From 7cc4cec11f2f11fb65027ca1c4aefe8019b7d514 Mon Sep 17 00:00:00 2001
From: "stainless-app[bot]"
<142633134+stainless-app[bot]@users.noreply.github.com>
Date: Thu, 9 May 2024 18:06:30 +0000
Subject: [PATCH 001/473] feat(api): OpenAPI spec update via Stainless API
(#497)
---
.stats.yml | 2 +-
api.md | 27 +-
src/resources/calls.ts | 17 +-
.../cloudforce-one/requests/message.ts | 22 +-
.../cloudforce-one/requests/priority.ts | 22 +-
.../cloudforce-one/requests/requests.ts | 22 +-
.../intel/indicator-feeds/indicator-feeds.ts | 2 +-
src/resources/radar/http/ases/ases.ts | 5 +
src/resources/radar/http/ases/bot-class.ts | 5 +
src/resources/radar/http/ases/device-type.ts | 5 +
src/resources/radar/http/ases/http-method.ts | 5 +
.../radar/http/ases/http-protocol.ts | 5 +
src/resources/radar/http/ases/ip-version.ts | 5 +
src/resources/radar/http/ases/os.ts | 5 +
src/resources/radar/http/ases/tls-version.ts | 5 +
.../radar/http/locations/bot-class.ts | 5 +
.../radar/http/locations/device-type.ts | 5 +
.../radar/http/locations/http-method.ts | 5 +
.../radar/http/locations/http-protocol.ts | 5 +
.../radar/http/locations/ip-version.ts | 5 +
.../radar/http/locations/locations.ts | 5 +
src/resources/radar/http/locations/os.ts | 5 +
.../radar/http/locations/tls-version.ts | 5 +
src/resources/radar/http/top.ts | 10 +
src/resources/rulesets/phases/phases.ts | 327 +
src/resources/rulesets/phases/versions.ts | 114 +
src/resources/rulesets/rules.ts | 620 +-
src/resources/rulesets/rulesets.ts | 540 +
src/resources/rulesets/versions/by-tag.ts | 114 +
src/resources/rulesets/versions/versions.ts | 114 +
src/resources/zero-trust/access/access.ts | 6 +-
.../access/applications/applications.ts | 15061 +++++++++++++++-
.../zero-trust/access/applications/index.ts | 12 +-
.../access/applications/policies.ts | 374 +-
src/resources/zero-trust/access/index.ts | 6 +-
.../indicator-feeds/indicator-feeds.test.ts | 2 +-
.../radar/http/ases/ases.test.ts | 1 +
.../radar/http/ases/bot-class.test.ts | 1 +
.../radar/http/ases/device-type.test.ts | 1 +
.../radar/http/ases/http-method.test.ts | 1 +
.../radar/http/ases/http-protocol.test.ts | 1 +
.../radar/http/ases/ip-version.test.ts | 1 +
.../api-resources/radar/http/ases/os.test.ts | 1 +
.../radar/http/ases/tls-version.test.ts | 1 +
.../radar/http/locations/bot-class.test.ts | 1 +
.../radar/http/locations/device-type.test.ts | 1 +
.../radar/http/locations/http-method.test.ts | 1 +
.../http/locations/http-protocol.test.ts | 1 +
.../radar/http/locations/ip-version.test.ts | 1 +
.../radar/http/locations/locations.test.ts | 1 +
.../radar/http/locations/os.test.ts | 1 +
.../radar/http/locations/tls-version.test.ts | 1 +
tests/api-resources/radar/http/top.test.ts | 2 +
.../access/applications/applications.test.ts | 10 +
54 files changed, 17129 insertions(+), 393 deletions(-)
diff --git a/.stats.yml b/.stats.yml
index b162e09939..9dfc386c5a 100644
--- a/.stats.yml
+++ b/.stats.yml
@@ -1,2 +1,2 @@
configured_endpoints: 1274
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-07ec76fab00de3d6227209faf0af1ed586cde9e2f243c13d3db555da20f13d99.yml
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-88d076c2683d7002e7743172b9488fb67d1a07b61995921f27209e01b224af60.yml
diff --git a/api.md b/api.md
index 6a395e187f..7320b0fdef 100644
--- a/api.md
+++ b/api.md
@@ -4414,16 +4414,20 @@ Types:
- SaaSAppSource
- SAMLSaaSApp
- SelfHostedDomains
+- ApplicationCreateResponse
+- ApplicationUpdateResponse
+- ApplicationListResponse
- ApplicationDeleteResponse
+- ApplicationGetResponse
- ApplicationRevokeTokensResponse
Methods:
-- client.zeroTrust.access.applications.create({ ...params }) -> Application
-- client.zeroTrust.access.applications.update(appId, { ...params }) -> Application
-- client.zeroTrust.access.applications.list({ ...params }) -> ApplicationsSinglePage
+- client.zeroTrust.access.applications.create({ ...params }) -> ApplicationCreateResponse
+- client.zeroTrust.access.applications.update(appId, { ...params }) -> ApplicationUpdateResponse
+- client.zeroTrust.access.applications.list({ ...params }) -> ApplicationListResponsesSinglePage
- client.zeroTrust.access.applications.delete(appId, { ...params }) -> ApplicationDeleteResponse
-- client.zeroTrust.access.applications.get(appId, { ...params }) -> Application
+- client.zeroTrust.access.applications.get(appId, { ...params }) -> ApplicationGetResponse
- client.zeroTrust.access.applications.revokeTokens(appId, { ...params }) -> ApplicationRevokeTokensResponse | null
#### CAs
@@ -4459,15 +4463,19 @@ Types:
- ApprovalGroup
- Policy
+- PolicyCreateResponse
+- PolicyUpdateResponse
+- PolicyListResponse
- PolicyDeleteResponse
+- PolicyGetResponse
Methods:
-- client.zeroTrust.access.applications.policies.create(uuid, { ...params }) -> Policy
-- client.zeroTrust.access.applications.policies.update(uuid1, uuid, { ...params }) -> Policy
-- client.zeroTrust.access.applications.policies.list(uuid, { ...params }) -> PoliciesSinglePage
+- client.zeroTrust.access.applications.policies.create(uuid, { ...params }) -> PolicyCreateResponse
+- client.zeroTrust.access.applications.policies.update(uuid1, uuid, { ...params }) -> PolicyUpdateResponse
+- client.zeroTrust.access.applications.policies.list(uuid, { ...params }) -> PolicyListResponsesSinglePage
- client.zeroTrust.access.applications.policies.delete(uuid1, uuid, { ...params }) -> PolicyDeleteResponse
-- client.zeroTrust.access.applications.policies.get(uuid1, uuid, { ...params }) -> Policy
+- client.zeroTrust.access.applications.policies.get(uuid1, uuid, { ...params }) -> PolicyGetResponse
### Certificates
@@ -6350,12 +6358,13 @@ Types:
- CallsApp
- CallsAppWithSecret
+- CallListResponse
Methods:
- client.calls.create({ ...params }) -> CallsAppWithSecret
- client.calls.update(appId, { ...params }) -> CallsApp
-- client.calls.list({ ...params }) -> CallsAppsSinglePage
+- client.calls.list({ ...params }) -> CallListResponsesSinglePage
- client.calls.delete(appId, { ...params }) -> CallsApp
- client.calls.get(appId, { ...params }) -> CallsApp
diff --git a/src/resources/calls.ts b/src/resources/calls.ts
index 0d638360ad..59ca0fee2f 100644
--- a/src/resources/calls.ts
+++ b/src/resources/calls.ts
@@ -37,9 +37,13 @@ export class Calls extends APIResource {
list(
params: CallListParams,
options?: Core.RequestOptions,
- ): Core.PagePromise {
+ ): Core.PagePromise {
const { account_id } = params;
- return this._client.getAPIList(`/accounts/${account_id}/calls/apps`, CallsAppsSinglePage, options);
+ return this._client.getAPIList(
+ `/accounts/${account_id}/calls/apps`,
+ CallListResponsesSinglePage,
+ options,
+ );
}
/**
@@ -67,7 +71,7 @@ export class Calls extends APIResource {
}
}
-export class CallsAppsSinglePage extends SinglePage {}
+export class CallListResponsesSinglePage extends SinglePage {}
export interface CallsApp {
/**
@@ -108,7 +112,7 @@ export interface CallsAppWithSecret {
name?: string;
/**
- * Bearer token to use the Calls API.
+ * Bearer token
*/
secret?: string;
@@ -118,6 +122,11 @@ export interface CallsAppWithSecret {
uid?: string;
}
+/**
+ * Bearer token
+ */
+export type CallListResponse = string;
+
export interface CallCreateParams {
/**
* Path param: The account identifier tag.
diff --git a/src/resources/cloudforce-one/requests/message.ts b/src/resources/cloudforce-one/requests/message.ts
index 3cacc527cf..22753ec181 100644
--- a/src/resources/cloudforce-one/requests/message.ts
+++ b/src/resources/cloudforce-one/requests/message.ts
@@ -3,7 +3,6 @@
import * as Core from 'cloudflare/core';
import { APIResource } from 'cloudflare/resource';
import * as MessageAPI from 'cloudflare/resources/cloudforce-one/requests/message';
-import * as Shared from 'cloudflare/resources/shared';
export class MessageResource extends APIResource {
/**
@@ -52,10 +51,12 @@ export class MessageResource extends APIResource {
messageIdentifer: number,
options?: Core.RequestOptions,
): Core.APIPromise {
- return this._client.delete(
- `/accounts/${accountIdentifier}/cloudforce-one/requests/${requestIdentifier}/message/${messageIdentifer}`,
- options,
- );
+ return (
+ this._client.delete(
+ `/accounts/${accountIdentifier}/cloudforce-one/requests/${requestIdentifier}/message/${messageIdentifer}`,
+ options,
+ ) as Core.APIPromise<{ result: MessageDeleteResponse }>
+ )._thenUnwrap((obj) => obj.result);
}
/**
@@ -108,16 +109,7 @@ export interface Message {
created?: string;
}
-export interface MessageDeleteResponse {
- errors: Array;
-
- messages: Array;
-
- /**
- * Whether the API call was successful
- */
- success: true;
-}
+export type MessageDeleteResponse = unknown | Array | string;
export type MessageGetResponse = Array;
diff --git a/src/resources/cloudforce-one/requests/priority.ts b/src/resources/cloudforce-one/requests/priority.ts
index 5127074632..9457ae859b 100644
--- a/src/resources/cloudforce-one/requests/priority.ts
+++ b/src/resources/cloudforce-one/requests/priority.ts
@@ -3,7 +3,6 @@
import * as Core from 'cloudflare/core';
import { APIResource } from 'cloudflare/resource';
import * as PriorityAPI from 'cloudflare/resources/cloudforce-one/requests/priority';
-import * as Shared from 'cloudflare/resources/shared';
import * as RequestsAPI from 'cloudflare/resources/cloudforce-one/requests/requests';
export class PriorityResource extends APIResource {
@@ -48,10 +47,12 @@ export class PriorityResource extends APIResource {
priorityIdentifer: string,
options?: Core.RequestOptions,
): Core.APIPromise {
- return this._client.delete(
- `/accounts/${accountIdentifier}/cloudforce-one/requests/priority/${priorityIdentifer}`,
- options,
- );
+ return (
+ this._client.delete(
+ `/accounts/${accountIdentifier}/cloudforce-one/requests/priority/${priorityIdentifer}`,
+ options,
+ ) as Core.APIPromise<{ result: PriorityDeleteResponse }>
+ )._thenUnwrap((obj) => obj.result);
}
/**
@@ -146,16 +147,7 @@ export interface PriorityEdit {
tlp: 'clear' | 'amber' | 'amber-strict' | 'green' | 'red';
}
-export interface PriorityDeleteResponse {
- errors: Array;
-
- messages: Array;
-
- /**
- * Whether the API call was successful
- */
- success: true;
-}
+export type PriorityDeleteResponse = unknown | Array | string;
export interface PriorityCreateParams {
/**
diff --git a/src/resources/cloudforce-one/requests/requests.ts b/src/resources/cloudforce-one/requests/requests.ts
index 0e48eba756..f4a7e06f6f 100644
--- a/src/resources/cloudforce-one/requests/requests.ts
+++ b/src/resources/cloudforce-one/requests/requests.ts
@@ -3,7 +3,6 @@
import * as Core from 'cloudflare/core';
import { APIResource } from 'cloudflare/resource';
import * as RequestsAPI from 'cloudflare/resources/cloudforce-one/requests/requests';
-import * as Shared from 'cloudflare/resources/shared';
import * as MessageAPI from 'cloudflare/resources/cloudforce-one/requests/message';
import * as PriorityAPI from 'cloudflare/resources/cloudforce-one/requests/priority';
import { V4PagePaginationArray, type V4PagePaginationArrayParams } from 'cloudflare/pagination';
@@ -72,10 +71,12 @@ export class Requests extends APIResource {
requestIdentifier: string,
options?: Core.RequestOptions,
): Core.APIPromise {
- return this._client.delete(
- `/accounts/${accountIdentifier}/cloudforce-one/requests/${requestIdentifier}`,
- options,
- );
+ return (
+ this._client.delete(
+ `/accounts/${accountIdentifier}/cloudforce-one/requests/${requestIdentifier}`,
+ options,
+ ) as Core.APIPromise<{ result: RequestDeleteResponse }>
+ )._thenUnwrap((obj) => obj.result);
}
/**
@@ -279,16 +280,7 @@ export interface RequestConstants {
export type RequestTypes = Array;
-export interface RequestDeleteResponse {
- errors: Array;
-
- messages: Array;
-
- /**
- * Whether the API call was successful
- */
- success: true;
-}
+export type RequestDeleteResponse = unknown | Array | string;
export interface RequestCreateParams {
/**
diff --git a/src/resources/intel/indicator-feeds/indicator-feeds.ts b/src/resources/intel/indicator-feeds/indicator-feeds.ts
index 1e5b4cc846..11143246dd 100644
--- a/src/resources/intel/indicator-feeds/indicator-feeds.ts
+++ b/src/resources/intel/indicator-feeds/indicator-feeds.ts
@@ -265,7 +265,7 @@ export interface IndicatorFeedUpdateParams {
/**
* Body param: The new description of the feed
*/
- feed_description?: string;
+ description?: string;
/**
* Body param: The new is_attributable value of the feed
diff --git a/src/resources/radar/http/ases/ases.ts b/src/resources/radar/http/ases/ases.ts
index a651ae97f1..61495dc822 100644
--- a/src/resources/radar/http/ases/ases.ts
+++ b/src/resources/radar/http/ases/ases.ts
@@ -118,6 +118,11 @@ export interface AseGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/ases/bot-class.ts b/src/resources/radar/http/ases/bot-class.ts
index 487d3e5e2d..ed1a437db6 100644
--- a/src/resources/radar/http/ases/bot-class.ts
+++ b/src/resources/radar/http/ases/bot-class.ts
@@ -108,6 +108,11 @@ export interface BotClassGetParams {
*/
asn?: Array;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/ases/device-type.ts b/src/resources/radar/http/ases/device-type.ts
index 4292ac1cdf..e80f6afdb2 100644
--- a/src/resources/radar/http/ases/device-type.ts
+++ b/src/resources/radar/http/ases/device-type.ts
@@ -112,6 +112,11 @@ export interface DeviceTypeGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/ases/http-method.ts b/src/resources/radar/http/ases/http-method.ts
index 3c3932c479..8602551214 100644
--- a/src/resources/radar/http/ases/http-method.ts
+++ b/src/resources/radar/http/ases/http-method.ts
@@ -112,6 +112,11 @@ export interface HTTPMethodGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/ases/http-protocol.ts b/src/resources/radar/http/ases/http-protocol.ts
index 0d05c6a4a1..016b18a786 100644
--- a/src/resources/radar/http/ases/http-protocol.ts
+++ b/src/resources/radar/http/ases/http-protocol.ts
@@ -112,6 +112,11 @@ export interface HTTPProtocolGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/ases/ip-version.ts b/src/resources/radar/http/ases/ip-version.ts
index 8b9bd28012..4f7f77103e 100644
--- a/src/resources/radar/http/ases/ip-version.ts
+++ b/src/resources/radar/http/ases/ip-version.ts
@@ -109,6 +109,11 @@ export interface IPVersionGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/ases/os.ts b/src/resources/radar/http/ases/os.ts
index 1712687567..1e6868aa91 100644
--- a/src/resources/radar/http/ases/os.ts
+++ b/src/resources/radar/http/ases/os.ts
@@ -111,6 +111,11 @@ export interface OSGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/ases/tls-version.ts b/src/resources/radar/http/ases/tls-version.ts
index 7b880c8dbb..666ca7695e 100644
--- a/src/resources/radar/http/ases/tls-version.ts
+++ b/src/resources/radar/http/ases/tls-version.ts
@@ -112,6 +112,11 @@ export interface TLSVersionGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/locations/bot-class.ts b/src/resources/radar/http/locations/bot-class.ts
index b3577bf61e..665da71cb5 100644
--- a/src/resources/radar/http/locations/bot-class.ts
+++ b/src/resources/radar/http/locations/bot-class.ts
@@ -108,6 +108,11 @@ export interface BotClassGetParams {
*/
asn?: Array;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/locations/device-type.ts b/src/resources/radar/http/locations/device-type.ts
index 9ff67beef2..0841b18a25 100644
--- a/src/resources/radar/http/locations/device-type.ts
+++ b/src/resources/radar/http/locations/device-type.ts
@@ -112,6 +112,11 @@ export interface DeviceTypeGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/locations/http-method.ts b/src/resources/radar/http/locations/http-method.ts
index e919bf62a6..336c77445d 100644
--- a/src/resources/radar/http/locations/http-method.ts
+++ b/src/resources/radar/http/locations/http-method.ts
@@ -112,6 +112,11 @@ export interface HTTPMethodGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/locations/http-protocol.ts b/src/resources/radar/http/locations/http-protocol.ts
index fdde531f18..c77346866e 100644
--- a/src/resources/radar/http/locations/http-protocol.ts
+++ b/src/resources/radar/http/locations/http-protocol.ts
@@ -112,6 +112,11 @@ export interface HTTPProtocolGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/locations/ip-version.ts b/src/resources/radar/http/locations/ip-version.ts
index f2f70180b9..b8e2977904 100644
--- a/src/resources/radar/http/locations/ip-version.ts
+++ b/src/resources/radar/http/locations/ip-version.ts
@@ -109,6 +109,11 @@ export interface IPVersionGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/locations/locations.ts b/src/resources/radar/http/locations/locations.ts
index 36d4d2e417..631f096fc9 100644
--- a/src/resources/radar/http/locations/locations.ts
+++ b/src/resources/radar/http/locations/locations.ts
@@ -118,6 +118,11 @@ export interface LocationGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/locations/os.ts b/src/resources/radar/http/locations/os.ts
index a3e8e4e1c3..a80630c5c4 100644
--- a/src/resources/radar/http/locations/os.ts
+++ b/src/resources/radar/http/locations/os.ts
@@ -111,6 +111,11 @@ export interface OSGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/locations/tls-version.ts b/src/resources/radar/http/locations/tls-version.ts
index 1cf5a326f8..0c8c39e450 100644
--- a/src/resources/radar/http/locations/tls-version.ts
+++ b/src/resources/radar/http/locations/tls-version.ts
@@ -112,6 +112,11 @@ export interface TLSVersionGetParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/radar/http/top.ts b/src/resources/radar/http/top.ts
index 5d427403fe..15c91c12ee 100644
--- a/src/resources/radar/http/top.ts
+++ b/src/resources/radar/http/top.ts
@@ -178,6 +178,11 @@ export interface TopBrowserFamiliesParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
@@ -285,6 +290,11 @@ export interface TopBrowsersParams {
*/
botClass?: Array<'LIKELY_AUTOMATED' | 'LIKELY_HUMAN'>;
+ /**
+ * Filter for browser family.
+ */
+ browserFamily?: Array<'CHROME' | 'EDGE' | 'FIREFOX' | 'SAFARI'>;
+
/**
* Array of comma separated list of continents (alpha-2 continent codes). Start
* with `-` to exclude from results. For example, `-EU,NA` excludes results from
diff --git a/src/resources/rulesets/phases/phases.ts b/src/resources/rulesets/phases/phases.ts
index b581ee6b85..349bb66989 100644
--- a/src/resources/rulesets/phases/phases.ts
+++ b/src/resources/rulesets/phases/phases.ts
@@ -137,6 +137,7 @@ export interface PhaseUpdateResponse {
| RulesAPI.SetConfigRule
| RulesAPI.SkipRule
| RulesAPI.SetCacheSettingsRule
+ | PhaseUpdateResponse.RulesetsLogCustomFieldRule
>;
/**
@@ -150,6 +151,119 @@ export interface PhaseUpdateResponse {
description?: string;
}
+export namespace PhaseUpdateResponse {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The timestamp of when the rule was last modified.
+ */
+ last_updated: string;
+
+ /**
+ * The version of the rule.
+ */
+ version: string;
+
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * The categories of the rule.
+ */
+ categories?: Array;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.Logging;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
/**
* A ruleset object.
*/
@@ -198,6 +312,7 @@ export interface PhaseGetResponse {
| RulesAPI.SetConfigRule
| RulesAPI.SkipRule
| RulesAPI.SetCacheSettingsRule
+ | PhaseGetResponse.RulesetsLogCustomFieldRule
>;
/**
@@ -211,6 +326,119 @@ export interface PhaseGetResponse {
description?: string;
}
+export namespace PhaseGetResponse {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The timestamp of when the rule was last modified.
+ */
+ last_updated: string;
+
+ /**
+ * The version of the rule.
+ */
+ version: string;
+
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * The categories of the rule.
+ */
+ categories?: Array;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.Logging;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
export interface PhaseUpdateParams {
/**
* Body param: The list of rules in the ruleset.
@@ -231,6 +459,7 @@ export interface PhaseUpdateParams {
| RulesAPI.SetConfigRuleParam
| RulesAPI.SkipRuleParam
| RulesAPI.SetCacheSettingsRuleParam
+ | PhaseUpdateParams.RulesetsLogCustomFieldRule
>;
/**
@@ -266,6 +495,104 @@ export interface PhaseUpdateParams {
phase?: RulesetsAPI.PhaseParam;
}
+export namespace PhaseUpdateParams {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.LoggingParam;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
export interface PhaseGetParams {
/**
* The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
diff --git a/src/resources/rulesets/phases/versions.ts b/src/resources/rulesets/phases/versions.ts
index 01c180bd21..1a4cb47b84 100644
--- a/src/resources/rulesets/phases/versions.ts
+++ b/src/resources/rulesets/phases/versions.ts
@@ -151,6 +151,7 @@ export interface VersionGetResponse {
| RulesAPI.SetConfigRule
| RulesAPI.SkipRule
| RulesAPI.SetCacheSettingsRule
+ | VersionGetResponse.RulesetsLogCustomFieldRule
>;
/**
@@ -164,6 +165,119 @@ export interface VersionGetResponse {
description?: string;
}
+export namespace VersionGetResponse {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The timestamp of when the rule was last modified.
+ */
+ last_updated: string;
+
+ /**
+ * The version of the rule.
+ */
+ version: string;
+
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * The categories of the rule.
+ */
+ categories?: Array;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.Logging;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
export interface VersionListParams {
/**
* The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
diff --git a/src/resources/rulesets/rules.ts b/src/resources/rulesets/rules.ts
index 1aaab09a72..baa68886f9 100644
--- a/src/resources/rulesets/rules.ts
+++ b/src/resources/rulesets/rules.ts
@@ -3171,18 +3171,28 @@ export namespace SetConfigRule {
/**
* Turn off all active Cloudflare Apps.
*/
- disable_apps?: boolean;
+ disable_apps?: true;
+
+ /**
+ * Turn off Real User Monitoring (RUM).
+ */
+ disable_rum?: true;
/**
* Turn off Zaraz.
*/
- disable_zaraz?: boolean;
+ disable_zaraz?: true;
/**
* Turn on or off Email Obfuscation.
*/
email_obfuscation?: boolean;
+ /**
+ * Turn on or off Cloudflare Fonts.
+ */
+ fonts?: boolean;
+
/**
* Turn on or off the Hotlink Protection.
*/
@@ -3317,18 +3327,28 @@ export namespace SetConfigRuleParam {
/**
* Turn off all active Cloudflare Apps.
*/
- disable_apps?: boolean;
+ disable_apps?: true;
+
+ /**
+ * Turn off Real User Monitoring (RUM).
+ */
+ disable_rum?: true;
/**
* Turn off Zaraz.
*/
- disable_zaraz?: boolean;
+ disable_zaraz?: true;
/**
* Turn on or off Email Obfuscation.
*/
email_obfuscation?: boolean;
+ /**
+ * Turn on or off Cloudflare Fonts.
+ */
+ fonts?: boolean;
+
/**
* Turn on or off the Hotlink Protection.
*/
@@ -3617,6 +3637,7 @@ export interface RuleCreateResponse {
| SetConfigRule
| SkipRule
| SetCacheSettingsRule
+ | RuleCreateResponse.RulesetsLogCustomFieldRule
>;
/**
@@ -3630,6 +3651,119 @@ export interface RuleCreateResponse {
description?: string;
}
+export namespace RuleCreateResponse {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The timestamp of when the rule was last modified.
+ */
+ last_updated: string;
+
+ /**
+ * The version of the rule.
+ */
+ version: string;
+
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * The categories of the rule.
+ */
+ categories?: Array;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.Logging;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
/**
* A ruleset object.
*/
@@ -3678,6 +3812,7 @@ export interface RuleDeleteResponse {
| SetConfigRule
| SkipRule
| SetCacheSettingsRule
+ | RuleDeleteResponse.RulesetsLogCustomFieldRule
>;
/**
@@ -3691,6 +3826,119 @@ export interface RuleDeleteResponse {
description?: string;
}
+export namespace RuleDeleteResponse {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The timestamp of when the rule was last modified.
+ */
+ last_updated: string;
+
+ /**
+ * The version of the rule.
+ */
+ version: string;
+
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * The categories of the rule.
+ */
+ categories?: Array;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.Logging;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
/**
* A ruleset object.
*/
@@ -3739,6 +3987,7 @@ export interface RuleEditResponse {
| SetConfigRule
| SkipRule
| SetCacheSettingsRule
+ | RuleEditResponse.RulesetsLogCustomFieldRule
>;
/**
@@ -3752,6 +4001,119 @@ export interface RuleEditResponse {
description?: string;
}
+export namespace RuleEditResponse {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The timestamp of when the rule was last modified.
+ */
+ last_updated: string;
+
+ /**
+ * The version of the rule.
+ */
+ version: string;
+
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * The categories of the rule.
+ */
+ categories?: Array;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.Logging;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
export type RuleCreateParams =
| RuleCreateParams.BlockRule
| RuleCreateParams.ChallengeRule
@@ -3767,7 +4129,8 @@ export type RuleCreateParams =
| RuleCreateParams.ServeErrorRule
| RuleCreateParams.SetConfigRule
| RuleCreateParams.SkipRule
- | RuleCreateParams.SetCacheSettingsRule;
+ | RuleCreateParams.SetCacheSettingsRule
+ | RuleCreateParams.RulesetsLogCustomFieldRule;
export namespace RuleCreateParams {
export interface BlockRule {
@@ -4900,18 +5263,28 @@ export namespace RuleCreateParams {
/**
* Turn off all active Cloudflare Apps.
*/
- disable_apps?: boolean;
+ disable_apps?: true;
+
+ /**
+ * Turn off Real User Monitoring (RUM).
+ */
+ disable_rum?: true;
/**
* Turn off Zaraz.
*/
- disable_zaraz?: boolean;
+ disable_zaraz?: true;
/**
* Turn on or off Email Obfuscation.
*/
email_obfuscation?: boolean;
+ /**
+ * Turn on or off Cloudflare Fonts.
+ */
+ fonts?: boolean;
+
/**
* Turn on or off the Hotlink Protection.
*/
@@ -5502,6 +5875,114 @@ export namespace RuleCreateParams {
}
}
}
+
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * Path param: The Account ID to use for this endpoint. Mutually exclusive with the
+ * Zone ID.
+ */
+ account_id?: string;
+
+ /**
+ * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the
+ * Account ID.
+ */
+ zone_id?: string;
+
+ /**
+ * Body param: The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * Body param: The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * Body param: The parameters configuring the rule's action.
+ */
+ action_parameters?: RuleCreateParams.RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * Body param: An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Body param: Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * Body param: The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * Body param: An object configuring the rule's logging behavior.
+ */
+ logging?: LoggingParam;
+
+ /**
+ * Body param: The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
}
export interface RuleDeleteParams {
@@ -5531,7 +6012,8 @@ export type RuleEditParams =
| RuleEditParams.ServeErrorRule
| RuleEditParams.SetConfigRule
| RuleEditParams.SkipRule
- | RuleEditParams.SetCacheSettingsRule;
+ | RuleEditParams.SetCacheSettingsRule
+ | RuleEditParams.RulesetsLogCustomFieldRule;
export namespace RuleEditParams {
export interface BlockRule {
@@ -6664,18 +7146,28 @@ export namespace RuleEditParams {
/**
* Turn off all active Cloudflare Apps.
*/
- disable_apps?: boolean;
+ disable_apps?: true;
+
+ /**
+ * Turn off Real User Monitoring (RUM).
+ */
+ disable_rum?: true;
/**
* Turn off Zaraz.
*/
- disable_zaraz?: boolean;
+ disable_zaraz?: true;
/**
* Turn on or off Email Obfuscation.
*/
email_obfuscation?: boolean;
+ /**
+ * Turn on or off Cloudflare Fonts.
+ */
+ fonts?: boolean;
+
/**
* Turn on or off the Hotlink Protection.
*/
@@ -7266,6 +7758,114 @@ export namespace RuleEditParams {
}
}
}
+
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * Path param: The Account ID to use for this endpoint. Mutually exclusive with the
+ * Zone ID.
+ */
+ account_id?: string;
+
+ /**
+ * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the
+ * Account ID.
+ */
+ zone_id?: string;
+
+ /**
+ * Body param: The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * Body param: The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * Body param: The parameters configuring the rule's action.
+ */
+ action_parameters?: RuleEditParams.RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * Body param: An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Body param: Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * Body param: The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * Body param: An object configuring the rule's logging behavior.
+ */
+ logging?: LoggingParam;
+
+ /**
+ * Body param: The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
}
export namespace Rules {
diff --git a/src/resources/rulesets/rulesets.ts b/src/resources/rulesets/rulesets.ts
index ffbe321501..87d201a7d9 100644
--- a/src/resources/rulesets/rulesets.ts
+++ b/src/resources/rulesets/rulesets.ts
@@ -354,6 +354,7 @@ export interface RulesetCreateResponse {
| RulesAPI.SetConfigRule
| RulesAPI.SkipRule
| RulesAPI.SetCacheSettingsRule
+ | RulesetCreateResponse.RulesetsLogCustomFieldRule
>;
/**
@@ -367,6 +368,119 @@ export interface RulesetCreateResponse {
description?: string;
}
+export namespace RulesetCreateResponse {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The timestamp of when the rule was last modified.
+ */
+ last_updated: string;
+
+ /**
+ * The version of the rule.
+ */
+ version: string;
+
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * The categories of the rule.
+ */
+ categories?: Array;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.Logging;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
/**
* A ruleset object.
*/
@@ -415,6 +529,7 @@ export interface RulesetUpdateResponse {
| RulesAPI.SetConfigRule
| RulesAPI.SkipRule
| RulesAPI.SetCacheSettingsRule
+ | RulesetUpdateResponse.RulesetsLogCustomFieldRule
>;
/**
@@ -428,6 +543,119 @@ export interface RulesetUpdateResponse {
description?: string;
}
+export namespace RulesetUpdateResponse {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The timestamp of when the rule was last modified.
+ */
+ last_updated: string;
+
+ /**
+ * The version of the rule.
+ */
+ version: string;
+
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * The categories of the rule.
+ */
+ categories?: Array;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.Logging;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
/**
* A ruleset object.
*/
@@ -476,6 +704,7 @@ export interface RulesetGetResponse {
| RulesAPI.SetConfigRule
| RulesAPI.SkipRule
| RulesAPI.SetCacheSettingsRule
+ | RulesetGetResponse.RulesetsLogCustomFieldRule
>;
/**
@@ -489,6 +718,119 @@ export interface RulesetGetResponse {
description?: string;
}
+export namespace RulesetGetResponse {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The timestamp of when the rule was last modified.
+ */
+ last_updated: string;
+
+ /**
+ * The version of the rule.
+ */
+ version: string;
+
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * The categories of the rule.
+ */
+ categories?: Array;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.Logging;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
export interface RulesetCreateParams {
/**
* Body param: The kind of the ruleset.
@@ -524,6 +866,7 @@ export interface RulesetCreateParams {
| RulesAPI.SetConfigRuleParam
| RulesAPI.SkipRuleParam
| RulesAPI.SetCacheSettingsRuleParam
+ | RulesetCreateParams.RulesetsLogCustomFieldRule
>;
/**
@@ -544,6 +887,104 @@ export interface RulesetCreateParams {
description?: string;
}
+export namespace RulesetCreateParams {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.LoggingParam;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
export interface RulesetUpdateParams {
/**
* Body param: The list of rules in the ruleset.
@@ -564,6 +1005,7 @@ export interface RulesetUpdateParams {
| RulesAPI.SetConfigRuleParam
| RulesAPI.SkipRuleParam
| RulesAPI.SetCacheSettingsRuleParam
+ | RulesetUpdateParams.RulesetsLogCustomFieldRule
>;
/**
@@ -599,6 +1041,104 @@ export interface RulesetUpdateParams {
phase?: PhaseParam;
}
+export namespace RulesetUpdateParams {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.LoggingParam;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
export interface RulesetListParams {
/**
* The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
diff --git a/src/resources/rulesets/versions/by-tag.ts b/src/resources/rulesets/versions/by-tag.ts
index 7089f9b90d..8274986908 100644
--- a/src/resources/rulesets/versions/by-tag.ts
+++ b/src/resources/rulesets/versions/by-tag.ts
@@ -75,6 +75,7 @@ export interface ByTagGetResponse {
| RulesAPI.SetConfigRule
| RulesAPI.SkipRule
| RulesAPI.SetCacheSettingsRule
+ | ByTagGetResponse.RulesetsLogCustomFieldRule
>;
/**
@@ -88,6 +89,119 @@ export interface ByTagGetResponse {
description?: string;
}
+export namespace ByTagGetResponse {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The timestamp of when the rule was last modified.
+ */
+ last_updated: string;
+
+ /**
+ * The version of the rule.
+ */
+ version: string;
+
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * The categories of the rule.
+ */
+ categories?: Array;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.Logging;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
export interface ByTagGetParams {
/**
* The unique ID of the account.
diff --git a/src/resources/rulesets/versions/versions.ts b/src/resources/rulesets/versions/versions.ts
index c493777578..4bbb039ed6 100644
--- a/src/resources/rulesets/versions/versions.ts
+++ b/src/resources/rulesets/versions/versions.ts
@@ -196,6 +196,7 @@ export interface VersionGetResponse {
| RulesAPI.SetConfigRule
| RulesAPI.SkipRule
| RulesAPI.SetCacheSettingsRule
+ | VersionGetResponse.RulesetsLogCustomFieldRule
>;
/**
@@ -209,6 +210,119 @@ export interface VersionGetResponse {
description?: string;
}
+export namespace VersionGetResponse {
+ export interface RulesetsLogCustomFieldRule {
+ /**
+ * The timestamp of when the rule was last modified.
+ */
+ last_updated: string;
+
+ /**
+ * The version of the rule.
+ */
+ version: string;
+
+ /**
+ * The unique ID of the rule.
+ */
+ id?: string;
+
+ /**
+ * The action to perform when the rule matches.
+ */
+ action?: 'log_custom_field';
+
+ /**
+ * The parameters configuring the rule's action.
+ */
+ action_parameters?: RulesetsLogCustomFieldRule.ActionParameters;
+
+ /**
+ * The categories of the rule.
+ */
+ categories?: Array;
+
+ /**
+ * An informative description of the rule.
+ */
+ description?: string;
+
+ /**
+ * Whether the rule should be executed.
+ */
+ enabled?: boolean;
+
+ /**
+ * The expression defining which traffic will match the rule.
+ */
+ expression?: string;
+
+ /**
+ * An object configuring the rule's logging behavior.
+ */
+ logging?: RulesAPI.Logging;
+
+ /**
+ * The reference of the rule (the rule ID by default).
+ */
+ ref?: string;
+ }
+
+ export namespace RulesetsLogCustomFieldRule {
+ /**
+ * The parameters configuring the rule's action.
+ */
+ export interface ActionParameters {
+ /**
+ * The cookie fields to log.
+ */
+ cookie_fields?: Array;
+
+ /**
+ * The request fields to log.
+ */
+ request_fields?: Array;
+
+ /**
+ * The response fields to log.
+ */
+ response_fields?: Array;
+ }
+
+ export namespace ActionParameters {
+ /**
+ * The cookie field to log.
+ */
+ export interface CookieField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The request field to log.
+ */
+ export interface RequestField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+
+ /**
+ * The response field to log.
+ */
+ export interface ResponseField {
+ /**
+ * The name of the field.
+ */
+ name: string;
+ }
+ }
+ }
+}
+
export interface VersionListParams {
/**
* The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
diff --git a/src/resources/zero-trust/access/access.ts b/src/resources/zero-trust/access/access.ts
index ac2650c9c8..5fee574329 100644
--- a/src/resources/zero-trust/access/access.ts
+++ b/src/resources/zero-trust/access/access.ts
@@ -739,9 +739,13 @@ export namespace Access {
export import SaaSAppSource = ApplicationsAPI.SaaSAppSource;
export import SAMLSaaSApp = ApplicationsAPI.SAMLSaaSApp;
export import SelfHostedDomains = ApplicationsAPI.SelfHostedDomains;
+ export import ApplicationCreateResponse = ApplicationsAPI.ApplicationCreateResponse;
+ export import ApplicationUpdateResponse = ApplicationsAPI.ApplicationUpdateResponse;
+ export import ApplicationListResponse = ApplicationsAPI.ApplicationListResponse;
export import ApplicationDeleteResponse = ApplicationsAPI.ApplicationDeleteResponse;
+ export import ApplicationGetResponse = ApplicationsAPI.ApplicationGetResponse;
export import ApplicationRevokeTokensResponse = ApplicationsAPI.ApplicationRevokeTokensResponse;
- export import ApplicationsSinglePage = ApplicationsAPI.ApplicationsSinglePage;
+ export import ApplicationListResponsesSinglePage = ApplicationsAPI.ApplicationListResponsesSinglePage;
export import ApplicationCreateParams = ApplicationsAPI.ApplicationCreateParams;
export import ApplicationUpdateParams = ApplicationsAPI.ApplicationUpdateParams;
export import ApplicationListParams = ApplicationsAPI.ApplicationListParams;
diff --git a/src/resources/zero-trust/access/applications/applications.ts b/src/resources/zero-trust/access/applications/applications.ts
index 9701e47f83..11bfc85c42 100644
--- a/src/resources/zero-trust/access/applications/applications.ts
+++ b/src/resources/zero-trust/access/applications/applications.ts
@@ -5,6 +5,7 @@ import { APIResource } from 'cloudflare/resource';
import { isRequestOptions } from 'cloudflare/core';
import { CloudflareError } from 'cloudflare/error';
import * as ApplicationsAPI from 'cloudflare/resources/zero-trust/access/applications/applications';
+import * as AccessAPI from 'cloudflare/resources/zero-trust/access/access';
import * as CAsAPI from 'cloudflare/resources/zero-trust/access/applications/cas';
import * as PoliciesAPI from 'cloudflare/resources/zero-trust/access/applications/policies';
import * as UserPolicyChecksAPI from 'cloudflare/resources/zero-trust/access/applications/user-policy-checks';
@@ -20,7 +21,10 @@ export class Applications extends APIResource {
/**
* Adds a new application to Access.
*/
- create(params: ApplicationCreateParams, options?: Core.RequestOptions): Core.APIPromise {
+ create(
+ params: ApplicationCreateParams,
+ options?: Core.RequestOptions,
+ ): Core.APIPromise {
const { account_id, zone_id, ...body } = params;
if (!account_id && !zone_id) {
throw new CloudflareError('You must provide either account_id or zone_id.');
@@ -42,7 +46,7 @@ export class Applications extends APIResource {
this._client.post(`/${accountOrZone}/${accountOrZoneId}/access/apps`, {
body,
...options,
- }) as Core.APIPromise<{ result: Application }>
+ }) as Core.APIPromise<{ result: ApplicationCreateResponse }>
)._thenUnwrap((obj) => obj.result);
}
@@ -53,7 +57,7 @@ export class Applications extends APIResource {
appId: AppIDParam,
params: ApplicationUpdateParams,
options?: Core.RequestOptions,
- ): Core.APIPromise {
+ ): Core.APIPromise {
const { account_id, zone_id, ...body } = params;
if (!account_id && !zone_id) {
throw new CloudflareError('You must provide either account_id or zone_id.');
@@ -75,7 +79,7 @@ export class Applications extends APIResource {
this._client.put(`/${accountOrZone}/${accountOrZoneId}/access/apps/${appId}`, {
body,
...options,
- }) as Core.APIPromise<{ result: Application }>
+ }) as Core.APIPromise<{ result: ApplicationUpdateResponse }>
)._thenUnwrap((obj) => obj.result);
}
@@ -85,12 +89,14 @@ export class Applications extends APIResource {
list(
params?: ApplicationListParams,
options?: Core.RequestOptions,
- ): Core.PagePromise;
- list(options?: Core.RequestOptions): Core.PagePromise;
+ ): Core.PagePromise;
+ list(
+ options?: Core.RequestOptions,
+ ): Core.PagePromise;
list(
params: ApplicationListParams | Core.RequestOptions = {},
options?: Core.RequestOptions,
- ): Core.PagePromise {
+ ): Core.PagePromise {
if (isRequestOptions(params)) {
return this.list({}, params);
}
@@ -113,7 +119,7 @@ export class Applications extends APIResource {
};
return this._client.getAPIList(
`/${accountOrZone}/${accountOrZoneId}/access/apps`,
- ApplicationsSinglePage,
+ ApplicationListResponsesSinglePage,
options,
);
}
@@ -167,13 +173,13 @@ export class Applications extends APIResource {
appId: AppIDParam,
params?: ApplicationGetParams,
options?: Core.RequestOptions,
- ): Core.APIPromise;
- get(appId: AppIDParam, options?: Core.RequestOptions): Core.APIPromise;
+ ): Core.APIPromise;
+ get(appId: AppIDParam, options?: Core.RequestOptions): Core.APIPromise;
get(
appId: AppIDParam,
params: ApplicationGetParams | Core.RequestOptions = {},
options?: Core.RequestOptions,
- ): Core.APIPromise {
+ ): Core.APIPromise {
if (isRequestOptions(params)) {
return this.get(appId, {}, params);
}
@@ -198,7 +204,7 @@ export class Applications extends APIResource {
this._client.get(
`/${accountOrZone}/${accountOrZoneId}/access/apps/${appId}`,
options,
- ) as Core.APIPromise<{ result: Application }>
+ ) as Core.APIPromise<{ result: ApplicationGetResponse }>
)._thenUnwrap((obj) => obj.result);
}
@@ -248,7 +254,7 @@ export class Applications extends APIResource {
}
}
-export class ApplicationsSinglePage extends SinglePage {}
+export class ApplicationListResponsesSinglePage extends SinglePage {}
export type AllowedHeaders = string;
@@ -313,8 +319,7 @@ export type Application =
export namespace Application {
export interface SelfHostedApplication {
/**
- * The primary hostname and path that Access will secure. If the app is visible in
- * the App Launcher dashboard, this is the domain that will be displayed.
+ * The domain and path that Access will secure.
*/
domain: string;
@@ -328,14 +333,6 @@ export namespace Application {
*/
id?: string;
- /**
- * When set to true, users can authenticate to this application using their WARP
- * session. When set to false this application will always require direct IdP
- * authentication. This setting always overrides the organization setting for WARP
- * authentication.
- */
- allow_authenticate_via_warp?: boolean;
-
/**
* The identity providers your users can select when connecting to this
* application. Defaults to all IdPs configured in your account.
@@ -358,7 +355,7 @@ export namespace Application {
*/
auto_redirect_to_identity?: boolean;
- cors_headers?: ApplicationsAPI.CORSHeaders;
+ cors_headers?: SelfHostedApplication.CORSHeaders;
created_at?: string;
@@ -370,21 +367,10 @@ export namespace Application {
/**
* The custom URL a user is redirected to when they are denied access to the
- * application when failing identity-based rules.
+ * application.
*/
custom_deny_url?: string;
- /**
- * The custom URL a user is redirected to when they are denied access to the
- * application when failing non-identity rules.
- */
- custom_non_identity_deny_url?: string;
-
- /**
- * The custom pages that will be displayed when applicable for this application
- */
- custom_pages?: Array;
-
/**
* Enables the binding cookie, which increases security against compromised
* authorization tokens and CSRF attacks.
@@ -413,12 +399,6 @@ export namespace Application {
*/
options_preflight_bypass?: boolean;
- /**
- * Enables cookie paths to scope an application's JWT to the application path. If
- * disabled, the JWT will scope to the hostname by default
- */
- path_cookie_attribute?: boolean;
-
/**
* Sets the SameSite cookie setting, which provides increased security against CSRF
* attacks.
@@ -426,9 +406,10 @@ export namespace Application {
same_site_cookie_attribute?: string;
/**
- * List of domains that Access will secure.
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
*/
- self_hosted_domains?: Array;
+ scim_config?: SelfHostedApplication.ScimConfig;
/**
* Returns a 401 status code when the request is blocked by a Service Auth policy.
@@ -447,13 +428,231 @@ export namespace Application {
*/
skip_interstitial?: boolean;
+ updated_at?: string;
+ }
+
+ export namespace SelfHostedApplication {
+ export interface CORSHeaders {
+ /**
+ * Allows all HTTP request headers.
+ */
+ allow_all_headers?: boolean;
+
+ /**
+ * Allows all HTTP request methods.
+ */
+ allow_all_methods?: boolean;
+
+ /**
+ * Allows all origins.
+ */
+ allow_all_origins?: boolean;
+
+ /**
+ * When set to `true`, includes credentials (cookies, authorization headers, or TLS
+ * client certificates) with requests.
+ */
+ allow_credentials?: boolean;
+
+ /**
+ * Allowed HTTP request headers.
+ */
+ allowed_headers?: Array;
+
+ /**
+ * Allowed HTTP request methods.
+ */
+ allowed_methods?: Array;
+
+ /**
+ * Allowed origins.
+ */
+ allowed_origins?: Array;
+
+ /**
+ * The maximum number of seconds the results of a preflight request can be cached.
+ */
+ max_age?: number;
+ }
+
/**
- * The tags you want assigned to an application. Tags are used to filter
- * applications in the App Launcher dashboard.
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
*/
- tags?: Array;
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
- updated_at?: string;
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, we propagate DELETE requests to the target application for SCIM
+ * resources. If true, we only set `active` to false on the SCIM resource. This is
+ * useful because some targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
}
export interface SaaSApplication {
@@ -486,11 +685,6 @@ export namespace Application {
created_at?: string;
- /**
- * The custom pages that will be displayed when applicable for this application
- */
- custom_pages?: Array;
-
/**
* The image URL for the logo shown in the App Launcher dashboard.
*/
@@ -501,13 +695,13 @@ export namespace Application {
*/
name?: string;
- saas_app?: ApplicationsAPI.SAMLSaaSApp | SaaSApplication.AccessOIDCSaaSApp;
+ saas_app?: SaaSApplication.AccessSchemasSAMLSaaSApp | SaaSApplication.AccessSchemasOIDCSaaSApp;
/**
- * The tags you want assigned to an application. Tags are used to filter
- * applications in the App Launcher dashboard.
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
*/
- tags?: Array;
+ scim_config?: SaaSApplication.ScimConfig;
/**
* The application type.
@@ -518,7 +712,92 @@ export namespace Application {
}
export namespace SaaSApplication {
- export interface AccessOIDCSaaSApp {
+ export interface AccessSchemasSAMLSaaSApp {
+ /**
+ * Optional identifier indicating the authentication protocol used for the saas
+ * app. Required for OIDC. Default if unset is "saml"
+ */
+ auth_type?: 'saml' | 'oidc';
+
+ /**
+ * The service provider's endpoint that is responsible for receiving and parsing a
+ * SAML assertion.
+ */
+ consumer_service_url?: string;
+
+ created_at?: string;
+
+ custom_attributes?: AccessSchemasSAMLSaaSApp.CustomAttributes;
+
+ /**
+ * The unique identifier for your SaaS application.
+ */
+ idp_entity_id?: string;
+
+ /**
+ * The format of the name identifier sent to the SaaS application.
+ */
+ name_id_format?: ApplicationsAPI.SaaSAppNameIDFormat;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms an application's
+ * user identities into a NameID value for its SAML assertion. This expression
+ * should evaluate to a singular string. The output of this expression can override
+ * the `name_id_format` setting.
+ */
+ name_id_transform_jsonata?: string;
+
+ /**
+ * The Access public certificate that will be used to verify your identity.
+ */
+ public_key?: string;
+
+ /**
+ * A globally unique name for an identity or service provider.
+ */
+ sp_entity_id?: string;
+
+ /**
+ * The endpoint where your SaaS application will send login requests.
+ */
+ sso_endpoint?: string;
+
+ updated_at?: string;
+ }
+
+ export namespace AccessSchemasSAMLSaaSApp {
+ export interface CustomAttributes {
+ /**
+ * The SAML FriendlyName of the attribute.
+ */
+ friendly_name?: string;
+
+ /**
+ * The name of the attribute.
+ */
+ name?: string;
+
+ /**
+ * A globally unique name for an identity or service provider.
+ */
+ name_format?: ApplicationsAPI.SaaSAppNameFormat;
+
+ /**
+ * If the attribute is required when building a SAML assertion.
+ */
+ required?: boolean;
+
+ source?: ApplicationsAPI.SaaSAppSource;
+ }
+ }
+
+ export interface AccessSchemasOIDCSaaSApp {
+ /**
+ * If client secret should be required on the token endpoint when
+ * authorization_code_with_pkce grant is used.
+ */
+ allow_pkce_without_client_secret?: boolean;
+
/**
* The URL where this applications tile redirects users
*/
@@ -542,15 +821,15 @@ export namespace Application {
created_at?: string;
- custom_claims?: AccessOIDCSaaSApp.CustomClaims;
+ custom_claims?: AccessSchemasOIDCSaaSApp.CustomClaims;
/**
* The OIDC flows supported by this application
*/
- grant_types?: Array<'authorization_code' | 'authorization_code_with_pkce'>;
+ grant_types?: Array<'authorization_code' | 'authorization_code_with_pkce' | 'refresh_tokens'>;
/**
- * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
+ * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint.
*/
group_filter_regex?: string;
@@ -565,15 +844,18 @@ export namespace Application {
*/
redirect_uris?: Array;
+ refresh_token_options?: AccessSchemasOIDCSaaSApp.RefreshTokenOptions;
+
/**
- * Define the user information shared with access
+ * Define the user information shared with access, "offline_access" scope will be
+ * automatically enabled if refresh tokens are enabled
*/
scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>;
updated_at?: string;
}
- export namespace AccessOIDCSaaSApp {
+ export namespace AccessSchemasOIDCSaaSApp {
export interface CustomClaims {
/**
* The name of the claim.
@@ -606,33 +888,211 @@ export namespace Application {
name?: string;
}
}
- }
- }
- export interface BrowserSSHApplication {
- /**
- * The primary hostname and path that Access will secure. If the app is visible in
- * the App Launcher dashboard, this is the domain that will be displayed.
- */
- domain: string;
+ export interface RefreshTokenOptions {
+ /**
+ * How long a refresh token will be valid for after creation. Valid units are
+ * m,h,d. Must be longer than 1m.
+ */
+ lifetime?: string;
+ }
+ }
/**
- * The application type.
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
*/
- type: string;
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
- /**
- * UUID
- */
- id?: string;
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
- /**
- * When set to true, users can authenticate to this application using their WARP
- * session. When set to false this application will always require direct IdP
- * authentication. This setting always overrides the organization setting for WARP
- * authentication.
- */
- allow_authenticate_via_warp?: boolean;
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, we propagate DELETE requests to the target application for SCIM
+ * resources. If true, we only set `active` to false on the SCIM resource. This is
+ * useful because some targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface BrowserSSHApplication {
+ /**
+ * The domain and path that Access will secure.
+ */
+ domain: string;
+
+ /**
+ * The application type.
+ */
+ type: string;
+
+ /**
+ * UUID
+ */
+ id?: string;
/**
* The identity providers your users can select when connecting to this
@@ -656,7 +1116,7 @@ export namespace Application {
*/
auto_redirect_to_identity?: boolean;
- cors_headers?: ApplicationsAPI.CORSHeaders;
+ cors_headers?: BrowserSSHApplication.CORSHeaders;
created_at?: string;
@@ -668,21 +1128,10 @@ export namespace Application {
/**
* The custom URL a user is redirected to when they are denied access to the
- * application when failing identity-based rules.
+ * application.
*/
custom_deny_url?: string;
- /**
- * The custom URL a user is redirected to when they are denied access to the
- * application when failing non-identity rules.
- */
- custom_non_identity_deny_url?: string;
-
- /**
- * The custom pages that will be displayed when applicable for this application
- */
- custom_pages?: Array;
-
/**
* Enables the binding cookie, which increases security against compromised
* authorization tokens and CSRF attacks.
@@ -711,12 +1160,6 @@ export namespace Application {
*/
options_preflight_bypass?: boolean;
- /**
- * Enables cookie paths to scope an application's JWT to the application path. If
- * disabled, the JWT will scope to the hostname by default
- */
- path_cookie_attribute?: boolean;
-
/**
* Sets the SameSite cookie setting, which provides increased security against CSRF
* attacks.
@@ -724,9 +1167,10 @@ export namespace Application {
same_site_cookie_attribute?: string;
/**
- * List of domains that Access will secure.
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
*/
- self_hosted_domains?: Array;
+ scim_config?: BrowserSSHApplication.ScimConfig;
/**
* Returns a 401 status code when the request is blocked by a Service Auth policy.
@@ -745,19 +1189,236 @@ export namespace Application {
*/
skip_interstitial?: boolean;
+ updated_at?: string;
+ }
+
+ export namespace BrowserSSHApplication {
+ export interface CORSHeaders {
+ /**
+ * Allows all HTTP request headers.
+ */
+ allow_all_headers?: boolean;
+
+ /**
+ * Allows all HTTP request methods.
+ */
+ allow_all_methods?: boolean;
+
+ /**
+ * Allows all origins.
+ */
+ allow_all_origins?: boolean;
+
+ /**
+ * When set to `true`, includes credentials (cookies, authorization headers, or TLS
+ * client certificates) with requests.
+ */
+ allow_credentials?: boolean;
+
+ /**
+ * Allowed HTTP request headers.
+ */
+ allowed_headers?: Array;
+
+ /**
+ * Allowed HTTP request methods.
+ */
+ allowed_methods?: Array;
+
+ /**
+ * Allowed origins.
+ */
+ allowed_origins?: Array;
+
+ /**
+ * The maximum number of seconds the results of a preflight request can be cached.
+ */
+ max_age?: number;
+ }
+
/**
- * The tags you want assigned to an application. Tags are used to filter
- * applications in the App Launcher dashboard.
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
*/
- tags?: Array;
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
- updated_at?: string;
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, we propagate DELETE requests to the target application for SCIM
+ * resources. If true, we only set `active` to false on the SCIM resource. This is
+ * useful because some targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
}
export interface BrowserVncApplication {
/**
- * The primary hostname and path that Access will secure. If the app is visible in
- * the App Launcher dashboard, this is the domain that will be displayed.
+ * The domain and path that Access will secure.
*/
domain: string;
@@ -771,14 +1432,6 @@ export namespace Application {
*/
id?: string;
- /**
- * When set to true, users can authenticate to this application using their WARP
- * session. When set to false this application will always require direct IdP
- * authentication. This setting always overrides the organization setting for WARP
- * authentication.
- */
- allow_authenticate_via_warp?: boolean;
-
/**
* The identity providers your users can select when connecting to this
* application. Defaults to all IdPs configured in your account.
@@ -801,7 +1454,7 @@ export namespace Application {
*/
auto_redirect_to_identity?: boolean;
- cors_headers?: ApplicationsAPI.CORSHeaders;
+ cors_headers?: BrowserVncApplication.CORSHeaders;
created_at?: string;
@@ -813,21 +1466,10 @@ export namespace Application {
/**
* The custom URL a user is redirected to when they are denied access to the
- * application when failing identity-based rules.
+ * application.
*/
custom_deny_url?: string;
- /**
- * The custom URL a user is redirected to when they are denied access to the
- * application when failing non-identity rules.
- */
- custom_non_identity_deny_url?: string;
-
- /**
- * The custom pages that will be displayed when applicable for this application
- */
- custom_pages?: Array;
-
/**
* Enables the binding cookie, which increases security against compromised
* authorization tokens and CSRF attacks.
@@ -856,12 +1498,6 @@ export namespace Application {
*/
options_preflight_bypass?: boolean;
- /**
- * Enables cookie paths to scope an application's JWT to the application path. If
- * disabled, the JWT will scope to the hostname by default
- */
- path_cookie_attribute?: boolean;
-
/**
* Sets the SameSite cookie setting, which provides increased security against CSRF
* attacks.
@@ -869,9 +1505,10 @@ export namespace Application {
same_site_cookie_attribute?: string;
/**
- * List of domains that Access will secure.
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
*/
- self_hosted_domains?: Array;
+ scim_config?: BrowserVncApplication.ScimConfig;
/**
* Returns a 401 status code when the request is blocked by a Service Auth policy.
@@ -890,13 +1527,231 @@ export namespace Application {
*/
skip_interstitial?: boolean;
+ updated_at?: string;
+ }
+
+ export namespace BrowserVncApplication {
+ export interface CORSHeaders {
+ /**
+ * Allows all HTTP request headers.
+ */
+ allow_all_headers?: boolean;
+
+ /**
+ * Allows all HTTP request methods.
+ */
+ allow_all_methods?: boolean;
+
+ /**
+ * Allows all origins.
+ */
+ allow_all_origins?: boolean;
+
+ /**
+ * When set to `true`, includes credentials (cookies, authorization headers, or TLS
+ * client certificates) with requests.
+ */
+ allow_credentials?: boolean;
+
+ /**
+ * Allowed HTTP request headers.
+ */
+ allowed_headers?: Array;
+
+ /**
+ * Allowed HTTP request methods.
+ */
+ allowed_methods?: Array;
+
+ /**
+ * Allowed origins.
+ */
+ allowed_origins?: Array;
+
+ /**
+ * The maximum number of seconds the results of a preflight request can be cached.
+ */
+ max_age?: number;
+ }
+
/**
- * The tags you want assigned to an application. Tags are used to filter
- * applications in the App Launcher dashboard.
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
*/
- tags?: Array;
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
- updated_at?: string;
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, we propagate DELETE requests to the target application for SCIM
+ * resources. If true, we only set `active` to false on the SCIM resource. This is
+ * useful because some targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
}
export interface AppLauncherApplication {
@@ -930,8 +1785,7 @@ export namespace Application {
created_at?: string;
/**
- * The primary hostname and path that Access will secure. If the app is visible in
- * the App Launcher dashboard, this is the domain that will be displayed.
+ * The domain and path that Access will secure.
*/
domain?: string;
@@ -940,6 +1794,12 @@ export namespace Application {
*/
name?: string;
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: AppLauncherApplication.ScimConfig;
+
/**
* The amount of time that tokens issued for this application will be valid. Must
* be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
@@ -950,6 +1810,187 @@ export namespace Application {
updated_at?: string;
}
+ export namespace AppLauncherApplication {
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, we propagate DELETE requests to the target application for SCIM
+ * resources. If true, we only set `active` to false on the SCIM resource. This is
+ * useful because some targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
export interface DeviceEnrollmentPermissionsApplication {
/**
* The application type.
@@ -981,8 +2022,7 @@ export namespace Application {
created_at?: string;
/**
- * The primary hostname and path that Access will secure. If the app is visible in
- * the App Launcher dashboard, this is the domain that will be displayed.
+ * The domain and path that Access will secure.
*/
domain?: string;
@@ -991,6 +2031,12 @@ export namespace Application {
*/
name?: string;
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: DeviceEnrollmentPermissionsApplication.ScimConfig;
+
/**
* The amount of time that tokens issued for this application will be valid. Must
* be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
@@ -1001,13 +2047,194 @@ export namespace Application {
updated_at?: string;
}
- export interface BrowserIsolationPermissionsApplication {
+ export namespace DeviceEnrollmentPermissionsApplication {
/**
- * The application type.
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
*/
- type: ApplicationsAPI.ApplicationType;
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
- /**
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, we propagate DELETE requests to the target application for SCIM
+ * resources. If true, we only set `active` to false on the SCIM resource. This is
+ * useful because some targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface BrowserIsolationPermissionsApplication {
+ /**
+ * The application type.
+ */
+ type: ApplicationsAPI.ApplicationType;
+
+ /**
* UUID
*/
id?: string;
@@ -1032,8 +2259,7 @@ export namespace Application {
created_at?: string;
/**
- * The primary hostname and path that Access will secure. If the app is visible in
- * the App Launcher dashboard, this is the domain that will be displayed.
+ * The domain and path that Access will secure.
*/
domain?: string;
@@ -1042,6 +2268,12 @@ export namespace Application {
*/
name?: string;
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: BrowserIsolationPermissionsApplication.ScimConfig;
+
/**
* The amount of time that tokens issued for this application will be valid. Must
* be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
@@ -1052,28 +2284,211 @@ export namespace Application {
updated_at?: string;
}
+ export namespace BrowserIsolationPermissionsApplication {
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, we propagate DELETE requests to the target application for SCIM
+ * resources. If true, we only set `active` to false on the SCIM resource. This is
+ * useful because some targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
export interface BookmarkApplication {
/**
- * UUID
+ * The URL or domain of the bookmark.
*/
- id?: string;
+ domain: string;
/**
- * Displays the application in the App Launcher.
+ * The application type.
*/
- app_launcher_visible?: boolean;
+ type: string;
/**
- * Audience tag.
+ * UUID
*/
- aud?: string;
+ id?: string;
- created_at?: string;
+ app_launcher_visible?: unknown;
/**
- * The URL or domain of the bookmark.
+ * Audience tag.
*/
- domain?: string;
+ aud?: string;
+
+ created_at?: string;
/**
* The image URL for the logo shown in the App Launcher dashboard.
@@ -1086,42 +2501,218 @@ export namespace Application {
name?: string;
/**
- * The tags you want assigned to an application. Tags are used to filter
- * applications in the App Launcher dashboard.
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
*/
- tags?: Array;
+ scim_config?: BookmarkApplication.ScimConfig;
+
+ updated_at?: string;
+ }
+ export namespace BookmarkApplication {
/**
- * The application type.
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
*/
- type?: string;
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
- updated_at?: string;
- }
-}
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
-/**
- * The application type.
- */
-export type ApplicationType =
- | 'self_hosted'
- | 'saas'
- | 'ssh'
- | 'vnc'
- | 'app_launcher'
- | 'warp'
- | 'biso'
- | 'bookmark'
- | 'dash_sso';
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
-/**
- * The application type.
- */
-export type ApplicationTypeParam =
- | 'self_hosted'
- | 'saas'
- | 'ssh'
- | 'vnc'
+ /**
+ * If false, we propagate DELETE requests to the target application for SCIM
+ * resources. If true, we only set `active` to false on the SCIM resource. This is
+ * useful because some targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+}
+
+/**
+ * The application type.
+ */
+export type ApplicationType =
+ | 'self_hosted'
+ | 'saas'
+ | 'ssh'
+ | 'vnc'
+ | 'app_launcher'
+ | 'warp'
+ | 'biso'
+ | 'bookmark'
+ | 'dash_sso';
+
+/**
+ * The application type.
+ */
+export type ApplicationTypeParam =
+ | 'self_hosted'
+ | 'saas'
+ | 'ssh'
+ | 'vnc'
| 'app_launcher'
| 'warp'
| 'biso'
@@ -1411,58 +3002,11430 @@ export interface SAMLSaaSAppParam {
*/
saml_attribute_transform_jsonata?: string;
- /**
- * A globally unique name for an identity or service provider.
- */
- sp_entity_id?: string;
+ /**
+ * A globally unique name for an identity or service provider.
+ */
+ sp_entity_id?: string;
+
+ /**
+ * The endpoint where your SaaS application will send login requests.
+ */
+ sso_endpoint?: string;
+}
+
+export namespace SAMLSaaSAppParam {
+ export interface CustomAttributes {
+ /**
+ * The SAML FriendlyName of the attribute.
+ */
+ friendly_name?: string;
+
+ /**
+ * The name of the attribute.
+ */
+ name?: string;
+
+ /**
+ * A globally unique name for an identity or service provider.
+ */
+ name_format?: ApplicationsAPI.SaaSAppNameFormatParam;
+
+ /**
+ * If the attribute is required when building a SAML assertion.
+ */
+ required?: boolean;
+
+ source?: ApplicationsAPI.SaaSAppSourceParam;
+ }
+}
+
+/**
+ * A domain that Access will secure.
+ */
+export type SelfHostedDomains = string;
+
+/**
+ * A domain that Access will secure.
+ */
+export type SelfHostedDomainsParam = string;
+
+export type ApplicationCreateResponse =
+ | ApplicationCreateResponse.SelfHostedApplication
+ | ApplicationCreateResponse.SaaSApplication
+ | ApplicationCreateResponse.BrowserSSHApplication
+ | ApplicationCreateResponse.BrowserVncApplication
+ | ApplicationCreateResponse.AppLauncherApplication
+ | ApplicationCreateResponse.DeviceEnrollmentPermissionsApplication
+ | ApplicationCreateResponse.BrowserIsolationPermissionsApplication
+ | ApplicationCreateResponse.BookmarkApplication;
+
+export namespace ApplicationCreateResponse {
+ export interface SelfHostedApplication {
+ /**
+ * The primary hostname and path that Access will secure. If the app is visible in
+ * the App Launcher dashboard, this is the domain that will be displayed.
+ */
+ domain: string;
+
+ /**
+ * The application type.
+ */
+ type: string;
+
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * When set to true, users can authenticate to this application using their WARP
+ * session. When set to false this application will always require direct IdP
+ * authentication. This setting always overrides the organization setting for WARP
+ * authentication.
+ */
+ allow_authenticate_via_warp?: boolean;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Displays the application in the App Launcher.
+ */
+ app_launcher_visible?: boolean;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ cors_headers?: ApplicationsAPI.CORSHeaders;
+
+ created_at?: string;
+
+ /**
+ * The custom error message shown to a user when they are denied access to the
+ * application.
+ */
+ custom_deny_message?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing identity-based rules.
+ */
+ custom_deny_url?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing non-identity rules.
+ */
+ custom_non_identity_deny_url?: string;
+
+ /**
+ * The custom pages that will be displayed when applicable for this application
+ */
+ custom_pages?: Array;
+
+ /**
+ * Enables the binding cookie, which increases security against compromised
+ * authorization tokens and CSRF attacks.
+ */
+ enable_binding_cookie?: boolean;
+
+ /**
+ * Enables the HttpOnly cookie attribute, which increases security against XSS
+ * attacks.
+ */
+ http_only_cookie_attribute?: boolean;
+
+ /**
+ * The image URL for the logo shown in the App Launcher dashboard.
+ */
+ logo_url?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ /**
+ * Allows options preflight requests to bypass Access authentication and go
+ * directly to the origin. Cannot turn on if cors_headers is set.
+ */
+ options_preflight_bypass?: boolean;
+
+ /**
+ * Enables cookie paths to scope an application's JWT to the application path. If
+ * disabled, the JWT will scope to the hostname by default
+ */
+ path_cookie_attribute?: boolean;
+
+ policies?: Array;
+
+ /**
+ * Sets the SameSite cookie setting, which provides increased security against CSRF
+ * attacks.
+ */
+ same_site_cookie_attribute?: string;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: SelfHostedApplication.ScimConfig;
+
+ /**
+ * List of domains that Access will secure.
+ */
+ self_hosted_domains?: Array;
+
+ /**
+ * Returns a 401 status code when the request is blocked by a Service Auth policy.
+ */
+ service_auth_401_redirect?: boolean;
+
+ /**
+ * The amount of time that tokens issued for this application will be valid. Must
+ * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
+ * s, m, h.
+ */
+ session_duration?: string;
+
+ /**
+ * Enables automatic authentication through cloudflared.
+ */
+ skip_interstitial?: boolean;
+
+ /**
+ * The tags you want assigned to an application. Tags are used to filter
+ * applications in the App Launcher dashboard.
+ */
+ tags?: Array;
+
+ updated_at?: string;
+ }
+
+ export namespace SelfHostedApplication {
+ export interface Policy {
+ /**
+ * The ID of the Access policy.
+ */
+ id?: string;
+
+ /**
+ * Administrators who can approve a temporary authentication request.
+ */
+ approval_groups?: Array;
+
+ /**
+ * Requires the user to request access from an administrator at the start of each
+ * session.
+ */
+ approval_required?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The action Access will take if a user matches this policy.
+ */
+ decision?: 'allow' | 'deny' | 'non_identity' | 'bypass';
+
+ /**
+ * Rules evaluated with a NOT logical operator. To match the policy, a user cannot
+ * meet any of the Exclude rules.
+ */
+ exclude?: Array;
+
+ /**
+ * Rules evaluated with an OR logical operator. A user needs to meet only one of
+ * the Include rules.
+ */
+ include?: Array;
+
+ /**
+ * Require this application to be served in an isolated browser for users matching
+ * this policy. 'Client Web Isolation' must be on for the account in order to use
+ * this feature.
+ */
+ isolation_required?: boolean;
+
+ /**
+ * The name of the Access policy.
+ */
+ name?: string;
+
+ /**
+ * A custom message that will appear on the purpose justification screen.
+ */
+ purpose_justification_prompt?: string;
+
+ /**
+ * Require users to enter a justification when they log in to the application.
+ */
+ purpose_justification_required?: boolean;
+
+ /**
+ * Rules evaluated with an AND logical operator. To match the policy, a user must
+ * meet all of the Require rules.
+ */
+ require?: Array;
+
+ /**
+ * The amount of time that tokens issued for the application will be valid. Must be
+ * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
+ * m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface SaaSApplication {
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Displays the application in the App Launcher.
+ */
+ app_launcher_visible?: boolean;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The custom pages that will be displayed when applicable for this application
+ */
+ custom_pages?: Array;
+
+ /**
+ * The image URL for the logo shown in the App Launcher dashboard.
+ */
+ logo_url?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ policies?: Array;
+
+ saas_app?: ApplicationsAPI.SAMLSaaSApp | SaaSApplication.AccessOIDCSaaSApp;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: SaaSApplication.ScimConfig;
+
+ /**
+ * The tags you want assigned to an application. Tags are used to filter
+ * applications in the App Launcher dashboard.
+ */
+ tags?: Array;
+
+ /**
+ * The application type.
+ */
+ type?: string;
+
+ updated_at?: string;
+ }
+
+ export namespace SaaSApplication {
+ export interface Policy {
+ /**
+ * The ID of the Access policy.
+ */
+ id?: string;
+
+ /**
+ * Administrators who can approve a temporary authentication request.
+ */
+ approval_groups?: Array;
+
+ /**
+ * Requires the user to request access from an administrator at the start of each
+ * session.
+ */
+ approval_required?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The action Access will take if a user matches this policy.
+ */
+ decision?: 'allow' | 'deny' | 'non_identity' | 'bypass';
+
+ /**
+ * Rules evaluated with a NOT logical operator. To match the policy, a user cannot
+ * meet any of the Exclude rules.
+ */
+ exclude?: Array;
+
+ /**
+ * Rules evaluated with an OR logical operator. A user needs to meet only one of
+ * the Include rules.
+ */
+ include?: Array;
+
+ /**
+ * Require this application to be served in an isolated browser for users matching
+ * this policy. 'Client Web Isolation' must be on for the account in order to use
+ * this feature.
+ */
+ isolation_required?: boolean;
+
+ /**
+ * The name of the Access policy.
+ */
+ name?: string;
+
+ /**
+ * A custom message that will appear on the purpose justification screen.
+ */
+ purpose_justification_prompt?: string;
+
+ /**
+ * Require users to enter a justification when they log in to the application.
+ */
+ purpose_justification_required?: boolean;
+
+ /**
+ * Rules evaluated with an AND logical operator. To match the policy, a user must
+ * meet all of the Require rules.
+ */
+ require?: Array;
+
+ /**
+ * The amount of time that tokens issued for the application will be valid. Must be
+ * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
+ * m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ export interface AccessOIDCSaaSApp {
+ /**
+ * If client secret should be required on the token endpoint when
+ * authorization_code_with_pkce grant is used.
+ */
+ allow_pkce_without_client_secret?: boolean;
+
+ /**
+ * The URL where this applications tile redirects users
+ */
+ app_launcher_url?: string;
+
+ /**
+ * Identifier of the authentication protocol used for the saas app. Required for
+ * OIDC.
+ */
+ auth_type?: 'saml' | 'oidc';
+
+ /**
+ * The application client id
+ */
+ client_id?: string;
+
+ /**
+ * The application client secret, only returned on POST request.
+ */
+ client_secret?: string;
+
+ created_at?: string;
+
+ custom_claims?: AccessOIDCSaaSApp.CustomClaims;
+
+ /**
+ * The OIDC flows supported by this application
+ */
+ grant_types?: Array<'authorization_code' | 'authorization_code_with_pkce' | 'refresh_tokens'>;
+
+ /**
+ * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
+ */
+ group_filter_regex?: string;
+
+ /**
+ * The Access public certificate that will be used to verify your identity.
+ */
+ public_key?: string;
+
+ /**
+ * The permitted URL's for Cloudflare to return Authorization codes and Access/ID
+ * tokens
+ */
+ redirect_uris?: Array;
+
+ refresh_token_options?: AccessOIDCSaaSApp.RefreshTokenOptions;
+
+ /**
+ * Define the user information shared with access, "offline_access" scope will be
+ * automatically enabled if refresh tokens are enabled
+ */
+ scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>;
+
+ updated_at?: string;
+ }
+
+ export namespace AccessOIDCSaaSApp {
+ export interface CustomClaims {
+ /**
+ * The name of the claim.
+ */
+ name?: string;
+
+ /**
+ * A mapping from IdP ID to claim name.
+ */
+ name_by_idp?: Record;
+
+ /**
+ * If the claim is required when building an OIDC token.
+ */
+ required?: boolean;
+
+ /**
+ * The scope of the claim.
+ */
+ scope?: 'groups' | 'profile' | 'email' | 'openid';
+
+ source?: CustomClaims.Source;
+ }
+
+ export namespace CustomClaims {
+ export interface Source {
+ /**
+ * The name of the IdP claim.
+ */
+ name?: string;
+ }
+ }
+
+ export interface RefreshTokenOptions {
+ /**
+ * How long a refresh token will be valid for after creation. Valid units are
+ * m,h,d. Must be longer than 1m.
+ */
+ lifetime?: string;
+ }
+ }
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface BrowserSSHApplication {
+ /**
+ * The primary hostname and path that Access will secure. If the app is visible in
+ * the App Launcher dashboard, this is the domain that will be displayed.
+ */
+ domain: string;
+
+ /**
+ * The application type.
+ */
+ type: string;
+
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * When set to true, users can authenticate to this application using their WARP
+ * session. When set to false this application will always require direct IdP
+ * authentication. This setting always overrides the organization setting for WARP
+ * authentication.
+ */
+ allow_authenticate_via_warp?: boolean;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Displays the application in the App Launcher.
+ */
+ app_launcher_visible?: boolean;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ cors_headers?: ApplicationsAPI.CORSHeaders;
+
+ created_at?: string;
+
+ /**
+ * The custom error message shown to a user when they are denied access to the
+ * application.
+ */
+ custom_deny_message?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing identity-based rules.
+ */
+ custom_deny_url?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing non-identity rules.
+ */
+ custom_non_identity_deny_url?: string;
+
+ /**
+ * The custom pages that will be displayed when applicable for this application
+ */
+ custom_pages?: Array;
+
+ /**
+ * Enables the binding cookie, which increases security against compromised
+ * authorization tokens and CSRF attacks.
+ */
+ enable_binding_cookie?: boolean;
+
+ /**
+ * Enables the HttpOnly cookie attribute, which increases security against XSS
+ * attacks.
+ */
+ http_only_cookie_attribute?: boolean;
+
+ /**
+ * The image URL for the logo shown in the App Launcher dashboard.
+ */
+ logo_url?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ /**
+ * Allows options preflight requests to bypass Access authentication and go
+ * directly to the origin. Cannot turn on if cors_headers is set.
+ */
+ options_preflight_bypass?: boolean;
+
+ /**
+ * Enables cookie paths to scope an application's JWT to the application path. If
+ * disabled, the JWT will scope to the hostname by default
+ */
+ path_cookie_attribute?: boolean;
+
+ policies?: Array;
+
+ /**
+ * Sets the SameSite cookie setting, which provides increased security against CSRF
+ * attacks.
+ */
+ same_site_cookie_attribute?: string;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: BrowserSSHApplication.ScimConfig;
+
+ /**
+ * List of domains that Access will secure.
+ */
+ self_hosted_domains?: Array;
+
+ /**
+ * Returns a 401 status code when the request is blocked by a Service Auth policy.
+ */
+ service_auth_401_redirect?: boolean;
+
+ /**
+ * The amount of time that tokens issued for this application will be valid. Must
+ * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
+ * s, m, h.
+ */
+ session_duration?: string;
+
+ /**
+ * Enables automatic authentication through cloudflared.
+ */
+ skip_interstitial?: boolean;
+
+ /**
+ * The tags you want assigned to an application. Tags are used to filter
+ * applications in the App Launcher dashboard.
+ */
+ tags?: Array;
+
+ updated_at?: string;
+ }
+
+ export namespace BrowserSSHApplication {
+ export interface Policy {
+ /**
+ * The ID of the Access policy.
+ */
+ id?: string;
+
+ /**
+ * Administrators who can approve a temporary authentication request.
+ */
+ approval_groups?: Array;
+
+ /**
+ * Requires the user to request access from an administrator at the start of each
+ * session.
+ */
+ approval_required?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The action Access will take if a user matches this policy.
+ */
+ decision?: 'allow' | 'deny' | 'non_identity' | 'bypass';
+
+ /**
+ * Rules evaluated with a NOT logical operator. To match the policy, a user cannot
+ * meet any of the Exclude rules.
+ */
+ exclude?: Array;
+
+ /**
+ * Rules evaluated with an OR logical operator. A user needs to meet only one of
+ * the Include rules.
+ */
+ include?: Array;
+
+ /**
+ * Require this application to be served in an isolated browser for users matching
+ * this policy. 'Client Web Isolation' must be on for the account in order to use
+ * this feature.
+ */
+ isolation_required?: boolean;
+
+ /**
+ * The name of the Access policy.
+ */
+ name?: string;
+
+ /**
+ * A custom message that will appear on the purpose justification screen.
+ */
+ purpose_justification_prompt?: string;
+
+ /**
+ * Require users to enter a justification when they log in to the application.
+ */
+ purpose_justification_required?: boolean;
+
+ /**
+ * Rules evaluated with an AND logical operator. To match the policy, a user must
+ * meet all of the Require rules.
+ */
+ require?: Array;
+
+ /**
+ * The amount of time that tokens issued for the application will be valid. Must be
+ * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
+ * m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface BrowserVncApplication {
+ /**
+ * The primary hostname and path that Access will secure. If the app is visible in
+ * the App Launcher dashboard, this is the domain that will be displayed.
+ */
+ domain: string;
+
+ /**
+ * The application type.
+ */
+ type: string;
+
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * When set to true, users can authenticate to this application using their WARP
+ * session. When set to false this application will always require direct IdP
+ * authentication. This setting always overrides the organization setting for WARP
+ * authentication.
+ */
+ allow_authenticate_via_warp?: boolean;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Displays the application in the App Launcher.
+ */
+ app_launcher_visible?: boolean;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ cors_headers?: ApplicationsAPI.CORSHeaders;
+
+ created_at?: string;
+
+ /**
+ * The custom error message shown to a user when they are denied access to the
+ * application.
+ */
+ custom_deny_message?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing identity-based rules.
+ */
+ custom_deny_url?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing non-identity rules.
+ */
+ custom_non_identity_deny_url?: string;
+
+ /**
+ * The custom pages that will be displayed when applicable for this application
+ */
+ custom_pages?: Array;
+
+ /**
+ * Enables the binding cookie, which increases security against compromised
+ * authorization tokens and CSRF attacks.
+ */
+ enable_binding_cookie?: boolean;
+
+ /**
+ * Enables the HttpOnly cookie attribute, which increases security against XSS
+ * attacks.
+ */
+ http_only_cookie_attribute?: boolean;
+
+ /**
+ * The image URL for the logo shown in the App Launcher dashboard.
+ */
+ logo_url?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ /**
+ * Allows options preflight requests to bypass Access authentication and go
+ * directly to the origin. Cannot turn on if cors_headers is set.
+ */
+ options_preflight_bypass?: boolean;
+
+ /**
+ * Enables cookie paths to scope an application's JWT to the application path. If
+ * disabled, the JWT will scope to the hostname by default
+ */
+ path_cookie_attribute?: boolean;
+
+ policies?: Array;
+
+ /**
+ * Sets the SameSite cookie setting, which provides increased security against CSRF
+ * attacks.
+ */
+ same_site_cookie_attribute?: string;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: BrowserVncApplication.ScimConfig;
+
+ /**
+ * List of domains that Access will secure.
+ */
+ self_hosted_domains?: Array;
+
+ /**
+ * Returns a 401 status code when the request is blocked by a Service Auth policy.
+ */
+ service_auth_401_redirect?: boolean;
+
+ /**
+ * The amount of time that tokens issued for this application will be valid. Must
+ * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
+ * s, m, h.
+ */
+ session_duration?: string;
+
+ /**
+ * Enables automatic authentication through cloudflared.
+ */
+ skip_interstitial?: boolean;
+
+ /**
+ * The tags you want assigned to an application. Tags are used to filter
+ * applications in the App Launcher dashboard.
+ */
+ tags?: Array;
+
+ updated_at?: string;
+ }
+
+ export namespace BrowserVncApplication {
+ export interface Policy {
+ /**
+ * The ID of the Access policy.
+ */
+ id?: string;
+
+ /**
+ * Administrators who can approve a temporary authentication request.
+ */
+ approval_groups?: Array;
+
+ /**
+ * Requires the user to request access from an administrator at the start of each
+ * session.
+ */
+ approval_required?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The action Access will take if a user matches this policy.
+ */
+ decision?: 'allow' | 'deny' | 'non_identity' | 'bypass';
+
+ /**
+ * Rules evaluated with a NOT logical operator. To match the policy, a user cannot
+ * meet any of the Exclude rules.
+ */
+ exclude?: Array;
+
+ /**
+ * Rules evaluated with an OR logical operator. A user needs to meet only one of
+ * the Include rules.
+ */
+ include?: Array;
+
+ /**
+ * Require this application to be served in an isolated browser for users matching
+ * this policy. 'Client Web Isolation' must be on for the account in order to use
+ * this feature.
+ */
+ isolation_required?: boolean;
+
+ /**
+ * The name of the Access policy.
+ */
+ name?: string;
+
+ /**
+ * A custom message that will appear on the purpose justification screen.
+ */
+ purpose_justification_prompt?: string;
+
+ /**
+ * Require users to enter a justification when they log in to the application.
+ */
+ purpose_justification_required?: boolean;
+
+ /**
+ * Rules evaluated with an AND logical operator. To match the policy, a user must
+ * meet all of the Require rules.
+ */
+ require?: Array;
+
+ /**
+ * The amount of time that tokens issued for the application will be valid. Must be
+ * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
+ * m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface AppLauncherApplication {
+ /**
+ * The application type.
+ */
+ type: ApplicationsAPI.ApplicationType;
+
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The primary hostname and path that Access will secure. If the app is visible in
+ * the App Launcher dashboard, this is the domain that will be displayed.
+ */
+ domain?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ policies?: Array;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: AppLauncherApplication.ScimConfig;
+
+ /**
+ * The amount of time that tokens issued for this application will be valid. Must
+ * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
+ * s, m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ export namespace AppLauncherApplication {
+ export interface Policy {
+ /**
+ * The ID of the Access policy.
+ */
+ id?: string;
+
+ /**
+ * Administrators who can approve a temporary authentication request.
+ */
+ approval_groups?: Array;
+
+ /**
+ * Requires the user to request access from an administrator at the start of each
+ * session.
+ */
+ approval_required?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The action Access will take if a user matches this policy.
+ */
+ decision?: 'allow' | 'deny' | 'non_identity' | 'bypass';
+
+ /**
+ * Rules evaluated with a NOT logical operator. To match the policy, a user cannot
+ * meet any of the Exclude rules.
+ */
+ exclude?: Array;
+
+ /**
+ * Rules evaluated with an OR logical operator. A user needs to meet only one of
+ * the Include rules.
+ */
+ include?: Array;
+
+ /**
+ * Require this application to be served in an isolated browser for users matching
+ * this policy. 'Client Web Isolation' must be on for the account in order to use
+ * this feature.
+ */
+ isolation_required?: boolean;
+
+ /**
+ * The name of the Access policy.
+ */
+ name?: string;
+
+ /**
+ * A custom message that will appear on the purpose justification screen.
+ */
+ purpose_justification_prompt?: string;
+
+ /**
+ * Require users to enter a justification when they log in to the application.
+ */
+ purpose_justification_required?: boolean;
+
+ /**
+ * Rules evaluated with an AND logical operator. To match the policy, a user must
+ * meet all of the Require rules.
+ */
+ require?: Array;
+
+ /**
+ * The amount of time that tokens issued for the application will be valid. Must be
+ * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
+ * m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface DeviceEnrollmentPermissionsApplication {
+ /**
+ * The application type.
+ */
+ type: ApplicationsAPI.ApplicationType;
+
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The primary hostname and path that Access will secure. If the app is visible in
+ * the App Launcher dashboard, this is the domain that will be displayed.
+ */
+ domain?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ policies?: Array;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: DeviceEnrollmentPermissionsApplication.ScimConfig;
+
+ /**
+ * The amount of time that tokens issued for this application will be valid. Must
+ * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
+ * s, m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ export namespace DeviceEnrollmentPermissionsApplication {
+ export interface Policy {
+ /**
+ * The ID of the Access policy.
+ */
+ id?: string;
+
+ /**
+ * Administrators who can approve a temporary authentication request.
+ */
+ approval_groups?: Array;
+
+ /**
+ * Requires the user to request access from an administrator at the start of each
+ * session.
+ */
+ approval_required?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The action Access will take if a user matches this policy.
+ */
+ decision?: 'allow' | 'deny' | 'non_identity' | 'bypass';
+
+ /**
+ * Rules evaluated with a NOT logical operator. To match the policy, a user cannot
+ * meet any of the Exclude rules.
+ */
+ exclude?: Array;
+
+ /**
+ * Rules evaluated with an OR logical operator. A user needs to meet only one of
+ * the Include rules.
+ */
+ include?: Array;
+
+ /**
+ * Require this application to be served in an isolated browser for users matching
+ * this policy. 'Client Web Isolation' must be on for the account in order to use
+ * this feature.
+ */
+ isolation_required?: boolean;
+
+ /**
+ * The name of the Access policy.
+ */
+ name?: string;
+
+ /**
+ * A custom message that will appear on the purpose justification screen.
+ */
+ purpose_justification_prompt?: string;
+
+ /**
+ * Require users to enter a justification when they log in to the application.
+ */
+ purpose_justification_required?: boolean;
+
+ /**
+ * Rules evaluated with an AND logical operator. To match the policy, a user must
+ * meet all of the Require rules.
+ */
+ require?: Array;
+
+ /**
+ * The amount of time that tokens issued for the application will be valid. Must be
+ * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
+ * m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface BrowserIsolationPermissionsApplication {
+ /**
+ * The application type.
+ */
+ type: ApplicationsAPI.ApplicationType;
+
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The primary hostname and path that Access will secure. If the app is visible in
+ * the App Launcher dashboard, this is the domain that will be displayed.
+ */
+ domain?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ policies?: Array;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: BrowserIsolationPermissionsApplication.ScimConfig;
+
+ /**
+ * The amount of time that tokens issued for this application will be valid. Must
+ * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
+ * s, m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ export namespace BrowserIsolationPermissionsApplication {
+ export interface Policy {
+ /**
+ * The ID of the Access policy.
+ */
+ id?: string;
+
+ /**
+ * Administrators who can approve a temporary authentication request.
+ */
+ approval_groups?: Array;
+
+ /**
+ * Requires the user to request access from an administrator at the start of each
+ * session.
+ */
+ approval_required?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The action Access will take if a user matches this policy.
+ */
+ decision?: 'allow' | 'deny' | 'non_identity' | 'bypass';
+
+ /**
+ * Rules evaluated with a NOT logical operator. To match the policy, a user cannot
+ * meet any of the Exclude rules.
+ */
+ exclude?: Array;
+
+ /**
+ * Rules evaluated with an OR logical operator. A user needs to meet only one of
+ * the Include rules.
+ */
+ include?: Array;
+
+ /**
+ * Require this application to be served in an isolated browser for users matching
+ * this policy. 'Client Web Isolation' must be on for the account in order to use
+ * this feature.
+ */
+ isolation_required?: boolean;
+
+ /**
+ * The name of the Access policy.
+ */
+ name?: string;
+
+ /**
+ * A custom message that will appear on the purpose justification screen.
+ */
+ purpose_justification_prompt?: string;
+
+ /**
+ * Require users to enter a justification when they log in to the application.
+ */
+ purpose_justification_required?: boolean;
+
+ /**
+ * Rules evaluated with an AND logical operator. To match the policy, a user must
+ * meet all of the Require rules.
+ */
+ require?: Array;
+
+ /**
+ * The amount of time that tokens issued for the application will be valid. Must be
+ * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
+ * m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface BookmarkApplication {
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * Displays the application in the App Launcher.
+ */
+ app_launcher_visible?: boolean;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ created_at?: string;
+
+ /**
+ * The URL or domain of the bookmark.
+ */
+ domain?: string;
+
+ /**
+ * The image URL for the logo shown in the App Launcher dashboard.
+ */
+ logo_url?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: BookmarkApplication.ScimConfig;
+
+ /**
+ * The tags you want assigned to an application. Tags are used to filter
+ * applications in the App Launcher dashboard.
+ */
+ tags?: Array;
+
+ /**
+ * The application type.
+ */
+ type?: string;
+
+ updated_at?: string;
+ }
+
+ export namespace BookmarkApplication {
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+}
+
+export type ApplicationUpdateResponse =
+ | ApplicationUpdateResponse.SelfHostedApplication
+ | ApplicationUpdateResponse.SaaSApplication
+ | ApplicationUpdateResponse.BrowserSSHApplication
+ | ApplicationUpdateResponse.BrowserVncApplication
+ | ApplicationUpdateResponse.AppLauncherApplication
+ | ApplicationUpdateResponse.DeviceEnrollmentPermissionsApplication
+ | ApplicationUpdateResponse.BrowserIsolationPermissionsApplication
+ | ApplicationUpdateResponse.BookmarkApplication;
+
+export namespace ApplicationUpdateResponse {
+ export interface SelfHostedApplication {
+ /**
+ * The primary hostname and path that Access will secure. If the app is visible in
+ * the App Launcher dashboard, this is the domain that will be displayed.
+ */
+ domain: string;
+
+ /**
+ * The application type.
+ */
+ type: string;
+
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * When set to true, users can authenticate to this application using their WARP
+ * session. When set to false this application will always require direct IdP
+ * authentication. This setting always overrides the organization setting for WARP
+ * authentication.
+ */
+ allow_authenticate_via_warp?: boolean;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Displays the application in the App Launcher.
+ */
+ app_launcher_visible?: boolean;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ cors_headers?: ApplicationsAPI.CORSHeaders;
+
+ created_at?: string;
+
+ /**
+ * The custom error message shown to a user when they are denied access to the
+ * application.
+ */
+ custom_deny_message?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing identity-based rules.
+ */
+ custom_deny_url?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing non-identity rules.
+ */
+ custom_non_identity_deny_url?: string;
+
+ /**
+ * The custom pages that will be displayed when applicable for this application
+ */
+ custom_pages?: Array;
+
+ /**
+ * Enables the binding cookie, which increases security against compromised
+ * authorization tokens and CSRF attacks.
+ */
+ enable_binding_cookie?: boolean;
+
+ /**
+ * Enables the HttpOnly cookie attribute, which increases security against XSS
+ * attacks.
+ */
+ http_only_cookie_attribute?: boolean;
+
+ /**
+ * The image URL for the logo shown in the App Launcher dashboard.
+ */
+ logo_url?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ /**
+ * Allows options preflight requests to bypass Access authentication and go
+ * directly to the origin. Cannot turn on if cors_headers is set.
+ */
+ options_preflight_bypass?: boolean;
+
+ /**
+ * Enables cookie paths to scope an application's JWT to the application path. If
+ * disabled, the JWT will scope to the hostname by default
+ */
+ path_cookie_attribute?: boolean;
+
+ policies?: Array;
+
+ /**
+ * Sets the SameSite cookie setting, which provides increased security against CSRF
+ * attacks.
+ */
+ same_site_cookie_attribute?: string;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: SelfHostedApplication.ScimConfig;
+
+ /**
+ * List of domains that Access will secure.
+ */
+ self_hosted_domains?: Array;
+
+ /**
+ * Returns a 401 status code when the request is blocked by a Service Auth policy.
+ */
+ service_auth_401_redirect?: boolean;
+
+ /**
+ * The amount of time that tokens issued for this application will be valid. Must
+ * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
+ * s, m, h.
+ */
+ session_duration?: string;
+
+ /**
+ * Enables automatic authentication through cloudflared.
+ */
+ skip_interstitial?: boolean;
+
+ /**
+ * The tags you want assigned to an application. Tags are used to filter
+ * applications in the App Launcher dashboard.
+ */
+ tags?: Array;
+
+ updated_at?: string;
+ }
+
+ export namespace SelfHostedApplication {
+ export interface Policy {
+ /**
+ * The ID of the Access policy.
+ */
+ id?: string;
+
+ /**
+ * Administrators who can approve a temporary authentication request.
+ */
+ approval_groups?: Array;
+
+ /**
+ * Requires the user to request access from an administrator at the start of each
+ * session.
+ */
+ approval_required?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The action Access will take if a user matches this policy.
+ */
+ decision?: 'allow' | 'deny' | 'non_identity' | 'bypass';
+
+ /**
+ * Rules evaluated with a NOT logical operator. To match the policy, a user cannot
+ * meet any of the Exclude rules.
+ */
+ exclude?: Array;
+
+ /**
+ * Rules evaluated with an OR logical operator. A user needs to meet only one of
+ * the Include rules.
+ */
+ include?: Array;
+
+ /**
+ * Require this application to be served in an isolated browser for users matching
+ * this policy. 'Client Web Isolation' must be on for the account in order to use
+ * this feature.
+ */
+ isolation_required?: boolean;
+
+ /**
+ * The name of the Access policy.
+ */
+ name?: string;
+
+ /**
+ * A custom message that will appear on the purpose justification screen.
+ */
+ purpose_justification_prompt?: string;
+
+ /**
+ * Require users to enter a justification when they log in to the application.
+ */
+ purpose_justification_required?: boolean;
+
+ /**
+ * Rules evaluated with an AND logical operator. To match the policy, a user must
+ * meet all of the Require rules.
+ */
+ require?: Array;
+
+ /**
+ * The amount of time that tokens issued for the application will be valid. Must be
+ * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
+ * m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface SaaSApplication {
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Displays the application in the App Launcher.
+ */
+ app_launcher_visible?: boolean;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The custom pages that will be displayed when applicable for this application
+ */
+ custom_pages?: Array;
+
+ /**
+ * The image URL for the logo shown in the App Launcher dashboard.
+ */
+ logo_url?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ policies?: Array;
+
+ saas_app?: ApplicationsAPI.SAMLSaaSApp | SaaSApplication.AccessOIDCSaaSApp;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: SaaSApplication.ScimConfig;
+
+ /**
+ * The tags you want assigned to an application. Tags are used to filter
+ * applications in the App Launcher dashboard.
+ */
+ tags?: Array;
+
+ /**
+ * The application type.
+ */
+ type?: string;
+
+ updated_at?: string;
+ }
+
+ export namespace SaaSApplication {
+ export interface Policy {
+ /**
+ * The ID of the Access policy.
+ */
+ id?: string;
+
+ /**
+ * Administrators who can approve a temporary authentication request.
+ */
+ approval_groups?: Array;
+
+ /**
+ * Requires the user to request access from an administrator at the start of each
+ * session.
+ */
+ approval_required?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The action Access will take if a user matches this policy.
+ */
+ decision?: 'allow' | 'deny' | 'non_identity' | 'bypass';
+
+ /**
+ * Rules evaluated with a NOT logical operator. To match the policy, a user cannot
+ * meet any of the Exclude rules.
+ */
+ exclude?: Array;
+
+ /**
+ * Rules evaluated with an OR logical operator. A user needs to meet only one of
+ * the Include rules.
+ */
+ include?: Array;
+
+ /**
+ * Require this application to be served in an isolated browser for users matching
+ * this policy. 'Client Web Isolation' must be on for the account in order to use
+ * this feature.
+ */
+ isolation_required?: boolean;
+
+ /**
+ * The name of the Access policy.
+ */
+ name?: string;
+
+ /**
+ * A custom message that will appear on the purpose justification screen.
+ */
+ purpose_justification_prompt?: string;
+
+ /**
+ * Require users to enter a justification when they log in to the application.
+ */
+ purpose_justification_required?: boolean;
+
+ /**
+ * Rules evaluated with an AND logical operator. To match the policy, a user must
+ * meet all of the Require rules.
+ */
+ require?: Array;
+
+ /**
+ * The amount of time that tokens issued for the application will be valid. Must be
+ * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
+ * m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ export interface AccessOIDCSaaSApp {
+ /**
+ * If client secret should be required on the token endpoint when
+ * authorization_code_with_pkce grant is used.
+ */
+ allow_pkce_without_client_secret?: boolean;
+
+ /**
+ * The URL where this applications tile redirects users
+ */
+ app_launcher_url?: string;
+
+ /**
+ * Identifier of the authentication protocol used for the saas app. Required for
+ * OIDC.
+ */
+ auth_type?: 'saml' | 'oidc';
+
+ /**
+ * The application client id
+ */
+ client_id?: string;
+
+ /**
+ * The application client secret, only returned on POST request.
+ */
+ client_secret?: string;
+
+ created_at?: string;
+
+ custom_claims?: AccessOIDCSaaSApp.CustomClaims;
+
+ /**
+ * The OIDC flows supported by this application
+ */
+ grant_types?: Array<'authorization_code' | 'authorization_code_with_pkce' | 'refresh_tokens'>;
+
+ /**
+ * A regex to filter Cloudflare groups returned in ID token and userinfo endpoint
+ */
+ group_filter_regex?: string;
+
+ /**
+ * The Access public certificate that will be used to verify your identity.
+ */
+ public_key?: string;
+
+ /**
+ * The permitted URL's for Cloudflare to return Authorization codes and Access/ID
+ * tokens
+ */
+ redirect_uris?: Array;
+
+ refresh_token_options?: AccessOIDCSaaSApp.RefreshTokenOptions;
+
+ /**
+ * Define the user information shared with access, "offline_access" scope will be
+ * automatically enabled if refresh tokens are enabled
+ */
+ scopes?: Array<'openid' | 'groups' | 'email' | 'profile'>;
+
+ updated_at?: string;
+ }
+
+ export namespace AccessOIDCSaaSApp {
+ export interface CustomClaims {
+ /**
+ * The name of the claim.
+ */
+ name?: string;
+
+ /**
+ * A mapping from IdP ID to claim name.
+ */
+ name_by_idp?: Record;
+
+ /**
+ * If the claim is required when building an OIDC token.
+ */
+ required?: boolean;
+
+ /**
+ * The scope of the claim.
+ */
+ scope?: 'groups' | 'profile' | 'email' | 'openid';
+
+ source?: CustomClaims.Source;
+ }
+
+ export namespace CustomClaims {
+ export interface Source {
+ /**
+ * The name of the IdP claim.
+ */
+ name?: string;
+ }
+ }
+
+ export interface RefreshTokenOptions {
+ /**
+ * How long a refresh token will be valid for after creation. Valid units are
+ * m,h,d. Must be longer than 1m.
+ */
+ lifetime?: string;
+ }
+ }
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface BrowserSSHApplication {
+ /**
+ * The primary hostname and path that Access will secure. If the app is visible in
+ * the App Launcher dashboard, this is the domain that will be displayed.
+ */
+ domain: string;
+
+ /**
+ * The application type.
+ */
+ type: string;
+
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * When set to true, users can authenticate to this application using their WARP
+ * session. When set to false this application will always require direct IdP
+ * authentication. This setting always overrides the organization setting for WARP
+ * authentication.
+ */
+ allow_authenticate_via_warp?: boolean;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Displays the application in the App Launcher.
+ */
+ app_launcher_visible?: boolean;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ cors_headers?: ApplicationsAPI.CORSHeaders;
+
+ created_at?: string;
+
+ /**
+ * The custom error message shown to a user when they are denied access to the
+ * application.
+ */
+ custom_deny_message?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing identity-based rules.
+ */
+ custom_deny_url?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing non-identity rules.
+ */
+ custom_non_identity_deny_url?: string;
+
+ /**
+ * The custom pages that will be displayed when applicable for this application
+ */
+ custom_pages?: Array;
+
+ /**
+ * Enables the binding cookie, which increases security against compromised
+ * authorization tokens and CSRF attacks.
+ */
+ enable_binding_cookie?: boolean;
+
+ /**
+ * Enables the HttpOnly cookie attribute, which increases security against XSS
+ * attacks.
+ */
+ http_only_cookie_attribute?: boolean;
+
+ /**
+ * The image URL for the logo shown in the App Launcher dashboard.
+ */
+ logo_url?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ /**
+ * Allows options preflight requests to bypass Access authentication and go
+ * directly to the origin. Cannot turn on if cors_headers is set.
+ */
+ options_preflight_bypass?: boolean;
+
+ /**
+ * Enables cookie paths to scope an application's JWT to the application path. If
+ * disabled, the JWT will scope to the hostname by default
+ */
+ path_cookie_attribute?: boolean;
+
+ policies?: Array;
+
+ /**
+ * Sets the SameSite cookie setting, which provides increased security against CSRF
+ * attacks.
+ */
+ same_site_cookie_attribute?: string;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: BrowserSSHApplication.ScimConfig;
+
+ /**
+ * List of domains that Access will secure.
+ */
+ self_hosted_domains?: Array;
+
+ /**
+ * Returns a 401 status code when the request is blocked by a Service Auth policy.
+ */
+ service_auth_401_redirect?: boolean;
+
+ /**
+ * The amount of time that tokens issued for this application will be valid. Must
+ * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
+ * s, m, h.
+ */
+ session_duration?: string;
+
+ /**
+ * Enables automatic authentication through cloudflared.
+ */
+ skip_interstitial?: boolean;
+
+ /**
+ * The tags you want assigned to an application. Tags are used to filter
+ * applications in the App Launcher dashboard.
+ */
+ tags?: Array;
+
+ updated_at?: string;
+ }
+
+ export namespace BrowserSSHApplication {
+ export interface Policy {
+ /**
+ * The ID of the Access policy.
+ */
+ id?: string;
+
+ /**
+ * Administrators who can approve a temporary authentication request.
+ */
+ approval_groups?: Array;
+
+ /**
+ * Requires the user to request access from an administrator at the start of each
+ * session.
+ */
+ approval_required?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The action Access will take if a user matches this policy.
+ */
+ decision?: 'allow' | 'deny' | 'non_identity' | 'bypass';
+
+ /**
+ * Rules evaluated with a NOT logical operator. To match the policy, a user cannot
+ * meet any of the Exclude rules.
+ */
+ exclude?: Array;
+
+ /**
+ * Rules evaluated with an OR logical operator. A user needs to meet only one of
+ * the Include rules.
+ */
+ include?: Array;
+
+ /**
+ * Require this application to be served in an isolated browser for users matching
+ * this policy. 'Client Web Isolation' must be on for the account in order to use
+ * this feature.
+ */
+ isolation_required?: boolean;
+
+ /**
+ * The name of the Access policy.
+ */
+ name?: string;
+
+ /**
+ * A custom message that will appear on the purpose justification screen.
+ */
+ purpose_justification_prompt?: string;
+
+ /**
+ * Require users to enter a justification when they log in to the application.
+ */
+ purpose_justification_required?: boolean;
+
+ /**
+ * Rules evaluated with an AND logical operator. To match the policy, a user must
+ * meet all of the Require rules.
+ */
+ require?: Array;
+
+ /**
+ * The amount of time that tokens issued for the application will be valid. Must be
+ * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
+ * m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface BrowserVncApplication {
+ /**
+ * The primary hostname and path that Access will secure. If the app is visible in
+ * the App Launcher dashboard, this is the domain that will be displayed.
+ */
+ domain: string;
+
+ /**
+ * The application type.
+ */
+ type: string;
+
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * When set to true, users can authenticate to this application using their WARP
+ * session. When set to false this application will always require direct IdP
+ * authentication. This setting always overrides the organization setting for WARP
+ * authentication.
+ */
+ allow_authenticate_via_warp?: boolean;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Displays the application in the App Launcher.
+ */
+ app_launcher_visible?: boolean;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ cors_headers?: ApplicationsAPI.CORSHeaders;
+
+ created_at?: string;
+
+ /**
+ * The custom error message shown to a user when they are denied access to the
+ * application.
+ */
+ custom_deny_message?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing identity-based rules.
+ */
+ custom_deny_url?: string;
+
+ /**
+ * The custom URL a user is redirected to when they are denied access to the
+ * application when failing non-identity rules.
+ */
+ custom_non_identity_deny_url?: string;
+
+ /**
+ * The custom pages that will be displayed when applicable for this application
+ */
+ custom_pages?: Array;
+
+ /**
+ * Enables the binding cookie, which increases security against compromised
+ * authorization tokens and CSRF attacks.
+ */
+ enable_binding_cookie?: boolean;
+
+ /**
+ * Enables the HttpOnly cookie attribute, which increases security against XSS
+ * attacks.
+ */
+ http_only_cookie_attribute?: boolean;
+
+ /**
+ * The image URL for the logo shown in the App Launcher dashboard.
+ */
+ logo_url?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ /**
+ * Allows options preflight requests to bypass Access authentication and go
+ * directly to the origin. Cannot turn on if cors_headers is set.
+ */
+ options_preflight_bypass?: boolean;
+
+ /**
+ * Enables cookie paths to scope an application's JWT to the application path. If
+ * disabled, the JWT will scope to the hostname by default
+ */
+ path_cookie_attribute?: boolean;
+
+ policies?: Array;
+
+ /**
+ * Sets the SameSite cookie setting, which provides increased security against CSRF
+ * attacks.
+ */
+ same_site_cookie_attribute?: string;
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ scim_config?: BrowserVncApplication.ScimConfig;
+
+ /**
+ * List of domains that Access will secure.
+ */
+ self_hosted_domains?: Array;
+
+ /**
+ * Returns a 401 status code when the request is blocked by a Service Auth policy.
+ */
+ service_auth_401_redirect?: boolean;
+
+ /**
+ * The amount of time that tokens issued for this application will be valid. Must
+ * be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms,
+ * s, m, h.
+ */
+ session_duration?: string;
+
+ /**
+ * Enables automatic authentication through cloudflared.
+ */
+ skip_interstitial?: boolean;
+
+ /**
+ * The tags you want assigned to an application. Tags are used to filter
+ * applications in the App Launcher dashboard.
+ */
+ tags?: Array;
+
+ updated_at?: string;
+ }
+
+ export namespace BrowserVncApplication {
+ export interface Policy {
+ /**
+ * The ID of the Access policy.
+ */
+ id?: string;
+
+ /**
+ * Administrators who can approve a temporary authentication request.
+ */
+ approval_groups?: Array;
+
+ /**
+ * Requires the user to request access from an administrator at the start of each
+ * session.
+ */
+ approval_required?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The action Access will take if a user matches this policy.
+ */
+ decision?: 'allow' | 'deny' | 'non_identity' | 'bypass';
+
+ /**
+ * Rules evaluated with a NOT logical operator. To match the policy, a user cannot
+ * meet any of the Exclude rules.
+ */
+ exclude?: Array;
+
+ /**
+ * Rules evaluated with an OR logical operator. A user needs to meet only one of
+ * the Include rules.
+ */
+ include?: Array;
+
+ /**
+ * Require this application to be served in an isolated browser for users matching
+ * this policy. 'Client Web Isolation' must be on for the account in order to use
+ * this feature.
+ */
+ isolation_required?: boolean;
+
+ /**
+ * The name of the Access policy.
+ */
+ name?: string;
+
+ /**
+ * A custom message that will appear on the purpose justification screen.
+ */
+ purpose_justification_prompt?: string;
+
+ /**
+ * Require users to enter a justification when they log in to the application.
+ */
+ purpose_justification_required?: boolean;
+
+ /**
+ * Rules evaluated with an AND logical operator. To match the policy, a user must
+ * meet all of the Require rules.
+ */
+ require?: Array;
+
+ /**
+ * The amount of time that tokens issued for the application will be valid. Must be
+ * in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s,
+ * m, h.
+ */
+ session_duration?: string;
+
+ updated_at?: string;
+ }
+
+ /**
+ * Configuration for provisioning to this application via SCIM. This is currently
+ * in closed beta.
+ */
+ export interface ScimConfig {
+ /**
+ * The UID of the IdP to use as the source for SCIM resources to provision to this
+ * application.
+ */
+ idp_uid: string;
+
+ /**
+ * The base URI for the application's SCIM-compatible API.
+ */
+ remote_uri: string;
+
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ authentication?:
+ | ScimConfig.AccessScimConfigAuthenticationHTTPBasic
+ | ScimConfig.AccessScimConfigAuthenticationOAuthBearerToken
+ | ScimConfig.AccessScimConfigAuthenticationOauth2;
+
+ /**
+ * If false, propagates DELETE requests to the target application for SCIM
+ * resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+ * targets do not support DELETE operations.
+ */
+ deactivate_on_delete?: boolean;
+
+ /**
+ * Whether SCIM provisioning is turned on for this application.
+ */
+ enabled?: boolean;
+
+ /**
+ * A list of mappings to apply to SCIM resources before provisioning them in this
+ * application. These can transform or filter the resources to be provisioned.
+ */
+ mappings?: Array;
+ }
+
+ export namespace ScimConfig {
+ /**
+ * Attributes for configuring HTTP Basic authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationHTTPBasic {
+ /**
+ * Password used to authenticate with the remote SCIM service.
+ */
+ password: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'httpbasic';
+
+ /**
+ * User name used to authenticate with the remote SCIM service.
+ */
+ user: string;
+ }
+
+ /**
+ * Attributes for configuring OAuth Bearer Token authentication scheme for SCIM
+ * provisioning to an application.
+ */
+ export interface AccessScimConfigAuthenticationOAuthBearerToken {
+ /**
+ * Token used to authenticate with the remote SCIM service.
+ */
+ token: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauthbearertoken';
+ }
+
+ /**
+ * Attributes for configuring OAuth 2 authentication scheme for SCIM provisioning
+ * to an application.
+ */
+ export interface AccessScimConfigAuthenticationOauth2 {
+ /**
+ * URL used to generate the auth code used during token generation.
+ */
+ authorization_url: string;
+
+ /**
+ * Client ID used to authenticate when generating a token for authenticating with
+ * the remote SCIM service.
+ */
+ client_id: string;
+
+ /**
+ * Secret used to authenticate when generating a token for authenticating with the
+ * remove SCIM service.
+ */
+ client_secret: string;
+
+ /**
+ * The authentication scheme to use when making SCIM requests to this application.
+ */
+ scheme: 'oauth2';
+
+ /**
+ * URL used to generate the token used to authenticate with the remote SCIM
+ * service.
+ */
+ token_url: string;
+
+ /**
+ * The authorization scopes to request when generating the token used to
+ * authenticate with the remove SCIM service.
+ */
+ scopes?: Array;
+ }
+
+ /**
+ * Transformations and filters applied to resources before they are provisioned in
+ * the remote SCIM service.
+ */
+ export interface Mapping {
+ /**
+ * Which SCIM resource type this mapping applies to.
+ */
+ schema: string;
+
+ /**
+ * Whether or not this mapping is enabled.
+ */
+ enabled?: boolean;
+
+ /**
+ * A
+ * [SCIM filter expression](https://datatracker.ietf.org/doc/html/rfc7644#section-3.4.2.2)
+ * that matches resources that should be provisioned to this application.
+ */
+ filter?: string;
+
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ operations?: Mapping.Operations;
+
+ /**
+ * A [JSONata](https://jsonata.org/) expression that transforms the resource before
+ * provisioning it in the application.
+ */
+ transform_jsonata?: string;
+ }
+
+ export namespace Mapping {
+ /**
+ * Whether or not this mapping applies to creates, updates, or deletes.
+ */
+ export interface Operations {
+ /**
+ * Whether or not this mapping applies to create (POST) operations.
+ */
+ create?: boolean;
+
+ /**
+ * Whether or not this mapping applies to DELETE operations.
+ */
+ delete?: boolean;
+
+ /**
+ * Whether or not this mapping applies to update (PATCH/PUT) operations.
+ */
+ update?: boolean;
+ }
+ }
+ }
+ }
+
+ export interface AppLauncherApplication {
+ /**
+ * The application type.
+ */
+ type: ApplicationsAPI.ApplicationType;
+
+ /**
+ * UUID
+ */
+ id?: string;
+
+ /**
+ * The identity providers your users can select when connecting to this
+ * application. Defaults to all IdPs configured in your account.
+ */
+ allowed_idps?: Array;
+
+ /**
+ * Audience tag.
+ */
+ aud?: string;
+
+ /**
+ * When set to `true`, users skip the identity provider selection step during
+ * login. You must specify only one identity provider in allowed_idps.
+ */
+ auto_redirect_to_identity?: boolean;
+
+ created_at?: string;
+
+ /**
+ * The primary hostname and path that Access will secure. If the app is visible in
+ * the App Launcher dashboard, this is the domain that will be displayed.
+ */
+ domain?: string;
+
+ /**
+ * The name of the application.
+ */
+ name?: string;
+
+ policies?: Array