POST /accounts/{account_id}/access/apps/{app_id}/policies
Creates a policy applying exclusive to a single application that defines the users or groups who can reach it. We recommend creating a reusable policy instead and subsequently referencing its ID in the application's 'policies' array.
Servers
- https://api.cloudflare.com/client/v4
Path parameters
| Name | Type | Required | Description |
|---|---|---|---|
app_id |
String | Yes |
The application ID. |
account_id |
String | Yes |
Request headers
| Name | Type | Required | Description |
|---|---|---|---|
Content-Type |
String | Yes |
The media type of the request body.
Default value: "application/json" |
Request body fields
| Name | Type | Required | Description |
|---|---|---|---|
purpose_justification_required |
Boolean | No |
Require users to enter a justification when they log in to the application. |
session_duration |
String | No |
The amount of time that tokens issued for the application will be valid. Must be in the format Default value: "24h" |
mfa_config |
Object | No |
Configures multi-factor authentication (MFA) settings. |
mfa_config.allowed_authenticators[] |
Array | No |
Lists the MFA methods that users can authenticate with. |
mfa_config.session_duration |
String | No |
Defines the duration of an MFA session. Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30 days). Examples: |
mfa_config.mfa_bypass |
Boolean | No |
Indicates whether to bypass MFA for this resource. This option is available at the application and policy level. |
decision |
String | Yes |
The action Access will take if a user matches this policy. Infrastructure application policies can only use the Allow action. Valid values:
|
approval_required |
Boolean | No |
Requires the user to request access from an administrator at the start of each session. |
isolation_required |
Boolean | No |
Require this application to be served in an isolated browser for users matching this policy. 'Client Web Isolation' must be on for the account in order to use this feature. |
exclude[] |
Array | No |
Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules. |
name |
String | Yes |
The name of the Access policy. |
include[] |
Array | Yes |
Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules. |
require[] |
Array | No |
Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules. |
purpose_justification_prompt |
String | No |
A custom message that will appear on the purpose justification screen. |
precedence |
Integer | No |
The order of execution for this policy. Must be unique for each policy within an app. |
approval_groups[] |
Array | No |
Administrators who can approve a temporary authentication request. |
approval_groups[].email_list_uuid |
String | No |
The UUID of an re-usable email list. |
approval_groups[].approvals_needed |
Number | Yes |
The number of approvals needed to obtain access. |
approval_groups[].email_addresses[] |
Array | No |
A list of emails that can approve the access request. |
How to start integrating
- Add HTTP Task to your workflow definition.
- Search for the API you want to integrate with and click on the name.
- This loads the API reference documentation and prepares the Http request settings.
- Click Test request to test run your request to the API and see the API's response.