Access API examples

You can use the Cloudflare Access API to create policies, including individual rule blocks inside of group or policy bodies. For example, this policy allows all Cloudflare email account users to reach the application with the exception of one account:

{
  "name": "allow cloudflare employees",
  "decision": "allow",
  "include": [
    {
      "email_domain": {
        "domain": "cloudflare.com"
      }
    }
  ],
  "exclude": [
    {
      "email": {
        "email": "notthisperson@cloudflare.com"
      }
    }
  ],
  "require": []
}

Example rule configurations

Access group

Use a pre-existing Access group.

Any valid service token

The request will need to present the headers for any service token created for this account.

Authentication method

Allow access based on the "amr" identifier.

Common name

The request will need to present a valid certificate with an expected common name.

Country Code

Allow a specific country.

Email

Allow a specific email address.

Email domain

Allow an entire email domain.

Everyone

Allow anyone to log in.

G Suite Group

Allow members of a specific G Suite group.

GitHub™ Organization

Allow members of a specific GitHub organization.

IP range

Allow an IP range.

Microsoft Entra Group

Allow members of a Microsoft Entra group. The ID is the group UUID (id) in Microsoft Entra ID.

mTLS certificate

The request will need to present a valid certificate.

Okta Group

Allow members of an Okta Group.

SAML Attribute

Allow users with specific SAML attributes.

Service token

The request will need to present the correct service token headers.