6 changes: 5 additions & 1 deletion public/__redirects
Original file line number Diff line number Diff line change
Expand Up @@ -2384,11 +2384,15 @@
# Cloudflare One nav revamp
/cloudflare-one/connections/ /cloudflare-one/ 301
/cloudflare-one/identity/users/ /cloudflare-one/team-and-resources/users/ 301
/cloudflare-one/identity/users/session-management/ /cloudflare-one/team-and-resources/users/session-management/ 301
/cloudflare-one/identity/users/session-management/ /cloudflare-one/access-controls/access-settings/session-management/ 301
/cloudflare-one/identity/users/seat-management/ /cloudflare-one/team-and-resources/users/seat-management/ 301
/cloudflare-one/identity/users/scim/ /cloudflare-one/team-and-resources/users/scim/ 301
/cloudflare-one/applications/login-page/ /cloudflare-one/reusable-components/custom-pages/access-login-page/ 301
/cloudflare-one/applications/block-page/ /cloudflare-one/reusable-components/custom-pages/access-block-page/ 301
/cloudflare-one/applications/app-library/ /cloudflare-one/team-and-resources/app-library/ 301
/cloudflare-one/applications/bookmarks/ /cloudflare-one/access-controls/applications/bookmarks/ 301
/cloudflare-one/applications/app-launcher/ /cloudflare-one/access-controls/access-settings/app-launcher/ 301
/cloudflare-one/applications/ /cloudflare-one/access-controls/applications/http-apps/ 301
/cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
/cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
/cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301
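Review bot: the replaced `/cloudflare-one/identity/users/session-management/` rule shows the previous destination was `/cloudflare-one/team-and-resources/users/session-management/`, and the docs hunks later in this PR rewrite every internal link away from that path to `/cloudflare-one/access-controls/access-settings/session-management/`, but no rule redirecting the `team-and-resources/users/session-management/` path itself appears in this hunk. Unless one exists elsewhere in the file, external bookmarks and search results for that URL will 404 after the move; suggest adding `/cloudflare-one/team-and-resources/users/session-management/ /cloudflare-one/access-controls/access-settings/session-management/ 301` next to the updated rule. Pointing the old `identity/users/` rule straight at the final location rather than at the intermediate path is the right call, since it avoids a 301 chain.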
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import { Aside } from '@astrojs/starlight/components';
Fine-grained permissions for **Access Applications, Identity Providers (IdPs), and Targets** is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources.

### What's New
- **[Access Applications](https://developers.cloudflare.com/cloudflare-one/applications/)**: Grant admin permissions to specific Access Applications.
- **[Access Applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/)**: Grant admin permissions to specific Access Applications.
- **[Identity Providers](https://developers.cloudflare.com/cloudflare-one/identity/)**: Grant admin permissions to individual Identity Providers.
- **[Targets](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets
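Review bot: the Identity Providers bullet directly below the updated line still points at `https://developers.cloudflare.com/cloudflare-one/identity/`, while this same PR redirects the `/cloudflare-one/identity/users/...` paths under that section; worth confirming `identity/` itself did not move before this changelog entry ships. Minor: the Targets bullet is the only one of the three without a terminating period.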

Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
pcx_content_type: how-to
title: App Launcher
sidebar:
order: 11
order: 1
---

import { Render } from "~/components";
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
---
pcx_content_type: navigation
title: Access settings
sidebar:
order: 6
group:
hideIndex: true
---

import { DirectoryListing } from "~/components";

<DirectoryListing />

Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
pcx_content_type: how-to
title: Session management
sidebar:
order: 3
order: 2
---

import { GlossaryTooltip, Render } from "~/components";
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ Some SaaS applications provide the Redirect URL after you [configure the SSO pro

13. Select **Next**.

14. Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. If **Show application in App Launcher** is enabled, then you must enter an **App Launcher URL**. The App Launcher URL is provided by the SaaS application. It may match the base URL portion of **Redirect URL** (`https://<INSTANCE-NAME>.example-app.com`) but could be a different value.
14. Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application. If **Show application in App Launcher** is enabled, then you must enter an **App Launcher URL**. The App Launcher URL is provided by the SaaS application. It may match the base URL portion of **Redirect URL** (`https://<INSTANCE-NAME>.example-app.com`) but could be a different value.

15. <Render file="access/access-block-page" product="cloudflare-one" />

Expand Down Expand Up @@ -103,7 +103,7 @@ To add additional OIDC claims onto the ID token sent to your SaaS application, c

### Access token lifetime

The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](/cloudflare-one/team-and-resources/users/session-management/), otherwise the global session would take precedence.
The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](/cloudflare-one/access-controls/access-settings/session-management/), otherwise the global session would take precedence.

:::note

Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace,

13. Select **Next**.

14. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application.
14. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application.

15. <Render file="access/access-block-page" product="cloudflare-one" />

Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ This guide covers how to configure [Grafana Cloud](https://grafana.com/docs/graf
8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**.
10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
12. Save the application.

## 2. Add a SSO provider to Grafana Cloud
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ You can also configure OIDC SSO for Grafana using a [configuration file](https:/
8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
9. Copy the **Client secret**, **Client ID**, **Token endpoint**, and **Authorization endpoint**.
10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-grafana-domain>/login`.
12. Save the application.

## 2. Add a SSO provider to Grafana
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ This guide covers how to configure [Salesforce](https://help.salesforce.com/s/ar
- **Token endpoint**
- **User info endpoint**
10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-domain>.my.salesforce.com`.
11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<your-domain>.my.salesforce.com`.
12. Save the application.

## 2. Add a SSO provider to Salesforce
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ This guide covers how to configure [ServiceNow](https://docs.servicenow.com/bund
8. (Optional) Enable [Proof of Key Exchange (PKCE)](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
9. Copy the **Client secret** and **Client ID**.
10. Configure [Access policies](/cloudflare-one/access-controls/policies/) for the application.
11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<INSTANCE-NAME>.service-now.com`.
11. (Optional) In **Experience settings**, configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) by turning on **Enable App in App Launcher** and, in **App Launcher URL**, entering `https://<INSTANCE-NAME>.service-now.com`.
12. Save the application.

## 2. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow
Original file line number Diff line number Diff line change
Expand Up @@ -102,7 +102,7 @@ To view all available filters, type `warp-cli target list --help`.

## Revoke a user's session

To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/team-and-resources/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.
To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/access-controls/access-settings/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target.

## Infrastructure policy selectors

Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ To create a private network application:
If you would like to create a policy for an IP/CIDR range instead of a specific IP address, you can build a [Gateway Network policy](/cloudflare-one/traffic-policies/network-policies/) using the **Destination IP** selector.
:::

6. Configure your [App Launcher](/cloudflare-one/applications/app-launcher/) visibility and logo.
6. Configure your [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) visibility and logo.

7. Select **Next**. You will see two auto-generated Gateway Network policies: one that allows access to the destination IP and another that blocks access.

Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/acce

9. Select **Next**.

10. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application.
10. (Optional) Configure [App Launcher settings](/cloudflare-one/access-controls/access-settings/app-launcher/) for the application.

11. <Render file="access/access-block-page" product="cloudflare-one" />

Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ To require only one country and one email ending:

When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/access-controls/applications/http-apps/saas-apps/), [self-hosted](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/access-controls/applications/non-http/) applications.

Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/team-and-resources/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.
Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/access-controls/access-settings/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership.

| Selector | Description | Checked at login | Checked continuously<sup>1</sup> | Identity-based selector? |
| ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ |
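Review bot: the rewritten line carries over a pre-existing typo, "they are-evaluated" should read "they are re-evaluated"; since the line is already being touched for the link change, fix it in the same commit.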
Original file line number Diff line number Diff line change
Expand Up @@ -17,15 +17,15 @@ To create a reusable Access policy:
2. Select **Add a policy**.
3. Enter a **Policy name**.
4. Choose an [**Action**](/cloudflare-one/access-controls/policies/#actions) for the policy.
5. Choose a [**Session duration**](/cloudflare-one/team-and-resources/users/session-management/) for the policy.
5. Choose a [**Session duration**](/cloudflare-one/access-controls/access-settings/session-management/) for the policy.
6. Configure as many [**Rules**](/cloudflare-one/access-controls/policies/#rule-types) as needed.
7. (Optional) Configure additional settings for users who match this policy:
- [Isolate application](/cloudflare-one/access-controls/policies/isolate-application/).
- [Purpose justificaton](/cloudflare-one/access-controls/policies/require-purpose-justification/)
- [Temporary authentication](/cloudflare-one/access-controls/policies/temporary-auth/)
8. Select **Save**.

You can now add this policy to an [Access application](/cloudflare-one/applications/).
You can now add this policy to an [Access application](/cloudflare-one/access-controls/applications/http-apps/).

## Edit a policy
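Review bot: the untouched context line `- [Purpose justificaton](...)` in this hunk has a typo (justification); the list is already inside the diff, so correcting it here is cheap. The three optional-settings bullets are also punctuated inconsistently (only "Isolate application." ends with a period).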

Expand All @@ -48,7 +48,7 @@ To delete a reusable Access policy:

## Test your policies

You can test your Access policies against all existing user identities in your Zero Trust organization. For the policy tester to work, users must have logged into the [App Launcher](/cloudflare-one/applications/app-launcher/) or any other Access application at some point in time.
You can test your Access policies against all existing user identities in your Zero Trust organization. For the policy tester to work, users must have logged into the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) or any other Access application at some point in time.

Cloudflare will use the most recent device that was authenticated with Access to test your policies.

Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ With Cloudflare Access, you can require that users obtain approval before they c
5. Turn on **Temporary authentication**.
6. Enter the **Email addresses of the approvers**.
:::note
Your approvers must be authenticated by Access. If they do not have an active session, Access will verify their identity against your [App Launcher Access policy](/cloudflare-one/applications/app-launcher/).
Your approvers must be authenticated by Access. If they do not have an active session, Access will verify their identity against your [App Launcher Access policy](/cloudflare-one/access-controls/access-settings/app-launcher/).
:::
7. Save the policy.

16 changes: 0 additions & 16 deletions src/content/docs/cloudflare-one/applications/index.mdx

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -33,4 +33,4 @@ To log out of an App Launcher session, go to:

`<your-team-name>.cloudflareaccess.com/cdn-cgi/access/logout`

For more information, refer to our [session management page](/cloudflare-one/team-and-resources/users/session-management/#log-out-as-a-user).
For more information, refer to our [session management page](/cloudflare-one/access-controls/access-settings/session-management/#log-out-as-a-user).
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ You can sign up today at [this link](https://one.dash.cloudflare.com). Follow th

## What is a team domain/team name?

Your team domain is a unique subdomain assigned to your Cloudflare account, for example, `<your-team-name>.cloudflareaccess.com`. [Setting up a team domain](/cloudflare-one/setup/#create-a-zero-trust-organization) is an essential step in your Zero Trust configuration. This is where your users will find the apps you have secured behind Cloudflare Zero Trust — displayed in the [App Launcher](/cloudflare-one/applications/app-launcher/) — and will be able to make login requests to them. The customizable portion of your team domain is called **team name**. You can view your team name and team domain in Zero Trust under **Settings** > **Custom Pages**.
Your team domain is a unique subdomain assigned to your Cloudflare account, for example, `<your-team-name>.cloudflareaccess.com`. [Setting up a team domain](/cloudflare-one/setup/#create-a-zero-trust-organization) is an essential step in your Zero Trust configuration. This is where your users will find the apps you have secured behind Cloudflare Zero Trust — displayed in the [App Launcher](/cloudflare-one/access-controls/access-settings/app-launcher/) — and will be able to make login requests to them. The customizable portion of your team domain is called **team name**. You can view your team name and team domain in Zero Trust under **Settings** > **Custom Pages**.

| team name | team domain |
| ---------------- | --------------------------------------- |