()
Sync Users state from Cloudflare
04Stats
A
100 / 100
Downloads
0
Archive size
41.6 KB
Verified by Swamp
- Has README or module doc2/2earned
- README has a code example1/1earned
- README is substantive1/1earned
- Most symbols documented1/1earned
- No slow types1/1earned
- Dependencies pass trust audit2/2earned
- Has description1/1earned
- Platform support declared (or universal)2/2earned
- License declared1/1earned
- Verified public repository2/2earned
05Platforms
06Labels