applications
Creates, updates, deletes, gets or lists an applications resource.
Overview
| Name | applications |
| Type | Resource |
| Id | cloudflare.zero_trust.applications |
Fields
The following fields are returned by SELECT queries:
- list
List Access applications response
| Name | Datatype | Description |
|---|---|---|
id | string | UUID. (example: f174e90a-fafe-4643-bbbc-4a0ed4fc8415) |
name | string | The name of the application. (example: Admin Site) |
allow_authenticate_via_warp | boolean | When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication. |
allow_iframe | boolean | Enables loading application content in an iFrame. |
allowed_idps | array | The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account. |
app_launcher_logo_url | string | The image URL of the logo shown in the App Launcher header. (example: https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg) |
app_launcher_visible | boolean | Displays the application in the App Launcher. |
aud | string | Audience tag. (example: 737646a56ab1df6ec9bddc7e5ca84eaf3b0768850f3ffb5d74f1534911fe3893) |
auto_redirect_to_identity | boolean | When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps. |
bg_color | string | The background color of the App Launcher page. (example: #ff0000) |
cors_headers | object | |
created_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
custom_deny_message | string | The custom error message shown to a user when they are denied access to the application. |
custom_deny_url | string | The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules. |
custom_non_identity_deny_url | string | The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules. |
custom_pages | array | The custom pages that will be displayed when applicable for this application |
destinations | array | List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored. |
domain | string | The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher. (example: test.example.com/admin) |
enable_binding_cookie | boolean | Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks. |
footer_links | array | The links in the App Launcher footer. |
header_bg_color | string | The background color of the App Launcher header. (example: #ff0000) |
http_only_cookie_attribute | boolean | Enables the HttpOnly cookie attribute, which increases security against XSS attacks. |
landing_page_design | object | The design of the App Launcher landing page shown to users when they log in. |
logo_url | string | The image URL for the logo shown in the App Launcher dashboard. (example: https://www.cloudflare.com/img/logo-web-badges/cf-logo-on-white-bg.svg) |
mfa_config | object | Configures multi-factor authentication (MFA) settings. |
oauth_configuration | object | Beta: Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support RFC 8707 (Resource Indicators for OAuth 2.0). This feature is currently in beta. |
options_preflight_bypass | boolean | Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set. |
path_cookie_attribute | boolean | Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default |
policies | array | |
read_service_tokens_from_header | string | Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" } (example: Authorization) |
saas_app | object | (title: SAML SaaS App) |
same_site_cookie_attribute | string | Sets the SameSite cookie setting, which provides increased security against CSRF attacks. (example: strict) |
scim_config | object | Configuration for provisioning to this application via SCIM. This is currently in closed beta. |
self_hosted_domains | array | List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored. |
service_auth_401_redirect | boolean | Returns a 401 status code when the request is blocked by a Service Auth policy. |
session_duration | string | The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications. (default: 24h, example: 24h) |
skip_app_launcher_login_page | boolean | Determines when to skip the App Launcher landing page. |
skip_interstitial | boolean | Enables automatic authentication through cloudflared. |
tags | array | The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard. (x-stainless-collection-type: set) |
target_criteria | array | |
type | string | The application type. (self_hosted, saas, ssh, vnc, app_launcher, warp, biso, bookmark, dash_sso, infrastructure, rdp, mcp, mcp_portal, proxy_endpoint) (example: self_hosted) |
updated_at | string (date-time) | (example: 2014-01-01T05:20:00.12345Z) |
use_clientless_isolation_app_launcher_url | boolean | Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application. |
Methods
The following methods are available for this resource:
| Name | Accessible by | Required Params | Optional Params | Description |
|---|---|---|---|---|
list | select | zone_id | name, domain, aud, target_attributes, exact, search, page, per_page | Lists all Access applications in an account or zone. |
create_by_account | insert | account_id, type | Adds a new application to Access. | |
create_by_zone | insert | zone_id, type | Adds a new application to Access. | |
update_by_account | replace | app_id, account_id, type | Updates an Access application. | |
update_by_zone | replace | app_id, zone_id, type | Updates an Access application. | |
delete_by_account | delete | app_id, account_id | Deletes an application from Access. | |
delete_by_zone | delete | app_id, zone_id | Deletes an application from Access. | |
revoke_tokens_by_account | exec | app_id, account_id | Revokes all tokens issued for an application. | |
revoke_tokens_by_zone | exec | app_id, zone_id | Revokes all tokens issued for an application. |
Parameters
Parameters can be passed in the WHERE clause of a query. Check the Methods section to see which parameters are required or optional for each operation.
| Name | Datatype | Description |
|---|---|---|
account_id | string | The Cloudflare account ID. |
app_id | string | The Access application ID. |
zone_id | string | The Cloudflare zone ID. |
aud | string | |
domain | string | |
exact | boolean | |
name | string | |
page | integer | |
per_page | integer | |
search | string | |
target_attributes | string |
SELECT examples
- list
Lists all Access applications in an account or zone.
SELECT
id,
name,
allow_authenticate_via_warp,
allow_iframe,
allowed_idps,
app_launcher_logo_url,
app_launcher_visible,
aud,
auto_redirect_to_identity,
bg_color,
cors_headers,
created_at,
custom_deny_message,
custom_deny_url,
custom_non_identity_deny_url,
custom_pages,
destinations,
domain,
enable_binding_cookie,
footer_links,
header_bg_color,
http_only_cookie_attribute,
landing_page_design,
logo_url,
mfa_config,
oauth_configuration,
options_preflight_bypass,
path_cookie_attribute,
policies,
read_service_tokens_from_header,
saas_app,
same_site_cookie_attribute,
scim_config,
self_hosted_domains,
service_auth_401_redirect,
session_duration,
skip_app_launcher_login_page,
skip_interstitial,
tags,
target_criteria,
type,
updated_at,
use_clientless_isolation_app_launcher_url
FROM cloudflare.zero_trust.applications
WHERE zone_id = '{{ zone_id }}' -- required
AND name = '{{ name }}'
AND domain = '{{ domain }}'
AND aud = '{{ aud }}'
AND target_attributes = '{{ target_attributes }}'
AND exact = '{{ exact }}'
AND search = '{{ search }}'
AND page = '{{ page }}'
AND per_page = '{{ per_page }}'
;
INSERT examples
- create_by_account
- create_by_zone
- Manifest
Adds a new application to Access.
INSERT INTO cloudflare.zero_trust.applications (
allow_authenticate_via_warp,
allow_iframe,
allowed_idps,
app_launcher_visible,
auto_redirect_to_identity,
cors_headers,
custom_deny_message,
custom_deny_url,
custom_non_identity_deny_url,
custom_pages,
destinations,
domain,
enable_binding_cookie,
http_only_cookie_attribute,
logo_url,
mfa_config,
name,
oauth_configuration,
options_preflight_bypass,
path_cookie_attribute,
read_service_tokens_from_header,
same_site_cookie_attribute,
scim_config,
self_hosted_domains,
service_auth_401_redirect,
session_duration,
skip_interstitial,
tags,
type,
use_clientless_isolation_app_launcher_url,
policies,
saas_app,
app_launcher_logo_url,
bg_color,
footer_links,
header_bg_color,
landing_page_design,
skip_app_launcher_login_page,
target_criteria,
account_id
)
SELECT
{{ allow_authenticate_via_warp }},
{{ allow_iframe }},
'{{ allowed_idps }}',
{{ app_launcher_visible }},
{{ auto_redirect_to_identity }},
'{{ cors_headers }}',
'{{ custom_deny_message }}',
'{{ custom_deny_url }}',
'{{ custom_non_identity_deny_url }}',
'{{ custom_pages }}',
'{{ destinations }}',
'{{ domain }}',
{{ enable_binding_cookie }},
{{ http_only_cookie_attribute }},
'{{ logo_url }}',
'{{ mfa_config }}',
'{{ name }}',
'{{ oauth_configuration }}',
{{ options_preflight_bypass }},
{{ path_cookie_attribute }},
'{{ read_service_tokens_from_header }}',
'{{ same_site_cookie_attribute }}',
'{{ scim_config }}',
'{{ self_hosted_domains }}',
{{ service_auth_401_redirect }},
'{{ session_duration }}',
{{ skip_interstitial }},
'{{ tags }}',
'{{ type }}' /* required */,
{{ use_clientless_isolation_app_launcher_url }},
'{{ policies }}',
'{{ saas_app }}',
'{{ app_launcher_logo_url }}',
'{{ bg_color }}',
'{{ footer_links }}',
'{{ header_bg_color }}',
'{{ landing_page_design }}',
{{ skip_app_launcher_login_page }},
'{{ target_criteria }}',
'{{ account_id }}'
RETURNING
errors,
messages,
result,
success
;
Adds a new application to Access.
INSERT INTO cloudflare.zero_trust.applications (
allow_authenticate_via_warp,
allow_iframe,
allowed_idps,
app_launcher_visible,
auto_redirect_to_identity,
cors_headers,
custom_deny_message,
custom_deny_url,
custom_non_identity_deny_url,
custom_pages,
destinations,
domain,
enable_binding_cookie,
http_only_cookie_attribute,
logo_url,
mfa_config,
name,
oauth_configuration,
options_preflight_bypass,
path_cookie_attribute,
read_service_tokens_from_header,
same_site_cookie_attribute,
scim_config,
self_hosted_domains,
service_auth_401_redirect,
session_duration,
skip_interstitial,
tags,
type,
use_clientless_isolation_app_launcher_url,
policies,
saas_app,
app_launcher_logo_url,
bg_color,
footer_links,
header_bg_color,
landing_page_design,
skip_app_launcher_login_page,
target_criteria,
zone_id
)
SELECT
{{ allow_authenticate_via_warp }},
{{ allow_iframe }},
'{{ allowed_idps }}',
{{ app_launcher_visible }},
{{ auto_redirect_to_identity }},
'{{ cors_headers }}',
'{{ custom_deny_message }}',
'{{ custom_deny_url }}',
'{{ custom_non_identity_deny_url }}',
'{{ custom_pages }}',
'{{ destinations }}',
'{{ domain }}',
{{ enable_binding_cookie }},
{{ http_only_cookie_attribute }},
'{{ logo_url }}',
'{{ mfa_config }}',
'{{ name }}',
'{{ oauth_configuration }}',
{{ options_preflight_bypass }},
{{ path_cookie_attribute }},
'{{ read_service_tokens_from_header }}',
'{{ same_site_cookie_attribute }}',
'{{ scim_config }}',
'{{ self_hosted_domains }}',
{{ service_auth_401_redirect }},
'{{ session_duration }}',
{{ skip_interstitial }},
'{{ tags }}',
'{{ type }}' /* required */,
{{ use_clientless_isolation_app_launcher_url }},
'{{ policies }}',
'{{ saas_app }}',
'{{ app_launcher_logo_url }}',
'{{ bg_color }}',
'{{ footer_links }}',
'{{ header_bg_color }}',
'{{ landing_page_design }}',
{{ skip_app_launcher_login_page }},
'{{ target_criteria }}',
'{{ zone_id }}'
RETURNING
errors,
messages,
result,
success
;
# Description fields are for documentation purposes
- name: applications
props:
- name: account_id
value: "{{ account_id }}"
description: Required parameter for the applications resource.
- name: zone_id
value: "{{ zone_id }}"
description: Required parameter for the applications resource.
- name: allow_authenticate_via_warp
value: {{ allow_authenticate_via_warp }}
description: |
When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.
- name: allow_iframe
value: {{ allow_iframe }}
description: |
Enables loading application content in an iFrame.
- name: allowed_idps
value:
- "{{ allowed_idps }}"
description: |
The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.
- name: app_launcher_visible
value: {{ app_launcher_visible }}
description: |
Displays the application in the App Launcher.
default: true
- name: auto_redirect_to_identity
value: {{ auto_redirect_to_identity }}
description: |
When set to `true`, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.
default: false
- name: cors_headers
value:
allow_all_headers: {{ allow_all_headers }}
allow_all_methods: {{ allow_all_methods }}
allow_all_origins: {{ allow_all_origins }}
allow_credentials: {{ allow_credentials }}
allowed_headers:
- "{{ allowed_headers }}"
allowed_methods:
- "{{ allowed_methods }}"
allowed_origins:
- "{{ allowed_origins }}"
max_age: {{ max_age }}
- name: custom_deny_message
value: "{{ custom_deny_message }}"
description: |
The custom error message shown to a user when they are denied access to the application.
- name: custom_deny_url
value: "{{ custom_deny_url }}"
description: |
The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.
- name: custom_non_identity_deny_url
value: "{{ custom_non_identity_deny_url }}"
description: |
The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.
- name: custom_pages
value:
- "{{ custom_pages }}"
description: |
The custom pages that will be displayed when applicable for this application
- name: destinations
description: |
List of destinations secured by Access. This supersedes `self_hosted_domains` to allow for more flexibility in defining different types of domains. If `destinations` are provided, then `self_hosted_domains` will be ignored.
value:
- type: "{{ type }}"
uri: "{{ uri }}"
cidr: "{{ cidr }}"
hostname: "{{ hostname }}"
l4_protocol: "{{ l4_protocol }}"
port_range: "{{ port_range }}"
vnet_id: "{{ vnet_id }}"
mcp_server_id: "{{ mcp_server_id }}"
default:
- name: domain
value: "{{ domain }}"
description: |
The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.
- name: enable_binding_cookie
value: {{ enable_binding_cookie }}
description: |
Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.
default: false
- name: http_only_cookie_attribute
value: {{ http_only_cookie_attribute }}
description: |
Enables the HttpOnly cookie attribute, which increases security against XSS attacks.
default: true
- name: logo_url
value: "{{ logo_url }}"
description: |
The image URL for the logo shown in the App Launcher dashboard.
- name: mfa_config
description: |
Configures multi-factor authentication (MFA) settings.
value:
allowed_authenticators:
- "{{ allowed_authenticators }}"
mfa_disabled: {{ mfa_disabled }}
session_duration: "{{ session_duration }}"
- name: name
value: "{{ name }}"
description: |
The name of the application.
- name: oauth_configuration
description: |
**Beta:** Optional configuration for managing an OAuth authorization flow controlled by Access. When set, Access will act as the OAuth authorization server for this application. Only compatible with OAuth clients that support [RFC 8707](https://datatracker.ietf.org/doc/html/rfc8707) (Resource Indicators for OAuth 2.0). This feature is currently in beta.
value:
dynamic_client_registration:
allow_any_on_localhost: {{ allow_any_on_localhost }}
allow_any_on_loopback: {{ allow_any_on_loopback }}
allowed_uris:
- "{{ allowed_uris }}"
enabled: {{ enabled }}
enabled: {{ enabled }}
grant:
access_token_lifetime: "{{ access_token_lifetime }}"
session_duration: "{{ session_duration }}"
- name: options_preflight_bypass
value: {{ options_preflight_bypass }}
description: |
Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.
- name: path_cookie_attribute
value: {{ path_cookie_attribute }}
description: |
Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default
default: false
- name: read_service_tokens_from_header
value: "{{ read_service_tokens_from_header }}"
description: |
Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }
- name: same_site_cookie_attribute
value: "{{ same_site_cookie_attribute }}"
description: |
Sets the SameSite cookie setting, which provides increased security against CSRF attacks.
- name: scim_config
description: |
Configuration for provisioning to this application via SCIM. This is currently in closed beta.
value:
authentication:
password: "{{ password }}"
scheme: "{{ scheme }}"
user: "{{ user }}"
token: "{{ token }}"
authorization_url: "{{ authorization_url }}"
client_id: "{{ client_id }}"
client_secret: "{{ client_secret }}"
scopes:
- "{{ scopes }}"
token_url: "{{ token_url }}"
deactivate_on_delete: {{ deactivate_on_delete }}
enabled: {{ enabled }}
idp_uid: "{{ idp_uid }}"
mappings:
- enabled: {{ enabled }}
filter: "{{ filter }}"
operations:
create: {{ create }}
delete: {{ delete }}
update: {{ update }}
schema: "{{ schema }}"
strictness: "{{ strictness }}"
transform_jsonata: "{{ transform_jsonata }}"
remote_uri: "{{ remote_uri }}"
- name: self_hosted_domains
value:
- "{{ self_hosted_domains }}"
description: |
List of public domains that Access will secure. This field is deprecated in favor of `destinations` and will be supported until **November 21, 2025.** If `destinations` are provided, then `self_hosted_domains` will be ignored.
default:
- name: service_auth_401_redirect
value: {{ service_auth_401_redirect }}
description: |
Returns a 401 status code when the request is blocked by a Service Auth policy.
- name: session_duration
value: "{{ session_duration }}"
description: |
The amount of time that tokens issued for this application will be valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m, h. Note: unsupported for infrastructure type applications.
default: 24h
- name: skip_interstitial
value: {{ skip_interstitial }}
description: |
Enables automatic authentication through cloudflared.
- name: tags
value:
- "{{ tags }}"
description: |
The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.
default:
- name: type
value: "{{ type }}"
description: |
The application type.
valid_values: ['self_hosted', 'saas', 'ssh', 'vnc', 'app_launcher', 'warp', 'biso', 'bookmark', 'dash_sso', 'infrastructure', 'rdp', 'mcp', 'mcp_portal', 'proxy_endpoint']
- name: use_clientless_isolation_app_launcher_url
value: {{ use_clientless_isolation_app_launcher_url }}
description: |
Determines if users can access this application via a clientless browser isolation URL. This allows users to access private domains without connecting to Gateway. The option requires Clientless Browser Isolation to be set up with policies that allow users of this application.
default: false
- name: policies
description: |
The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application. Reusable and inline policies are mutually exclusive.
value:
- id: "{{ id }}"
precedence: {{ precedence }}
approval_groups: "{{ approval_groups }}"
approval_required: {{ approval_required }}
connection_rules:
rdp:
allowed_clipboard_local_to_remote_formats:
- "{{ allowed_clipboard_local_to_remote_formats }}"
allowed_clipboard_remote_to_local_formats:
- "{{ allowed_clipboard_remote_to_local_formats }}"
isolation_required: {{ isolation_required }}
mfa_config:
allowed_authenticators:
- "{{ allowed_authenticators }}"
mfa_disabled: {{ mfa_disabled }}
session_duration: "{{ session_duration }}"
purpose_justification_prompt: "{{ purpose_justification_prompt }}"
purpose_justification_required: {{ purpose_justification_required }}
session_duration: "{{ session_duration }}"
- name: saas_app
value:
auth_type: "{{ auth_type }}"
consumer_service_url: "{{ consumer_service_url }}"
created_at: "{{ created_at }}"
custom_attributes:
- friendly_name: "{{ friendly_name }}"
name: "{{ name }}"
name_format: "{{ name_format }}"
source:
name: "{{ name }}"
name_by_idp:
- idp_id: "{{ idp_id }}"
source_name: "{{ source_name }}"
default_relay_state: "{{ default_relay_state }}"
idp_entity_id: "{{ idp_entity_id }}"
name_id_format: "{{ name_id_format }}"
name_id_transform_jsonata: "{{ name_id_transform_jsonata }}"
public_key: "{{ public_key }}"
saml_attribute_transform_jsonata: "{{ saml_attribute_transform_jsonata }}"
sp_entity_id: "{{ sp_entity_id }}"
sso_endpoint: "{{ sso_endpoint }}"
updated_at: "{{ updated_at }}"
access_token_lifetime: "{{ access_token_lifetime }}"
allow_pkce_without_client_secret: {{ allow_pkce_without_client_secret }}
app_launcher_url: "{{ app_launcher_url }}"
client_id: "{{ client_id }}"
client_secret: "{{ client_secret }}"
custom_claims:
- name: "{{ name }}"
scope: "{{ scope }}"
source:
name: "{{ name }}"
name_by_idp: "{{ name_by_idp }}"
grant_types:
- "{{ grant_types }}"
group_filter_regex: "{{ group_filter_regex }}"
hybrid_and_implicit_options:
return_access_token_from_authorization_endpoint: {{ return_access_token_from_authorization_endpoint }}
return_id_token_from_authorization_endpoint: {{ return_id_token_from_authorization_endpoint }}
redirect_uris:
- "{{ redirect_uris }}"
refresh_token_options:
lifetime: "{{ lifetime }}"
scopes:
- "{{ scopes }}"
- name: app_launcher_logo_url
value: "{{ app_launcher_logo_url }}"
description: |
The image URL of the logo shown in the App Launcher header.
- name: bg_color
value: "{{ bg_color }}"
description: |
The background color of the App Launcher page.
- name: footer_links
description: |
The links in the App Launcher footer.
value:
- name: "{{ name }}"
url: "{{ url }}"
- name: header_bg_color
value: "{{ header_bg_color }}"
description: |
The background color of the App Launcher header.
- name: landing_page_design
description: |
The design of the App Launcher landing page shown to users when they log in.
value:
button_color: "{{ button_color }}"
button_text_color: "{{ button_text_color }}"
image_url: "{{ image_url }}"
message: "{{ message }}"
title: "{{ title }}"
- name: skip_app_launcher_login_page
value: {{ skip_app_launcher_login_page }}
description: |
Determines when to skip the App Launcher landing page.
default: false
- name: target_criteria
value:
- port: {{ port }}
target_attributes: "{{ target_attributes }}"
protocol: "{{ protocol }}"
REPLACE examples
- update_by_account
- update_by_zone
Updates an Access application.
REPLACE cloudflare.zero_trust.applications
SET
allow_authenticate_via_warp = {{ allow_authenticate_via_warp }},
allow_iframe = {{ allow_iframe }},
allowed_idps = '{{ allowed_idps }}',
app_launcher_visible = {{ app_launcher_visible }},
auto_redirect_to_identity = {{ auto_redirect_to_identity }},
cors_headers = '{{ cors_headers }}',
custom_deny_message = '{{ custom_deny_message }}',
custom_deny_url = '{{ custom_deny_url }}',
custom_non_identity_deny_url = '{{ custom_non_identity_deny_url }}',
custom_pages = '{{ custom_pages }}',
destinations = '{{ destinations }}',
domain = '{{ domain }}',
enable_binding_cookie = {{ enable_binding_cookie }},
http_only_cookie_attribute = {{ http_only_cookie_attribute }},
logo_url = '{{ logo_url }}',
mfa_config = '{{ mfa_config }}',
name = '{{ name }}',
oauth_configuration = '{{ oauth_configuration }}',
options_preflight_bypass = {{ options_preflight_bypass }},
path_cookie_attribute = {{ path_cookie_attribute }},
read_service_tokens_from_header = '{{ read_service_tokens_from_header }}',
same_site_cookie_attribute = '{{ same_site_cookie_attribute }}',
scim_config = '{{ scim_config }}',
self_hosted_domains = '{{ self_hosted_domains }}',
service_auth_401_redirect = {{ service_auth_401_redirect }},
session_duration = '{{ session_duration }}',
skip_interstitial = {{ skip_interstitial }},
tags = '{{ tags }}',
type = '{{ type }}',
use_clientless_isolation_app_launcher_url = {{ use_clientless_isolation_app_launcher_url }},
policies = '{{ policies }}',
saas_app = '{{ saas_app }}',
app_launcher_logo_url = '{{ app_launcher_logo_url }}',
bg_color = '{{ bg_color }}',
footer_links = '{{ footer_links }}',
header_bg_color = '{{ header_bg_color }}',
landing_page_design = '{{ landing_page_design }}',
skip_app_launcher_login_page = {{ skip_app_launcher_login_page }},
target_criteria = '{{ target_criteria }}'
WHERE
app_id = '{{ app_id }}' --required
AND account_id = '{{ account_id }}' --required
AND type = '{{ type }}' --required
RETURNING
errors,
messages,
result,
success;
Updates an Access application.
REPLACE cloudflare.zero_trust.applications
SET
allow_authenticate_via_warp = {{ allow_authenticate_via_warp }},
allow_iframe = {{ allow_iframe }},
allowed_idps = '{{ allowed_idps }}',
app_launcher_visible = {{ app_launcher_visible }},
auto_redirect_to_identity = {{ auto_redirect_to_identity }},
cors_headers = '{{ cors_headers }}',
custom_deny_message = '{{ custom_deny_message }}',
custom_deny_url = '{{ custom_deny_url }}',
custom_non_identity_deny_url = '{{ custom_non_identity_deny_url }}',
custom_pages = '{{ custom_pages }}',
destinations = '{{ destinations }}',
domain = '{{ domain }}',
enable_binding_cookie = {{ enable_binding_cookie }},
http_only_cookie_attribute = {{ http_only_cookie_attribute }},
logo_url = '{{ logo_url }}',
mfa_config = '{{ mfa_config }}',
name = '{{ name }}',
oauth_configuration = '{{ oauth_configuration }}',
options_preflight_bypass = {{ options_preflight_bypass }},
path_cookie_attribute = {{ path_cookie_attribute }},
read_service_tokens_from_header = '{{ read_service_tokens_from_header }}',
same_site_cookie_attribute = '{{ same_site_cookie_attribute }}',
scim_config = '{{ scim_config }}',
self_hosted_domains = '{{ self_hosted_domains }}',
service_auth_401_redirect = {{ service_auth_401_redirect }},
session_duration = '{{ session_duration }}',
skip_interstitial = {{ skip_interstitial }},
tags = '{{ tags }}',
type = '{{ type }}',
use_clientless_isolation_app_launcher_url = {{ use_clientless_isolation_app_launcher_url }},
policies = '{{ policies }}',
saas_app = '{{ saas_app }}',
app_launcher_logo_url = '{{ app_launcher_logo_url }}',
bg_color = '{{ bg_color }}',
footer_links = '{{ footer_links }}',
header_bg_color = '{{ header_bg_color }}',
landing_page_design = '{{ landing_page_design }}',
skip_app_launcher_login_page = {{ skip_app_launcher_login_page }},
target_criteria = '{{ target_criteria }}'
WHERE
app_id = '{{ app_id }}' --required
AND zone_id = '{{ zone_id }}' --required
AND type = '{{ type }}' --required
RETURNING
errors,
messages,
result,
success;
DELETE examples
- delete_by_account
- delete_by_zone
Deletes an application from Access.
DELETE FROM cloudflare.zero_trust.applications
WHERE app_id = '{{ app_id }}' --required
AND account_id = '{{ account_id }}' --required
;
Deletes an application from Access.
DELETE FROM cloudflare.zero_trust.applications
WHERE app_id = '{{ app_id }}' --required
AND zone_id = '{{ zone_id }}' --required
;
Lifecycle Methods
- revoke_tokens_by_account
- revoke_tokens_by_zone
Revokes all tokens issued for an application.
EXEC cloudflare.zero_trust.applications.revoke_tokens_by_account
@app_id='{{ app_id }}' --required,
@account_id='{{ account_id }}' --required
;
Revokes all tokens issued for an application.
EXEC cloudflare.zero_trust.applications.revoke_tokens_by_zone
@app_id='{{ app_id }}' --required,
@zone_id='{{ zone_id }}' --required
;