Access API examples

You can use the Cloudflare Access API to create policies, including individual rule blocks inside of group or policy bodies. For example, this policy allows all Cloudflare email account users to reach the application with the exception of one account:

{
  "name": "allow cloudflare employees",
  "decision": "allow",
  "include": [
    {
      "email_domain": {
        "domain": "cloudflare.com"
      }
    }
  ],
  "exclude": [
    {
      "email": {
        "email": "notthisperson@cloudflare.com"
      }
    }
  ],
  "require": []
}

Example rule configurations

Access group

Use a pre-existing Access group.

Any valid service token

The request will need to present the headers for any service token created for this account.

Authentication method

Allow access based on the "amr" identifier.

Azure® Group

Allow members of an Azure Group. The ID is the group UUID (id) in Azure.

Common name

The request will need to present a valid certificate with an expected common name.

Country Code

Allow a specific country.

Email

Allow a specific email address.

Email domain

Allow an entire email domain.

Everyone

Allow anyone to log in.

G Suite® Group

Allow members of a specific G Suite group.

GitHub™ Organization

Allow members of a specific GitHub organization.

IP range

Allow an IP range.

mTLS certificate

The request will need to present a valid certificate.

Okta® Group

Allow members of an Okta Group.

SAML Attribute

Allow users with specific SAML attributes.

Service token

The request will need to present the correct service token headers.