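import { APIResource } from "../../../resource.js";
import * as Core from "../../../core.js";
import * as DOHAPI from "./doh.js";
import { DOH, DOHGetParams, DOHGetResponse, DOHUpdateParams, DOHUpdateResponse } from "./doh.js";
/**
 * Client resource for the Zero Trust organization endpoints: create, update,
 * read the configuration, and revoke a user's access. `doh` exposes the
 * sub-resource declared in `./doh.js`.
 */
export declare class Organizations extends APIResource {
    doh: DOHAPI.DOH;
    /**
     * Sets up a Zero Trust organization for your account or zone.
     *
     * @example
     * ```ts
     * const organization =
     *   await client.zeroTrust.organizations.create({
     *     auth_domain: 'test.cloudflareaccess.com',
     *     name: 'Widget Corps Internal Applications',
     *     account_id: 'account_id',
     *   });
     * ```
     */
    create(params: OrganizationCreateParams, options?: Core.RequestOptions): Core.APIPromise<Organization>;
    /**
     * Updates the configuration for your Zero Trust organization.
     *
     * @example
     * ```ts
     * const organization =
     *   await client.zeroTrust.organizations.update({
     *     account_id: 'account_id',
     *   });
     * ```
     */
    update(params: OrganizationUpdateParams, options?: Core.RequestOptions): Core.APIPromise<Organization>;
    /**
     * Returns the configuration for your Zero Trust organization.
     *
     * @example
     * ```ts
     * const organization =
     *   await client.zeroTrust.organizations.list({
     *     account_id: 'account_id',
     *   });
     * ```
     */
    list(params?: OrganizationListParams, options?: Core.RequestOptions): Core.APIPromise<Organization>;
    list(options?: Core.RequestOptions): Core.APIPromise<Organization>;
    /**
     * Revokes a user's access across all applications.
     *
     * Whether the user's devices are also revoked, and whether WARP
     * re-authentication is forced, is controlled by the optional
     * `query_devices` / `body_devices` and `warp_session_reauth` fields of
     * {@link OrganizationRevokeUsersParams}; their defaults are not visible in
     * these declarations.
     *
     * @example
     * ```ts
     * const response =
     *   await client.zeroTrust.organizations.revokeUsers({
     *     email: 'test@example.com',
     *     account_id: 'account_id',
     *   });
     * ```
     */
    revokeUsers(params: OrganizationRevokeUsersParams, options?: Core.RequestOptions): Core.APIPromise<OrganizationRevokeUsersResponse>;
}
/**
 * Appearance settings for the login page: colors, header and footer text, and
 * logo.
 */
export interface LoginDesign {
    /**
     * The background color on your login page.
     */
    background_color?: string;
    /**
     * The text at the bottom of your login page.
     */
    footer_text?: string;
    /**
     * The text at the top of your login page.
     */
    header_text?: string;
    /**
     * The URL of the logo on your login page.
     */
    logo_path?: string;
    /**
     * The text color on your login page.
     */
    text_color?: string;
}
/**
 * Request-side counterpart of {@link LoginDesign}; the fields are identical.
 */
export interface LoginDesignParam {
    /**
     * The background color on your login page.
     */
    background_color?: string;
    /**
     * The text at the bottom of your login page.
     */
    footer_text?: string;
    /**
     * The text at the top of your login page.
     */
    header_text?: string;
    /**
     * The URL of the logo on your login page.
     */
    logo_path?: string;
    /**
     * The text color on your login page.
     */
    text_color?: string;
}
/**
 * Configuration of a Zero Trust organization. Every field is optional in this
 * declaration.
 */
export interface Organization {
    /**
     * When set to true, users can authenticate via WARP for any application in your
     * organization. Application settings will take precedence over this value.
     */
    allow_authenticate_via_warp?: boolean;
    /**
     * The unique subdomain assigned to your Zero Trust organization.
     */
    auth_domain?: string;
    /**
     * When set to `true`, users skip the identity provider selection step during
     * login.
     */
    auto_redirect_to_identity?: boolean;
    /**
     * Custom pages shown when a user is denied access.
     */
    custom_pages?: Organization.CustomPages;
    /**
     * Determines whether to deny all requests to Cloudflare-protected resources that
     * lack an associated Access application. If enabled, you must explicitly configure
     * an Access application and policy to allow traffic to your Cloudflare-protected
     * resources. For domains you want to be public across all subdomains, add the
     * domain to the `deny_unmatched_requests_exempted_zone_names` array.
     */
    deny_unmatched_requests?: boolean;
    /**
     * Contains zone names to exempt from the `deny_unmatched_requests` feature.
     * Requests to a subdomain in an exempted zone will block unauthenticated traffic
     * by default if there is a configured Access application and policy that matches
     * the request.
     */
    deny_unmatched_requests_exempted_zone_names?: Array<string>;
    /**
     * Lock all settings as Read-Only in the Dashboard, regardless of user permission.
     * Updates may only be made via the API or Terraform for this account when enabled.
     */
    is_ui_read_only?: boolean;
    /**
     * Appearance settings for the login page.
     */
    login_design?: LoginDesign;
    /**
     * Configures multi-factor authentication (MFA) settings for an organization.
     */
    mfa_config?: Organization.MfaConfig;
    /**
     * Determines whether global MFA settings apply to applications by default. The
     * organization must have MFA enabled with at least one authentication method and a
     * session duration configured.
     */
    mfa_required_for_all_apps?: boolean;
    /**
     * Configures SSH PIV key requirements for MFA using hardware security keys.
     */
    mfa_ssh_piv_key_requirements?: Organization.MfaSSHPivKeyRequirements;
    /**
     * The name of your Zero Trust organization.
     */
    name?: string;
    /**
     * The amount of time that tokens issued for applications will be valid. Must be in
     * the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs), ms, s, m,
     * h.
     */
    session_duration?: string;
    /**
     * A description of the reason why the UI read only field is being toggled.
     */
    ui_read_only_toggle_reason?: string;
    /**
     * The amount of time a user seat is inactive before it expires. When the user seat
     * exceeds the set time of inactivity, the user is removed as an active seat and no
     * longer counts against your Teams seat count. Minimum value for this setting is 1
     * month (730h). Must be in the format `300ms` or `2h45m`. Valid time units are:
     * `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
     */
    user_seat_expiration_inactive_time?: string;
    /**
     * The amount of time that tokens issued for applications will be valid. Must be in
     * the format `30m` or `2h45m`. Valid time units are: m, h.
     *
     * NOTE(review): this wording repeats `session_duration`; judging by the field
     * name it presumably applies to WARP-authenticated sessions. Confirm against
     * the API reference.
     */
    warp_auth_session_duration?: string;
}
export declare namespace Organization {
    /**
     * Identifiers of the custom pages shown when access is denied.
     */
    interface CustomPages {
        /**
         * The uid of the custom page to use when a user is denied access after failing a
         * non-identity rule.
         */
        forbidden?: string;
        /**
         * The uid of the custom page to use when a user is denied access.
         */
        identity_denied?: string;
    }
    /**
     * Configures multi-factor authentication (MFA) settings for an organization.
     */
    interface MfaConfig {
        /**
         * Lists the MFA methods that users can authenticate with.
         */
        allowed_authenticators?: Array<'totp' | 'biometrics' | 'security_key' | 'ssh_piv_key'>;
        /**
         * Allows a user to skip MFA via Authentication Method Reference (AMR) matching
         * when the AMR claim provided by the IdP the user used to authenticate contains
         * "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30
         * days).
         *
         * Review note: with this set, the skip decision depends on the AMR claim
         * asserted by the IdP, so size the duration with that trust in mind.
         */
        amr_matching_session_duration?: string;
        /**
         * Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.
         */
        required_aaguids?: string;
        /**
         * Defines the duration of an MFA session. Must be in minutes (m) or hours (h).
         * Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
         */
        session_duration?: string;
    }
    /**
     * Configures SSH PIV key requirements for MFA using hardware security keys.
     *
     * Review note: `pin_policy: 'never'` combined with `touch_policy: 'never'`
     * leaves neither a PIN nor a touch requirement on key use.
     */
    interface MfaSSHPivKeyRequirements {
        /**
         * Defines when a PIN is required to use the SSH key. Valid values: `never` (no PIN
         * required), `once` (PIN required once per session), `always` (PIN required for
         * each use).
         */
        pin_policy?: 'never' | 'once' | 'always';
        /**
         * Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher
         * validated device.
         */
        require_fips_device?: boolean;
        /**
         * Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type.
         * Ed25519 has a fixed key size and does not accept this parameter.
         *
         * `521` is the ECDSA P-521 curve size, not a typo for 512.
         */
        ssh_key_size?: Array<256 | 384 | 521 | 2048 | 3072 | 4096>;
        /**
         * Specifies the allowed SSH key types. Valid values are `ecdsa`, `ed25519`, and
         * `rsa`.
         */
        ssh_key_type?: Array<'ecdsa' | 'ed25519' | 'rsa'>;
        /**
         * Defines when physical touch is required to use the SSH key. Valid values:
         * `never` (no touch required), `always` (touch required for each use), `cached`
         * (touch cached for 15 seconds).
         */
        touch_policy?: 'never' | 'always' | 'cached';
    }
}
/**
 * Boolean result type declared for the revoke-users call.
 */
export type OrganizationRevokeUsersResponse = true | false;
/**
 * Parameters for creating a Zero Trust organization. `auth_domain` and `name`
 * are required. Both `account_id` and `zone_id` are optional in the type, so the
 * compiler does not enforce that exactly one of them is supplied.
 */
export interface OrganizationCreateParams {
    /**
     * Body param: The unique subdomain assigned to your Zero Trust organization.
     */
    auth_domain: string;
    /**
     * Body param: The name of your Zero Trust organization.
     */
    name: string;
    /**
     * Path param: The Account ID to use for this endpoint. Mutually exclusive with the
     * Zone ID.
     */
    account_id?: string;
    /**
     * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the
     * Account ID.
     */
    zone_id?: string;
    /**
     * Body param: When set to true, users can authenticate via WARP for any
     * application in your organization. Application settings will take precedence over
     * this value.
     */
    allow_authenticate_via_warp?: boolean;
    /**
     * Body param: When set to `true`, users skip the identity provider selection step
     * during login.
     */
    auto_redirect_to_identity?: boolean;
    /**
     * Body param: Determines whether to deny all requests to Cloudflare-protected
     * resources that lack an associated Access application. If enabled, you must
     * explicitly configure an Access application and policy to allow traffic to your
     * Cloudflare-protected resources. For domains you want to be public across all
     * subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names`
     * array.
     */
    deny_unmatched_requests?: boolean;
    /**
     * Body param: Contains zone names to exempt from the `deny_unmatched_requests`
     * feature. Requests to a subdomain in an exempted zone will block unauthenticated
     * traffic by default if there is a configured Access application and policy that
     * matches the request.
     */
    deny_unmatched_requests_exempted_zone_names?: Array<string>;
    /**
     * Body param: Lock all settings as Read-Only in the Dashboard, regardless of user
     * permission. Updates may only be made via the API or Terraform for this account
     * when enabled.
     */
    is_ui_read_only?: boolean;
    /**
     * Body param: Appearance settings for the login page.
     */
    login_design?: LoginDesignParam;
    /**
     * Body param: Configures multi-factor authentication (MFA) settings for an
     * organization.
     */
    mfa_config?: OrganizationCreateParams.MfaConfig;
    /**
     * Body param: Determines whether global MFA settings apply to applications by
     * default. The organization must have MFA enabled with at least one authentication
     * method and a session duration configured.
     */
    mfa_required_for_all_apps?: boolean;
    /**
     * Body param: Configures SSH PIV key requirements for MFA using hardware security
     * keys.
     */
    mfa_ssh_piv_key_requirements?: OrganizationCreateParams.MfaSSHPivKeyRequirements;
    /**
     * Body param: The amount of time that tokens issued for applications will be
     * valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us
     * (or µs), ms, s, m, h.
     */
    session_duration?: string;
    /**
     * Body param: A description of the reason why the UI read only field is being
     * toggled.
     */
    ui_read_only_toggle_reason?: string;
    /**
     * Body param: The amount of time a user seat is inactive before it expires. When
     * the user seat exceeds the set time of inactivity, the user is removed as an
     * active seat and no longer counts against your Teams seat count. Minimum value
     * for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`.
     * Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
     */
    user_seat_expiration_inactive_time?: string;
    /**
     * Body param: The amount of time that tokens issued for applications will be
     * valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.
     *
     * NOTE(review): this wording repeats `session_duration`; judging by the field
     * name it presumably applies to WARP-authenticated sessions. Confirm against
     * the API reference.
     */
    warp_auth_session_duration?: string;
}
export declare namespace OrganizationCreateParams {
    /**
     * Configures multi-factor authentication (MFA) settings for an organization.
     */
    interface MfaConfig {
        /**
         * Lists the MFA methods that users can authenticate with.
         */
        allowed_authenticators?: Array<'totp' | 'biometrics' | 'security_key' | 'ssh_piv_key'>;
        /**
         * Allows a user to skip MFA via Authentication Method Reference (AMR) matching
         * when the AMR claim provided by the IdP the user used to authenticate contains
         * "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30
         * days).
         *
         * Review note: with this set, the skip decision depends on the AMR claim
         * asserted by the IdP, so size the duration with that trust in mind.
         */
        amr_matching_session_duration?: string;
        /**
         * Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.
         */
        required_aaguids?: string;
        /**
         * Defines the duration of an MFA session. Must be in minutes (m) or hours (h).
         * Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
         */
        session_duration?: string;
    }
    /**
     * Configures SSH PIV key requirements for MFA using hardware security keys.
     *
     * Review note: `pin_policy: 'never'` combined with `touch_policy: 'never'`
     * leaves neither a PIN nor a touch requirement on key use.
     */
    interface MfaSSHPivKeyRequirements {
        /**
         * Defines when a PIN is required to use the SSH key. Valid values: `never` (no PIN
         * required), `once` (PIN required once per session), `always` (PIN required for
         * each use).
         */
        pin_policy?: 'never' | 'once' | 'always';
        /**
         * Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher
         * validated device.
         */
        require_fips_device?: boolean;
        /**
         * Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type.
         * Ed25519 has a fixed key size and does not accept this parameter.
         *
         * `521` is the ECDSA P-521 curve size, not a typo for 512.
         */
        ssh_key_size?: Array<256 | 384 | 521 | 2048 | 3072 | 4096>;
        /**
         * Specifies the allowed SSH key types. Valid values are `ecdsa`, `ed25519`, and
         * `rsa`.
         */
        ssh_key_type?: Array<'ecdsa' | 'ed25519' | 'rsa'>;
        /**
         * Defines when physical touch is required to use the SSH key. Valid values:
         * `never` (no touch required), `always` (touch required for each use), `cached`
         * (touch cached for 15 seconds).
         */
        touch_policy?: 'never' | 'always' | 'cached';
    }
}
/**
 * Parameters for updating a Zero Trust organization. Every field is optional.
 * Both `account_id` and `zone_id` are optional in the type, so the compiler
 * does not enforce that exactly one of them is supplied.
 */
export interface OrganizationUpdateParams {
    /**
     * Path param: The Account ID to use for this endpoint. Mutually exclusive with the
     * Zone ID.
     */
    account_id?: string;
    /**
     * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the
     * Account ID.
     */
    zone_id?: string;
    /**
     * Body param: When set to true, users can authenticate via WARP for any
     * application in your organization. Application settings will take precedence over
     * this value.
     */
    allow_authenticate_via_warp?: boolean;
    /**
     * Body param: The unique subdomain assigned to your Zero Trust organization.
     */
    auth_domain?: string;
    /**
     * Body param: When set to `true`, users skip the identity provider selection step
     * during login.
     */
    auto_redirect_to_identity?: boolean;
    /**
     * Body param: Custom pages shown when a user is denied access.
     */
    custom_pages?: OrganizationUpdateParams.CustomPages;
    /**
     * Body param: Determines whether to deny all requests to Cloudflare-protected
     * resources that lack an associated Access application. If enabled, you must
     * explicitly configure an Access application and policy to allow traffic to your
     * Cloudflare-protected resources. For domains you want to be public across all
     * subdomains, add the domain to the `deny_unmatched_requests_exempted_zone_names`
     * array.
     */
    deny_unmatched_requests?: boolean;
    /**
     * Body param: Contains zone names to exempt from the `deny_unmatched_requests`
     * feature. Requests to a subdomain in an exempted zone will block unauthenticated
     * traffic by default if there is a configured Access application and policy that
     * matches the request.
     */
    deny_unmatched_requests_exempted_zone_names?: Array<string>;
    /**
     * Body param: Lock all settings as Read-Only in the Dashboard, regardless of user
     * permission. Updates may only be made via the API or Terraform for this account
     * when enabled.
     */
    is_ui_read_only?: boolean;
    /**
     * Body param: Appearance settings for the login page.
     */
    login_design?: LoginDesignParam;
    /**
     * Body param: Configures multi-factor authentication (MFA) settings for an
     * organization.
     */
    mfa_config?: OrganizationUpdateParams.MfaConfig;
    /**
     * Body param: Determines whether global MFA settings apply to applications by
     * default. The organization must have MFA enabled with at least one authentication
     * method and a session duration configured.
     */
    mfa_required_for_all_apps?: boolean;
    /**
     * Body param: Configures SSH PIV key requirements for MFA using hardware security
     * keys.
     */
    mfa_ssh_piv_key_requirements?: OrganizationUpdateParams.MfaSSHPivKeyRequirements;
    /**
     * Body param: The name of your Zero Trust organization.
     */
    name?: string;
    /**
     * Body param: The amount of time that tokens issued for applications will be
     * valid. Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us
     * (or µs), ms, s, m, h.
     */
    session_duration?: string;
    /**
     * Body param: A description of the reason why the UI read only field is being
     * toggled.
     */
    ui_read_only_toggle_reason?: string;
    /**
     * Body param: The amount of time a user seat is inactive before it expires. When
     * the user seat exceeds the set time of inactivity, the user is removed as an
     * active seat and no longer counts against your Teams seat count. Minimum value
     * for this setting is 1 month (730h). Must be in the format `300ms` or `2h45m`.
     * Valid time units are: `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
     */
    user_seat_expiration_inactive_time?: string;
    /**
     * Body param: The amount of time that tokens issued for applications will be
     * valid. Must be in the format `30m` or `2h45m`. Valid time units are: m, h.
     *
     * NOTE(review): this wording repeats `session_duration`; judging by the field
     * name it presumably applies to WARP-authenticated sessions. Confirm against
     * the API reference.
     */
    warp_auth_session_duration?: string;
}
export declare namespace OrganizationUpdateParams {
    /**
     * Identifiers of the custom pages shown when access is denied.
     */
    interface CustomPages {
        /**
         * The uid of the custom page to use when a user is denied access after failing a
         * non-identity rule.
         */
        forbidden?: string;
        /**
         * The uid of the custom page to use when a user is denied access.
         */
        identity_denied?: string;
    }
    /**
     * Configures multi-factor authentication (MFA) settings for an organization.
     */
    interface MfaConfig {
        /**
         * Lists the MFA methods that users can authenticate with.
         */
        allowed_authenticators?: Array<'totp' | 'biometrics' | 'security_key' | 'ssh_piv_key'>;
        /**
         * Allows a user to skip MFA via Authentication Method Reference (AMR) matching
         * when the AMR claim provided by the IdP the user used to authenticate contains
         * "mfa". Must be in minutes (m) or hours (h). Minimum: 0m. Maximum: 720h (30
         * days).
         *
         * Review note: with this set, the skip decision depends on the AMR claim
         * asserted by the IdP, so size the duration with that trust in mind.
         */
        amr_matching_session_duration?: string;
        /**
         * Specifies a Cloudflare List of required FIDO2 authenticator device AAGUIDs.
         */
        required_aaguids?: string;
        /**
         * Defines the duration of an MFA session. Must be in minutes (m) or hours (h).
         * Minimum: 0m. Maximum: 720h (30 days). Examples: `5m` or `24h`.
         */
        session_duration?: string;
    }
    /**
     * Configures SSH PIV key requirements for MFA using hardware security keys.
     *
     * Review note: `pin_policy: 'never'` combined with `touch_policy: 'never'`
     * leaves neither a PIN nor a touch requirement on key use.
     */
    interface MfaSSHPivKeyRequirements {
        /**
         * Defines when a PIN is required to use the SSH key. Valid values: `never` (no PIN
         * required), `once` (PIN required once per session), `always` (PIN required for
         * each use).
         */
        pin_policy?: 'never' | 'once' | 'always';
        /**
         * Requires the SSH PIV key to be stored on a FIPS 140-2 Level 1 or higher
         * validated device.
         */
        require_fips_device?: boolean;
        /**
         * Specifies the allowed SSH key sizes in bits. Valid sizes depend on key type.
         * Ed25519 has a fixed key size and does not accept this parameter.
         *
         * `521` is the ECDSA P-521 curve size, not a typo for 512.
         */
        ssh_key_size?: Array<256 | 384 | 521 | 2048 | 3072 | 4096>;
        /**
         * Specifies the allowed SSH key types. Valid values are `ecdsa`, `ed25519`, and
         * `rsa`.
         */
        ssh_key_type?: Array<'ecdsa' | 'ed25519' | 'rsa'>;
        /**
         * Defines when physical touch is required to use the SSH key. Valid values:
         * `never` (no touch required), `always` (touch required for each use), `cached`
         * (touch cached for 15 seconds).
         */
        touch_policy?: 'never' | 'always' | 'cached';
    }
}
/**
 * Parameters for reading the organization configuration. Both IDs are optional
 * in the type, so the compiler does not enforce that exactly one is supplied.
 */
export interface OrganizationListParams {
    /**
     * The Account ID to use for this endpoint. Mutually exclusive with the Zone ID.
     */
    account_id?: string;
    /**
     * The Zone ID to use for this endpoint. Mutually exclusive with the Account ID.
     */
    zone_id?: string;
}
/**
 * Parameters for revoking a user's access. Only `email` is required; device
 * revocation and forced WARP re-authentication are separate optional flags.
 * Both `account_id` and `zone_id` are optional in the type, so the compiler
 * does not enforce that exactly one of them is supplied.
 */
export interface OrganizationRevokeUsersParams {
    /**
     * Body param: The email of the user to revoke.
     */
    email: string;
    /**
     * Path param: The Account ID to use for this endpoint. Mutually exclusive with the
     * Zone ID.
     */
    account_id?: string;
    /**
     * Path param: The Zone ID to use for this endpoint. Mutually exclusive with the
     * Account ID.
     */
    zone_id?: string;
    /**
     * Query param: When set to `true`, all devices associated with the user will be
     * revoked.
     */
    query_devices?: boolean;
    /**
     * Body param: When set to `true`, all devices associated with the user will be
     * revoked.
     */
    body_devices?: boolean;
    /**
     * Body param: The uuid of the user to revoke.
     */
    user_uid?: string;
    /**
     * Body param: When set to `true`, the user will be required to re-authenticate to
     * WARP for all Gateway policies that enforce a WARP client session duration. When
     * `false`, the user’s WARP session will remain active.
     */
    warp_session_reauth?: boolean;
}
export declare namespace Organizations {
    export {
        type LoginDesign as LoginDesign,
        type Organization as Organization,
        type OrganizationRevokeUsersResponse as OrganizationRevokeUsersResponse,
        type OrganizationCreateParams as OrganizationCreateParams,
        type OrganizationUpdateParams as OrganizationUpdateParams,
        type OrganizationListParams as OrganizationListParams,
        type OrganizationRevokeUsersParams as OrganizationRevokeUsersParams,
    };
    export {
        DOH as DOH,
        type DOHUpdateResponse as DOHUpdateResponse,
        type DOHGetResponse as DOHGetResponse,
        type DOHUpdateParams as DOHUpdateParams,
        type DOHGetParams as DOHGetParams,
    };
}
//# sourceMappingURL=organizations.d.ts.map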