ZeroTrustAccessApplication

The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.

When set to true, users can authenticate to this application using their WARP session. When set to false this application will always require direct IdP authentication. This setting always overrides the organization setting for WARP authentication.

The identity providers your users can select when connecting to this application. Defaults to all IdPs configured in your account.

Enables loading application content in an iFrame.

The image URL of the logo shown in the App Launcher header.

Displays the application in the App Launcher.

Audience tag.

When set to true, users skip the identity provider selection step during login. You must specify only one identity provider in allowed_idps.

The background color of the App Launcher page.

The custom error message shown to a user when they are denied access to the application.

The custom URL a user is redirected to when they are denied access to the application when failing identity-based rules.

The custom URL a user is redirected to when they are denied access to the application when failing non-identity rules.

The custom pages that will be displayed when applicable for this application

List of destinations secured by Access. This supersedes self_hosted_domains to allow for more flexibility in defining different types of domains. If destinations are provided, then self_hosted_domains will be ignored.

The primary hostname and path secured by Access. This domain will be displayed if the app is visible in the App Launcher.

Enables the binding cookie, which increases security against compromised authorization tokens and CSRF attacks.

The links in the App Launcher footer.

The background color of the App Launcher header.

Enables the HttpOnly cookie attribute, which increases security against XSS attacks.

The design of the App Launcher landing page shown to users when they log in.

The image URL for the logo shown in the App Launcher dashboard.

The name of the application.

Allows options preflight requests to bypass Access authentication and go directly to the origin. Cannot turn on if cors_headers is set.

Enables cookie paths to scope an application's JWT to the application path. If disabled, the JWT will scope to the hostname by default

The policies that Access applies to the application, in ascending order of precedence. Items can reference existing policies or create new policies exclusive to the application.

Allows matching Access Service Tokens passed HTTP in a single header with this name. This works as an alternative to the (CF-Access-Client-Id, CF-Access-Client-Secret) pair of headers. The header value will be interpreted as a json object similar to: { "cf-access-client-id": "88bf3b6d86161464f6509f7219099e57.access.example.com", "cf-access-client-secret": "bdd31cbc4dec990953e39163fbbb194c93313ca9f0a6e420346af9d326b1d2a5" }

Sets the SameSite cookie setting, which provides increased security against CSRF attacks.

Configuration for provisioning to this application via SCIM. This is currently in closed beta.

List of public domains that Access will secure. This field is deprecated in favor of destinations and will be supported until November 21, 2025. If destinations are provided, then self_hosted_domains will be ignored.

Returns a 401 status code when the request is blocked by a Service Auth policy.

The amount of time that tokens issued for this application will be valid. Must be in the format 300ms or 2h45m. Valid time units are: ns, us (or µs), ms, s, m, h.

Determines when to skip the App Launcher landing page.

Enables automatic authentication through cloudflared.

The tags you want assigned to an application. Tags are used to filter applications in the App Launcher dashboard.

The application type.

The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.