cloudflare · maxvp · Feb 26, 2025 · Feb 25, 2025 · Feb 25, 2025 · Feb 25, 2025
@@ -73,9 +73,8 @@ If there is an issue with your SSO IdP provider, you can add an alternate IdP us
 1. [Add](/api/resources/zero_trust/subresources/identity_providers/methods/create/) one-time PIN login:
 
 ```bash title="cURL command"
-curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers' \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers' \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{
   "type": "onetimepin",
@@ -86,9 +85,8 @@ curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity
 2. [Get](/api/resources/zero_trust/subresources/access/subresources/applications/methods/list/) the `id` of the `dash_sso` Access application. You can use [`jq`](https://jqlang.github.io/jq/download/) to quickly find the correct application:
 
 ```bash title="cURL command"
-curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps' \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+curl 'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps' \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 | jq '.result[] | select(.type == "dash_sso")'
 ```
 
@@ -106,9 +104,8 @@ curl 'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps' \
 
 ```bash title="cURL command"
 curl --request PUT \
-'https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/3537a672-e4d8-4d89-aab9-26cb622918a1' \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/apps/3537a672-e4d8-4d89-aab9-26cb622918a1' \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{
   "id": "3537a672-e4d8-4d89-aab9-26cb622918a1",
@@ -127,9 +124,8 @@ The following API calls will disable SSO enforcement for an account. This action
 1. Get your SSO `connector_id`:
 
 ```bash title="cURL command"
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connectors \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>"
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/sso/v2/connectors \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
 ```
 
 ```json title="Response"
@@ -153,9 +149,8 @@ curl https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connector
 
 ```bash title="cURL command"
 curl --request PATCH \
-'https://api.cloudflare.com/client/v4/accounts/{account_id}/sso/v2/connectors/2828' \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+'https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/sso/v2/connectors/2828' \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{
   "sso_connector_status": "DIS"

@@ -114,9 +114,8 @@ Currently, authentication tokens can only be generated through the API. You can
 ### 1. Create a service token for the account
 
 ```bash
-curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/service_tokens" \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/service_tokens" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{"name":"ACME Corporation service token"}'
 ```
@@ -148,12 +147,11 @@ Save the service token's `client_id`, `client_secret`, and `id`.
 
 ```bash
 curl --request PUT \
-"https://api.cloudflare.com/client/v4/accounts/{account_id}/access/organizations/doh/{service_token_id}" \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>"
+"https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/organizations/doh/$SERVICE_TOKEN_ID" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
 ```
 
-If you get an `access.api.error.service_token_not_found` error, check that `{service_token_id}` is the value of `id` and not `client_id`.
+If you get an `access.api.error.service_token_not_found` error, check that `$SERVICE_TOKEN_ID` is the value of `id` and not `client_id`.
 
 <Details header="Example response">
 
@@ -181,9 +179,8 @@ If you get an `access.api.error.service_token_not_found` error, check that `{ser
 Create a new user and optionally add them to a group.
 
 ```bash
-curl "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/users" \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/users" \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{
   "name": "John Doe",

@@ -64,7 +64,7 @@ https://<SUBDOMAIN>.proxy.cloudflare-gateway.com
 
    ```bash
    curl https://api.cloudflare.com/client/v4/accounts/<ACCOUNT_ID>/gateway/proxy_endpoints \
-   --header "Authorization: Bearer <API_TOKEN>" \
+   --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{"name": "any_name", "ips": ["<PUBLIC_IP>", "<PUBLIC_IP2>", "<PUBLIC_IP3>"]}'
    ```
@@ -211,8 +211,8 @@ To get the domain of a proxy endpoint:
 1. Use the [List proxy endpoints](/api/resources/zero_trust/subresources/gateway/subresources/proxy_endpoints/methods/list/) operation to get a list of your proxy endpoints and their details. For example:
 
    ```bash
-   curl https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/proxy_endpoints \
-   --header "Authorization: Bearer <API_TOKEN>"
+   curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/proxy_endpoints \
+   --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
    ```
 
    ```json {8} output

@@ -35,9 +35,8 @@ Your profile will appear in the **Profile settings** list. You can rearrange the
 Send a `POST` request to the [Devices endpoint](/api/resources/zero_trust/subresources/devices/subresources/policies/subresources/custom/methods/create/):
 
 ```bash
-curl https://api.cloudflare.com/client/v4/accounts/{account_id}/devices/policy \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/devices/policy \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --header "Content-Type: application/json" \
 --data '{
   "allow_mode_switch": false,

@@ -209,9 +209,9 @@ To rotate a tunnel token:
 	2. Make a `PATCH` request to the [Cloudflare Tunnel](/api/resources/zero_trust/subresources/tunnels/methods/edit/) endpoint:
 		```sh
 		curl --request PATCH \
-		https://api.cloudflare.com/client/v4/accounts/{account_id}/cfd_tunnel/{tunnel_id} \
+		https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID \
 		--header 'Content-Type: application/json' \
-		--header "Authorization: Bearer <API_TOKEN>" \
+		--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 		--data '{
 			"name": "Example tunnel",
 			"tunnel_secret": "AQIDBAUGBwgBAgMEBQYHCAECAwQFBgcIAQIDBAUGBwg="
@@ -280,8 +280,8 @@ If your tunnel token is compromised, we recommend taking the following steps:
 2. [Delete all connections](/api/resources/zero_trust/subresources/tunnels/subresources/connections/methods/delete/) between `cloudflared` and Cloudflare:
 	```sh
 	curl --request DELETE \
-	https://api.cloudflare.com/client/v4/accounts/{account_id}/cfd_tunnel/{tunnel_id}/connections \
-	--header "Authorization: Bearer <API_TOKEN>"
+	https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/cfd_tunnel/$TUNNEL_ID/connections \
+	--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN"
 	```
 
 	This will clean up any unauthorized connections and prevent users from connecting to your network.

@@ -13,7 +13,10 @@ import { Tabs, TabItem, Badge, Render } from "~/components";
 
 [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/) provides granular control over how users can connect to your SSH servers. This feature uses the same deployment model as [WARP-to-Tunnel](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-warp-to-tunnel/) but unlocks more policy options and command logging functionality.
 
-<Render file="access/short-lived-certs-intro" params={{ intro: "Furthermore, Access for Infrastructure replaces" }} />
+<Render
+	file="access/short-lived-certs-intro"
+	params={{ intro: "Furthermore, Access for Infrastructure replaces" }}
+/>
 
 ## 1. Connect the server to Cloudflare
 
@@ -31,8 +34,7 @@ To connect your devices to Cloudflare:
 
 ## 3. Route server IPs through WARP
 
-<Render file="tunnel/warp-to-tunnel-route-ips" params={{ one: "SSH server"}} />
-
+<Render file="tunnel/warp-to-tunnel-route-ips" params={{ one: "SSH server" }} />
 
 ## 4. Add a target
 
@@ -55,9 +57,11 @@ To generate a Cloudflare SSH CA and get its public key:
 <Render file="ssh/ssh-proxy-ca" />
 
 ### Save the public key
+
 <Render file="ssh/public-key" />
 
 ### Modify your SSHD config
+
 <Render file="ssh/modify-sshd" />
 
 :::note
@@ -66,9 +70,11 @@ For certain distributions, such as Amazon Linux 1 (based on RHEL), the certifica
 ```sh
 chmod 600 /etc/ssh/ca.pub
 ```
+
 :::
 
 ### Restart your SSH server
+
 <Render file="ssh/restart-server" />
 
 ## 7. Connect as a user
@@ -112,13 +118,13 @@ Cloudflare will stop logging SSH commands to your targets, as well as any comman
 To delete the SSH encryption public key using the [API](/api/resources/zero_trust/subresources/gateway/subresources/audit_ssh_settings/methods/update/):
 
 ```sh
-curl --request PUT https://api.cloudflare.com/client/v4/accounts/{account_id}/gateway/audit_ssh_settings \
---header "X-Auth-Email: <EMAIL>" \
---header "X-Auth-Key: <API_KEY>" \
+curl --request PUT https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/gateway/audit_ssh_settings \
+--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
 --data '{
   "public_key": ""
 }'
 ```
+
 </TabItem>
 </Tabs>
 

@@ -19,31 +19,31 @@ The following Entra ID values are required to set up the integration:
 
 To retrieve those values:
 
-1. Log in to the [Azure dashboard](https://portal.azure.com/).
+1.  Log in to the [Azure dashboard](https://portal.azure.com/).
 
-2. Go to **All services** > **Microsoft Entra ID**.
+2.  Go to **All services** > **Microsoft Entra ID**.
 
-3. In the sidebar, go to **Manage** > **Enterprise applications**.
+3.  In the sidebar, go to **Manage** > **Enterprise applications**.
 
-4. Select **New application**, then select **Create your own application**.
+4.  Select **New application**, then select **Create your own application**.
 
-5. Name your application.
+5.  Name your application.
 
-6. Select **Register an application to integrate with Microsoft Entra ID (App you're developing)** and then select **Create**.
+6.  Select **Register an application to integrate with Microsoft Entra ID (App you're developing)** and then select **Create**.
 
-7. Under **Redirect URI**, select the _Web_ platform and enter the following URL:
+7.  Under **Redirect URI**, select the _Web_ platform and enter the following URL:
 
-   ```txt
-   https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
-   ```
+    ```txt
+    https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback
+    ```
 
-   You can find your team name in Zero Trust under **Settings** > **Custom Pages**.
+    You can find your team name in Zero Trust under **Settings** > **Custom Pages**.
 
-   ![Registering an application in Azure](~/assets/images/cloudflare-one/identity/azure/name-app.png)
+    ![Registering an application in Azure](~/assets/images/cloudflare-one/identity/azure/name-app.png)
 
-8. Select **Register**.
+8.  Select **Register**.
 
-9. Next, return to Microsoft Entra ID and go to go to **Manage** > **App registrations**.
+9.  Next, return to Microsoft Entra ID and go to go to **Manage** > **App registrations**.
 
 10. Select the app you just created. Copy the **Application (client) ID** and **Directory (tenant) ID**.
 
@@ -53,11 +53,9 @@ To retrieve those values:
 
 12. Name the client secret and choose an expiration period.
 
-:::note
-
-When the client secret expires, users will be unable to log in through Access. Take note of your expiry date to prevent login errors and renew your client secret when necessary.
-
-:::
+    :::note
+    When the client secret expires, users will be unable to log in through Access. Take note of your expiry date to prevent login errors and renew your client secret when necessary.
+    :::
 
 13. After the client secret is created, copy its **Value** field. Store the client secret in a safe place, as it can only be viewed immediately after creation.
 
@@ -118,40 +116,42 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha
 
 </TabItem> <TabItem label="API">
 
-1. [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
-		| Type    | Item             | Permission |
-		| ------- | ---------------- | ---------- |
-		| Account | Access: Organizations, Identity Providers, and Groups   | Edit    |
-
-2. Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint:
-
-		```sh
-		curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \
-		--header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-		--data '{
-			"name": "Entra ID example",
-			"type": "azureAD",
-			"config": {
-			  "client_id": "<your client id>",
-		    "client_secret": "<your client secret>",
-		    "directory_id": "<your azure directory uuid>",
-		    "support_groups": true
-			}
-		}'
-		```
+1.  [Create an API token](/fundamentals/api/get-started/create-token/) with the following permissions:
+
+        | Type    | Item                                                  | Permission |
+        | ------- | ----------------------------------------------------- | ---------- |
+        | Account | Access: Organizations, Identity Providers, and Groups | Edit       |
+
+2.  Make a `POST` request to the [Identity Providers](/api/resources/zero_trust/subresources/identity_providers/methods/create/) endpoint:
+
+        ```sh
+        curl https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers \
+        --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
+        --data '{
+        	"name": "Entra ID example",
+        	"type": "azureAD",
+        	"config": {
+        	  "client_id": "<your client id>",
+            "client_secret": "<your client secret>",
+            "directory_id": "<your azure directory uuid>",
+            "support_groups": true
+        	}
+        }'
+        ```
 
 </TabItem> <TabItem label="Terraform">
 
 :::note[Provider versions]
 The following example requires Cloudflare provider version `>=4.40.0`.
 :::
 
-1. Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
-	- `Access: Organizations, Identity Providers, and Groups Write`
+1.  Add the following permission to your [`cloudflare_api_token`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/api_token):
+
+    - `Access: Organizations, Identity Providers, and Groups Write`
 
-2. Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
+2.  Configure the [`cloudflare_zero_trust_access_identity_provider`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zero_trust_access_identity_provider) resource:
 
-		<Render file="access/entra-id-terraform" />
+        <Render file="access/entra-id-terraform" />
 
 </TabItem> </Tabs>
 
@@ -185,7 +185,7 @@ The Microsoft Entra ID integration allows you to synchronize IdP groups and auto
 
 <Render
 	file="access/enable-scim-on-dashboard"
-	params={{ idp: "Entra ID", supportgroups: "Support groups"}}
+	params={{ idp: "Entra ID", supportgroups: "Support groups" }}
 />
 
 ### 2. Configure SCIM in Entra ID
@@ -274,11 +274,12 @@ Access and Gateway policies for an Entra group will also apply to all [nested gr
 You can require users to re-enter their credentials into Entra ID whenever they [re-authenticate their WARP session](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). To configure this setting:
 
 1. Make a `GET` request to the [Identity Providers endpoint](/api/resources/zero_trust/subresources/identity_providers/) and copy the response for the Entra ID identity provider.
-2. [Update the Entra ID identity provider](/api/resources/zero_trust/subresources/identity_providers/methods/update/) using a `PUT` request. In the request body, include all existing configurations and set the `prompt` parameter to either `login` or `select_account`. For example,
+2. [Update the Entra ID identity provider](/api/resources/zero_trust/subresources/identity_providers/methods/update/) using a `PUT` request. In the request body, include all existing configurations and set the `prompt` parameter to either `login` or `select_account`. For example:
+
    ```sh {17}
    curl --request PUT \
-   https://api.cloudflare.com/client/v4/accounts/{account_id}/access/identity_providers/{identity_provider_id} \
-   --header "Authorization: Bearer <API_TOKEN>" \
+   https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/access/identity_providers/$IDENTITY_PROVIDER_ID \
+   --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
    --header "Content-Type: application/json" \
    --data '{
    		"id": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",