cloudflare · ranbel · Oct 23, 2025 · Oct 23, 2025 · Oct 23, 2025 · Oct 23, 2025
@@ -2382,6 +2382,10 @@
 
 # Cloudflare One nav revamp
 /cloudflare-one/connections/ /cloudflare-one/ 301
+/cloudflare-one/identity/users/ /cloudflare-one/team-and-resources/users/ 301
+/cloudflare-one/identity/users/session-management/ /cloudflare-one/team-and-resources/users/session-management/ 301
+/cloudflare-one/identity/users/seat-management/ /cloudflare-one/team-and-resources/users/seat-management/ 301
+/cloudflare-one/identity/users/scim/ /cloudflare-one/team-and-resources/users/scim/ 301
 /cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
 /cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
 /cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301
@@ -2391,7 +2395,7 @@
 /cloudflare-one/identity/one-time-pin/ /cloudflare-one/integrations/identity-providers/one-time-pin/ 301
 /cloudflare-one/identity/idp-integration/* /cloudflare-one/integrations/identity-providers/:splat 301
 /cloudflare-one/identity/devices/service-providers/* /cloudflare-one/integrations/service-providers/:splat 301
-/cloudflare-one/applications/configure-apps/* /cloudflare-one/access-controls/applications/configure-apps/:splat 301
+/cloudflare-one/applications/configure-apps/* /cloudflare-one/access-controls/applications/http-apps/:splat 301
 /cloudflare-one/applications/non-http/* /cloudflare-one/access-controls/applications/non-http/:splat 301
 
 # Learning paths

@@ -6,7 +6,7 @@ products:
   - access
 ---
 
-[Access for SaaS applications](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.
+[Access for SaaS applications](/cloudflare-one/access-controls/applications/http-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.
 
 **SAML and OIDC Field Additions**
 

@@ -6,7 +6,7 @@ products:
   - access
 ---
 
-[Cloudflare Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim) now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The [SCIM logs](/cloudflare-one/insights/logs/scim-logs/) support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions.
+[Cloudflare Zero Trust SCIM provisioning](/cloudflare-one/team-and-resources/users/scim) now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The [SCIM logs](/cloudflare-one/insights/logs/scim-logs/) support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions.
 
 SCIM logs can be found on the Zero Trust Dashboard under **Logs** -> **SCIM provisioning**.
 

@@ -8,6 +8,6 @@ products:
 
 You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](/cloudflare-one/access-controls/policies/).
 
-[Self-hosted applications](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.
+[Self-hosted applications](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.
 
 For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the [blog post](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) on the Cloudflare Blog.
@@ -8,7 +8,7 @@ products:
 
 ![MCP server portal](~/assets/images/changelog/access/mcp-server-portal.png)
 
-An [MCP server portal](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:
+An [MCP server portal](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:
 
 - **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
 - **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.

@@ -81,7 +81,7 @@ Remember — [authentication is different from authorization](https://www.cloud
 
 You can use Cloudflare Access as a Single Sign-On (SSO) provider to authorize users to your MCP server. Users log in using a [configured identity provider](/cloudflare-one/integrations/identity-providers/) or a [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/), and they are only granted access if their identity matches your [Access policies](/cloudflare-one/access-controls/policies/).
 
-To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/).
+To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/).
 
 ### (3) Third-party OAuth Provider
 

@@ -5,7 +5,7 @@ tags:
   - MCP
 sidebar:
   order: 101
-external_link: /cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals/
+external_link: /cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals/
 description: Centralize multiple MCP servers onto a single endpoint and customize the tools, prompts, and resources available to users.
 
 ---
@@ -25,4 +25,4 @@ Cloudflare Access provides visibility and control over who has access to your [c
 5. Select **Add public hostname**.
 6. For **Input method**, select _Custom_.
 7. In **Hostname**, enter your custom hostname (for example, `mycustomhostname.com`).
-8. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application.
+8. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application.
@@ -13,12 +13,12 @@ Cloudflare Access allows you to secure your web applications by acting as an ide
 
 You can protect the following types of web applications:
 
-- [**SaaS applications**](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.
+- [**SaaS applications**](/cloudflare-one/access-controls/applications/http-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration.
 
 - **Self-hosted applications** consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network.
-  - [**Public hostname applications**](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/).
+  - [**Public hostname applications**](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/).
   - [**Private network applications**](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a [network location](/magic-wan/) or use an agentless option such as [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/).
 
-- [**Model Context Protocol (MCP) servers**](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors.
+- [**Model Context Protocol (MCP) servers**](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors.
 
 - [**Cloudflare Dashboard SSO**](/fundamentals/manage-members/dashboard-sso/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits.
@@ -10,7 +10,7 @@ sidebar:
 
 import { Render, GlossaryTooltip, APIRequest } from "~/components";
 
-Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes.
+Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes.
 
 For example, your organization may wish to deploy an MCP server that helps employees interact with internal applications. You can configure [Access policies](/cloudflare-one/access-controls/policies/#selectors) to ensure that only authorized users can access those applications, either directly or by using an <GlossaryTooltip term="MCP client">MCP client</GlossaryTooltip>.
 
@@ -40,11 +40,11 @@ This guide covers how to use the Cloudflare API to link a self-hosted applicatio
 
 ## Prerequisites
 
-- A [self-hosted Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/)
+- A [self-hosted Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/)
 
 ## 1. Secure the MCP server with Access for SaaS
 
-The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/).
+The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/).
 
 ## 2. Get the SaaS application ID
 

@@ -41,7 +41,7 @@ To add an MCP server:
 7. Add [Access policies](/cloudflare-one/access-controls/policies/) to show or hide the server in an [MCP server portal](#create-a-portal). The MCP server link will only appear in the portal for users who match an Allow policy. Users who do not pass an Allow policy will not see this server through any portals.
 
    :::caution
-   Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/).
+   Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/).
    :::
 
 8. Select **Save and connect server**.

@@ -103,7 +103,7 @@ https://mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev/callback
    - **Authorization endpoint**
    - **Key endpoint**
 
-8. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider.
+8. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider.
 9. Configure [Access policies](/cloudflare-one/access-controls/policies/) to define the users who can access the MCP server.
 10. Save the application.
 
@@ -134,7 +134,7 @@ https://mcp-server-cf-access.<YOUR_SUBDOMAIN>.workers.dev/callback
    />
 
 2. Copy the `client_id` and `client_secret` returned in the response.
-3. To determine the OAuth endpoint URLs for the SaaS application, refer to the [generic OIDC documentation](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas/#2-add-your-application-to-access).
+3. To determine the OAuth endpoint URLs for the SaaS application, refer to the [generic OIDC documentation](/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/#2-add-your-application-to-access).
 
 </TabItem>
 </Tabs>

@@ -54,7 +54,7 @@ Next, we will obtain **Identity provider metadata** from Zero Trust.
 
 :::caution[Important]
 
-Access for SaaS does not currently support [SCIM provisioning](/cloudflare-one/identity/users/scim/). Make sure that:
+Access for SaaS does not currently support [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/). Make sure that:
 
 1. Users are created in both your identity provider and AWS.
 2. Users have matching usernames in your identity provider and AWS.

@@ -103,7 +103,7 @@ To add additional OIDC claims onto the ID token sent to your SaaS application, c
 
 ### Access token lifetime
 
-The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](/cloudflare-one/identity/users/session-management/), otherwise the global session would take precedence.
+The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](/cloudflare-one/team-and-resources/users/session-management/), otherwise the global session would take precedence.
 
 :::note
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,7 +6,7 @@ products: @@
       - access
     ---
-    [Access for SaaS applications](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.
+    [Access for SaaS applications](/cloudflare-one/access-controls/applications/http-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications.
     **SAML and OIDC Field Additions**
@@ Expand Down @@