Access API examples
You can use the Cloudflare Access API to create policies, including individual rule blocks inside of group or policy bodies. For example, this policy allows all Cloudflare email account users to reach the application with the exception of one account:
{ "name": "allow cloudflare employees", "decision": "allow", "include": [ { "email_domain": { "domain": "cloudflare.com" } } ], "exclude": [ { "email": { "email": "notthisperson@cloudflare.com" } } ], "require": []}
Rule group
Use a pre-existing rule group.Any valid service token
The request will need to present the headers for any service token created for this account.Authentication method
Allow access based on the "amr" identifier.Common name
The request will need to present a valid certificate with an expected common name.Email domain
Allow an entire email domain.Country Code
Allow a specific country.Microsoft Entra Group
Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID.GitHub™ Organization
Allow members of a specific GitHub organization.Everyone
Allow anyone to log in.G Suite Group
Allow members of a specific G Suite group.IP range
Allow an IP range.mTLS certificate
The request will need to present a valid certificate.Okta Group
Allow members of an Okta Group.SAML Attribute
Allow users with specific SAML attributes.Service token
The request will need to present the correct service token headers.Was this helpful?
- Resources
- API
- New to Cloudflare?
- Directory
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark