Skip to main content

access_apps

Creates, updates, deletes, gets or lists an access_apps resource.

Overview

Nameaccess_apps
TypeResource
Idcloudflare.zero_trust.access_apps

Fields

The following fields are returned by SELECT queries:

Get an Access application response

NameDatatypeDescription
idstringUUID. (example: f174e90a-fafe-4643-bbbc-4a0ed4fc8415)
namestringThe name of the application. (example: Admin Site)
allow_authenticate_via_warpbooleanWhen set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
allow_iframebooleanEnables loading application content in an iFrame.
allowed_idpsarrayThe identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
app_launcher_logo_urlstringThe image URL of the logo shown in the App Launcher header. (example: https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg)
app_launcher_visiblebooleanDisplays the application in the App Launcher.
audstringAudience tag. (example: 737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893)
auto_redirect_to_identitybooleanWhen set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
bg_colorstringThe background color of the App Launcher page. (example: #ff0000)
cors_headersobject
created_atstring (date-time) (example: 2014-01-01T05:20:00.12345Z)
custom_deny_messagestringThe custom error message shown to a user when they are denied access to the application.
custom_deny_urlstringThe custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
custom_non_identity_deny_urlstringThe custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
custom_pagesarrayThe custom pages that will be displayed when applicable for this application
destinationsarrayList of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.
domainstringThe primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. (example: test.example.com/admin)
enable_binding_cookiebooleanEnables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
footer_linksarrayThe links in the App Launcher footer.
header_bg_colorstringThe background color of the App Launcher header. (example: #ff0000)
http_only_cookie_attributebooleanEnables the HttpOnly cookie attribute, which increases security against XSS attacks.
landing_page_designobjectThe design of the App Launcher landing page shown to users when they log in.
logo_urlstringThe image URL for the logo shown in the App Launcher dashboard. (example: https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg)
mfa_configobjectConfigures multi-factor authentication (MFA) settings.
oauth_configurationobjectBeta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta.
options_preflight_bypassbooleanAllows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
path_cookie_attributebooleanEnables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
policiesarray
read_service_tokens_from_headerstringAllows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } (example: Authorization)
saas_appobject (title: SAML SaaS App)
same_site_cookie_attributestringSets the SameSite cookie setting, which provides increased security against CSRF attacks. (example: strict)
scim_configobjectConfiguration for provisioning to this application via SCIM. This is currently in closed beta.
self_hosted_domainsarrayList of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.
service_auth_401_redirectbooleanReturns a 401 status code when the request is blocked by a Service Auth policy.
session_durationstringThe amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. (default: 24h, example: 24h)
skip_app_launcher_login_pagebooleanDetermines when to skip the App Launcher landing page.
skip_interstitialbooleanEnables automatic authentication through cloudflared.
tagsarrayThe tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. (x-stainless-collection-type: set)
target_criteriaarray
typestringThe application type. (self_hosted, saas, ssh, vnc, app_launcher, warp, biso, bookmark, dash_sso, infrastructure, rdp, mcp, mcp_portal, proxy_endpoint) (example: self_hosted)
updated_atstring (date-time) (example: 2014-01-01T05:20:00.12345Z)
use_clientless_isolation_app_launcher_urlbooleanDetermines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.

Methods

The following methods are available for this resource:

NameAccessible byRequired ParamsOptional ParamsDescription
get_by_accountselectapp_id, account_idFetches information about an Access application.
get_by_zoneselectapp_id, zone_idFetches information about an Access application.
listselectaccount_idname, domain, aud, target_attributes, exact, search, page, per_pageLists all Access applications in an account or zone.

Parameters

Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.

NameDatatypeDescription
account_idstringThe Cloudflare account ID.
app_idstringThe Access application ID.
zone_idstringThe Cloudflare zone ID.
audstring
domainstring
exactboolean
namestring
pageinteger
per_pageinteger
target_attributesstring

SELECT examples

Fetches information about an Access application.

SELECT
id,
name,
allow_authenticate_via_warp,
allow_iframe,
allowed_idps,
app_launcher_logo_url,
app_launcher_visible,
aud,
auto_redirect_to_identity,
bg_color,
cors_headers,
created_at,
custom_deny_message,
custom_deny_url,
custom_non_identity_deny_url,
custom_pages,
destinations,
domain,
enable_binding_cookie,
footer_links,
header_bg_color,
http_only_cookie_attribute,
landing_page_design,
logo_url,
mfa_config,
oauth_configuration,
options_preflight_bypass,
path_cookie_attribute,
policies,
read_service_tokens_from_header,
saas_app,
same_site_cookie_attribute,
scim_config,
self_hosted_domains,
service_auth_401_redirect,
session_duration,
skip_app_launcher_login_page,
skip_interstitial,
tags,
target_criteria,
type,
updated_at,
use_clientless_isolation_app_launcher_url
FROM cloudflare.zero_trust.access_apps
WHERE app_id = '{{ app_id }}' -- required
AND account_id = '{{ account_id }}' -- required
;