Merged
2 changes: 2 additions & 0 deletions public/__redirects
Original file line number Diff line number Diff line change
Expand Up @@ -2391,6 +2391,8 @@
/cloudflare-one/identity/one-time-pin/ /cloudflare-one/integrations/identity-providers/one-time-pin/ 301
/cloudflare-one/identity/idp-integration/* /cloudflare-one/integrations/identity-providers/:splat 301
/cloudflare-one/identity/devices/service-providers/* /cloudflare-one/integrations/service-providers/:splat 301
/cloudflare-one/applications/configure-apps/* /cloudflare-one/access-controls/applications/configure-apps/:splat 301
/cloudflare-one/applications/non-http/* /cloudflare-one/access-controls/applications/non-http/:splat 301

# Learning paths

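Review bot: the two new wildcard rules cover only `/cloudflare-one/applications/configure-apps/*` and `/cloudflare-one/applications/non-http/*`; the bare section root `/cloudflare-one/applications/` (still linked unchanged from the fine-grained permissions changelog later in this PR) and any other subpath under it get no redirect. Consider adding `/cloudflare-one/applications/ /cloudflare-one/access-controls/applications/ 301`, or a trailing catch-all `/cloudflare-one/applications/* /cloudflare-one/access-controls/applications/:splat 301` placed after the more specific rules, so existing inbound links to the section root do not 404.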
Expand Up @@ -8,7 +8,7 @@ products:

Organizations can now eliminate long-lived credentials from their SSH setup and enable strong multi-factor authentication for SSH access, similar to other Access applications, all while generating access and command logs.

SSH with [Access for Infrastructure](/cloudflare-one/applications/non-http/infrastructure-apps/) uses short-lived SSH certificates from Cloudflare, eliminating SSH key management and reducing the security risks associated with lost or stolen keys. It also leverages a common deployment model for Cloudflare One customers: [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-warp-to-tunnel/).
SSH with [Access for Infrastructure](/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/) uses short-lived SSH certificates from Cloudflare, eliminating SSH key management and reducing the security risks associated with lost or stolen keys. It also leverages a common deployment model for Cloudflare One customers: [WARP-to-Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/ssh/ssh-warp-to-tunnel/).

SSH with Access for Infrastructure enables you to:

Expand Up @@ -6,7 +6,7 @@ products:
- access
---

[Access for SaaS applications](/cloudflare-one/applications/configure-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.
[Access for SaaS applications](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.

**SAML and OIDC Field Additions**

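Review bot: nit on the touched line: "Access for SaaS applications ... now include more configuration options" reads as a subject-verb mismatch; since the subject is the Access for SaaS feature, "now includes" is the intended form and this is a good moment to fix it while the line is being edited.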
Expand Up @@ -8,6 +8,6 @@ products:

You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](/cloudflare-one/access-controls/policies/).

[Self-hosted applications](/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.
[Self-hosted applications](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.

For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the [blog post](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) on the Cloudflare Blog.
Expand Up @@ -8,7 +8,7 @@ products:

![MCP server portal](~/assets/images/changelog/access/mcp-server-portal.png)

An [MCP server portal](/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:
An [MCP server portal](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:

- **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
- **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.
Expand Up @@ -12,17 +12,17 @@ import { Aside } from '@astrojs/starlight/components';
Fine-grained permissions for **Access Applications, Identity Providers (IdPs), and Targets** is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources.

### What's New
- **[Access Applications](https://developers.cloudflare.com/cloudflare-one/applications/)**: Grant admin permissions to specific Access Applications.
- **[Identity Providers](https://developers.cloudflare.com/cloudflare-one/identity/)**: Grant admin permissions to individual Identity Providers.
- **[Targets](https://developers.cloudflare.com/cloudflare-one/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets
- **[Access Applications](https://developers.cloudflare.com/cloudflare-one/applications/)**: Grant admin permissions to specific Access Applications.
- **[Identity Providers](https://developers.cloudflare.com/cloudflare-one/identity/)**: Grant admin permissions to individual Identity Providers.
- **[Targets](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets

![Updated Permissions Policy UX](~/assets/images/changelog/fundamentals/2025-10-01-fine-grained-permissioning-ux.png)
![Updated Permissions Policy UX](~/assets/images/changelog/fundamentals/2025-10-01-fine-grained-permissioning-ux.png)

<Aside>

During the public beta, members must also be assigned an account-scoped, read only role to view resources in the dashboard. This restriction will be lifted in a future release.
- **Account Read Only** plus a fine-grained permission for a specific App, IdP, or Target
- **Cloudflare Zero Trust Read Only** plus fine-grained permission for a specific App, IdP, or Target
During the public beta, members must also be assigned an account-scoped, read only role to view resources in the dashboard. This restriction will be lifted in a future release.
- **Account Read Only** plus a fine-grained permission for a specific App, IdP, or Target
- **Cloudflare Zero Trust Read Only** plus fine-grained permission for a specific App, IdP, or Target

</Aside>

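Review bot: only the Targets link is moved to the new path; the Access Applications link two lines above it still points at `https://developers.cloudflare.com/cloudflare-one/applications/`, which is the section this PR relocates, and the `__redirects` hunk adds no rule for that bare path. Update it to the new location and prefer the root-relative form used elsewhere in this PR (`/cloudflare-one/access-controls/applications/`) over an absolute developers.cloudflare.com URL. The image line and the three lines inside `<Aside>` show as modified with identical visible text, so those are whitespace-only changes; harmless, but worth confirming the list inside the Aside keeps the indentation the renderer expects.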
Expand Up @@ -81,7 +81,7 @@ Remember — [authentication is different from authorization](https://www.cloud

You can use Cloudflare Access as a Single Sign-On (SSO) provider to authorize users to your MCP server. Users log in using a [configured identity provider](/cloudflare-one/integrations/identity-providers/) or a [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/), and they are only granted access if their identity matches your [Access policies](/cloudflare-one/access-controls/policies/).

To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/).
To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/).

### (3) Third-party OAuth Provider

Expand Up @@ -5,7 +5,7 @@ tags:
- MCP
sidebar:
order: 101
external_link: /cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/
external_link: /cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals/
description: Centralize multiple MCP servers onto a single endpoint and customize the tools, prompts, and resources available to users.

---
Expand Up @@ -25,4 +25,4 @@ Cloudflare Access provides visibility and control over who has access to your [c
5. Select **Add public hostname**.
6. For **Input method**, select _Custom_.
7. In **Hostname**, enter your custom hostname (for example, `mycustomhostname.com`).
8. Follow the remaining [self-hosted application creation steps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to publish the application.
8. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application.
@@ -0,0 +1,24 @@
---
pcx_content_type: concept
title: Add web applications
sidebar:
order: 1
---

import { Render } from "~/components";

Cloudflare Access allows you to secure your web applications by acting as an identity aggregator, or proxy. You can use signals from your existing identity providers (IdPs), device posture providers, and [other rules](/cloudflare-one/access-controls/policies/#selectors) to control who can log in to the application.

![Cloudflare Access verifies a user's identity before granting access to your application.](~/assets/images/cloudflare-one/applications/diagram-saas.jpg)

You can protect the following types of web applications:

- [**SaaS applications**](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.

- **Self-hosted applications** consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network.
- [**Public hostname applications**](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/).
- [**Private network applications**](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a [network location](/magic-wan/) or use an agentless option such as [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).

- [**Model Context Protocol (MCP) servers**](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors.

- [**Cloudflare Dashboard SSO**](/fundamentals/manage-members/dashboard-sso/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.
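Review bot: `import { Render } from "~/components";` is unused in this new file (no `<Render />` appears anywhere in its 24 lines); drop the import so the MDX stays lint-clean. Minor: the Self-hosted applications item nests its two sub-bullets directly under it while every other top-level item is separated by a blank line; consistent spacing makes the list easier to extend when the next application type is added.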
Expand Up @@ -10,7 +10,7 @@ sidebar:

import { Render, GlossaryTooltip, APIRequest } from "~/components";

Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes.
Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes.

For example, your organization may wish to deploy an MCP server that helps employees interact with internal applications. You can configure [Access policies](/cloudflare-one/access-controls/policies/#selectors) to ensure that only authorized users can access those applications, either directly or by using an <GlossaryTooltip term="MCP client">MCP client</GlossaryTooltip>.

Expand Down Expand Up @@ -40,11 +40,11 @@ This guide covers how to use the Cloudflare API to link a self-hosted applicatio

## Prerequisites

- A [self-hosted Access application](/cloudflare-one/applications/configure-apps/self-hosted-public-app/)
- A [self-hosted Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/)

## 1. Secure the MCP server with Access for SaaS

The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/).
The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/).

## 2. Get the SaaS application ID

Expand Up @@ -41,7 +41,7 @@ To add an MCP server:
7. Add [Access policies](/cloudflare-one/access-controls/policies/) to show or hide the server in an [MCP server portal](#create-a-portal). The MCP server link will only appear in the portal for users who match an Allow policy. Users who do not pass an Allow policy will not see this server through any portals.

:::caution
Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/).
Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/).
:::

8. Select **Save and connect server**.
Expand Up @@ -103,7 +103,7 @@ https://mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev/callback
- **Authorization endpoint**
- **Key endpoint**

8. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider.
8. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider.
9. Configure [Access policies](/cloudflare-one/access-controls/policies/) to define the users who can access the MCP server.
10. Save the application.

Expand Down Expand Up @@ -134,7 +134,7 @@ https://mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev/callback
/>

2. Copy the `client_id` and `client_secret` returned in the response.
3. To determine the OAuth endpoint URLs for the SaaS application, refer to the [generic OIDC documentation](/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas/#2-add-your-application-to-access).
3. To determine the OAuth endpoint URLs for the SaaS application, refer to the [generic OIDC documentation](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas/#2-add-your-application-to-access).

</TabItem>
</Tabs>
Expand Up @@ -10,6 +10,6 @@ import { DirectoryListing } from "~/components"

Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in to the application with Cloudflare as the Single Sign-On provider. The user is then redirected to the configured identity providers for that application and are only granted access if they pass your Access policies.

Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our [generic SAML](/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas/) or [generic OIDC](/cloudflare-one/applications/configure-apps/saas-apps/generic-oidc-saas/) guide and consult your SaaS application's documentation.
Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our [generic SAML](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-saml-saas/) or [generic OIDC](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas/) guide and consult your SaaS application's documentation.

<DirectoryListing />
Expand Up @@ -10,7 +10,7 @@ import { Render } from "~/components";

You can securely publish internal tools and applications by adding Cloudflare Access as an authentication layer between the end user and your origin server.

This guide covers how to make a web application accessible to anyone on the Internet via a public hostname. If you would like to make the application available over a private IP or hostname, refer to [Add a self-hosted private application](/cloudflare-one/applications/non-http/self-hosted-private-app/).
This guide covers how to make a web application accessible to anyone on the Internet via a public hostname. If you would like to make the application available over a private IP or hostname, refer to [Add a self-hosted private application](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/).

## Prerequisites

@@ -0,0 +1,13 @@
---
pcx_content_type: navigation
title: Applications
sidebar:
order: 1
group:
hideIndex: true
---

import { DirectoryListing } from "~/components";

<DirectoryListing />

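Review bot: `hideIndex: true` removes this Applications index from the sidebar group, but the page is still rendered at its URL, so it is the natural landing spot for the old `/cloudflare-one/applications/` section root; the `__redirects` hunk at the top of this PR adds no rule for that bare path, so either add one here or confirm the old index is still served. A `description:` field, as the MCP portals sidebar entry in this PR carries, would also give this navigation page metadata to show in listings.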