[CF1 ] IA revamp: move Identity docs

public/__redirects

@@ -2393,6 +2393,15 @@
 /cloudflare-one/applications/bookmarks/ /cloudflare-one/access-controls/applications/bookmarks/ 301
 /cloudflare-one/applications/app-launcher/ /cloudflare-one/access-controls/access-settings/app-launcher/ 301
 /cloudflare-one/applications/ /cloudflare-one/access-controls/applications/http-apps/ 301
+/cloudflare-one/identity/ /cloudflare-one/integrations/identity-providers/ 301
+/cloudflare-one/identity/authorization-cookie/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/ 301
+/cloudflare-one/identity/authorization-cookie/validating-json/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/ 301
+/cloudflare-one/identity/authorization-cookie/application-token/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/ 301
+/cloudflare-one/identity/authorization-cookie/cors/ /cloudflare-one/access-controls/applications/http-apps/authorization-cookie/cors/ 301
+/cloudflare-one/identity/service-tokens/ /cloudflare-one/access-controls/service-credentials/service-tokens/ 301
+/cloudflare-one/applications/configure-apps/mcp-servers/mcp-portals/ /cloudflare-one/access-controls/ai-controls/mcp-portals/ 301
+/cloudflare-one/applications/configure-apps/mcp-servers/saas-mcp/ /cloudflare-one/access-controls/ai-controls/saas-mcp/ 031
+/cloudflare-one/applications/configure-apps/mcp-servers/linked-apps/ /cloudflare-one/access-controls/ai-controls/linked-apps/ 301
 /cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301
 /cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301
 /cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301

src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx

@@ -8,6 +8,6 @@ products:
 
 You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](/cloudflare-one/access-controls/policies/).
 
-[Self-hosted applications](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.
+[Self-hosted applications](/cloudflare-one/access-controls/ai-controls/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes.
 
 For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the [blog post](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) on the Cloudflare Blog.

src/content/changelog/access/2025-08-26-mcp-server-portals.mdx

@@ -8,7 +8,7 @@ products:
 
 ![MCP server portal](~/assets/images/changelog/access/mcp-server-portal.png)
 
-An [MCP server portal](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:
+An [MCP server portal](/cloudflare-one/access-controls/ai-controls/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include:
 
 - **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth.
 - **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be.

src/content/changelog/fundamentals/2025-10-01-fine-grained-permissioning-beta.mdx

@@ -13,7 +13,7 @@ Fine-grained permissions for **Access Applications, Identity Providers (IdPs), a
 
 ### What's New
 - **[Access Applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/)**: Grant admin permissions to specific Access Applications.
-- **[Identity Providers](https://developers.cloudflare.com/cloudflare-one/identity/)**: Grant admin permissions to individual Identity Providers.
+- **[Identity Providers](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/)**: Grant admin permissions to individual Identity Providers.
 - **[Targets](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets
 
 ![Updated Permissions Policy UX](~/assets/images/changelog/fundamentals/2025-10-01-fine-grained-permissioning-ux.png)

src/content/docs/agents/model-context-protocol/authorization.mdx

@@ -81,7 +81,7 @@ Remember — [authentication is different from authorization](https://www.cloud
 
 You can use Cloudflare Access as a Single Sign-On (SSO) provider to authorize users to your MCP server. Users log in using a [configured identity provider](/cloudflare-one/integrations/identity-providers/) or a [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/), and they are only granted access if their identity matches your [Access policies](/cloudflare-one/access-controls/policies/).
 
-To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/).
+To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/ai-controls/saas-mcp/).
 
 ### (3) Third-party OAuth Provider
 

src/content/docs/agents/model-context-protocol/mcp-portal.mdx

@@ -5,7 +5,7 @@ tags:
   - MCP
 sidebar:
   order: 101
-external_link: /cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals/
+external_link: /cloudflare-one/access-controls/ai-controls/mcp-portals/
 description: Centralize multiple MCP servers onto a single endpoint and customize the tools, prompts, and resources available to users.
 
 ---

src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx

@@ -21,7 +21,7 @@ Cloudflare Access provides visibility and control over who has access to your [c
 1. At your SaaS provider account, select [Zero Trust](https://one.dash.cloudflare.com).
 2. Go to **Access** > **Applications**.
 3. Select **Add an application** and, for type of application, select **Self-hosted**.
-4. Enter a name for your Access application and, in **Session Duration**, choose how often the user's [application token](/cloudflare-one/identity/authorization-cookie/application-token/) should expire.
+4. Enter a name for your Access application and, in **Session Duration**, choose how often the user's [application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) should expire.
 5. Select **Add public hostname**.
 6. For **Input method**, select _Custom_.
 7. In **Hostname**, enter your custom hostname (for example, `mycustomhostname.com`).

src/content/docs/cloudflare-one/access-controls/access-settings/session-management.mdx

@@ -16,7 +16,7 @@ When a user logs in to an application protected by Access, Access validates thei
 | Token                                                                                 | Description                                                                                                          | Expiration                                                                                                                                       | Storage                                                                           |
 | ------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------- |
 | Global session token                                                                  | Stores the user's identity from the IdP and provides single sign-on (SSO) functionality for all Access applications. | [Global session duration](#global-session-duration)                                                                                              | Your Cloudflare <GlossaryTooltip term="team domain">team domain</GlossaryTooltip> |
-| [Application token](/cloudflare-one/identity/authorization-cookie/application-token/) | Allows the user to access a specific Access application.                                                             | [Policy session duration](#policy-session-duration), which defaults to the [application session duration](#application-session-duration) | The hostname protected by the Access application                                  |
+| [Application token](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/application-token/) | Allows the user to access a specific Access application.                                                             | [Policy session duration](#policy-session-duration), which defaults to the [application session duration](#application-session-duration) | The hostname protected by the Access application                                  |
 
 The user can access the application for the entire duration of the application token's lifecycle. When the application token expires, Cloudflare will automatically issue a new application token if the global token is still valid (and the user's identity still passes your Access policies). If the global token has also expired, the user will be prompted to re-authenticate with the IdP.
 

src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/index.mdx → src/content/docs/cloudflare-one/access-controls/ai-controls/index.mdx

@@ -1,6 +1,6 @@
 ---
 pcx_content_type: navigation
-title: MCP servers
+title: AI controls
 sidebar:
   order: 3
   group:
@@ -9,4 +9,5 @@ sidebar:
 
 import { DirectoryListing } from "~/components";
 
-<DirectoryListing />
+<DirectoryListing />
+

src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/linked-apps.mdx → src/content/docs/cloudflare-one/access-controls/ai-controls/linked-apps.mdx

@@ -10,7 +10,7 @@ sidebar:
 
 import { Render, GlossaryTooltip, APIRequest } from "~/components";
 
-Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes.
+Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/access-controls/ai-controls/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes.
 
 For example, your organization may wish to deploy an MCP server that helps employees interact with internal applications. You can configure [Access policies](/cloudflare-one/access-controls/policies/#selectors) to ensure that only authorized users can access those applications, either directly or by using an <GlossaryTooltip term="MCP client">MCP client</GlossaryTooltip>.
 
@@ -44,7 +44,7 @@ This guide covers how to use the Cloudflare API to link a self-hosted applicatio
 
 ## 1. Secure the MCP server with Access for SaaS
 
-The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/).
+The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/ai-controls/saas-mcp/).
 
 ## 2. Get the SaaS application ID
 
@@ -147,4 +147,4 @@ The end-to-end authorization flow is as follows:
 
 ## Known limitations
 
-The MCP OAuth feature only works with self-hosted applications that rely on the [Cloudflare Access JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) to authenticate and identify the user. If the application implements its own layer of authentication after Cloudflare Access, then this feature is at best a partial solution. Requests that are successfully authenticated by Access may still be blocked by the application itself, resulting in an HTTP `401` or `403` error.
+The MCP OAuth feature only works with self-hosted applications that rely on the [Cloudflare Access JWT](/cloudflare-one/access-controls/applications/http-apps/authorization-cookie/validating-json/) to authenticate and identify the user. If the application implements its own layer of authentication after Cloudflare Access, then this feature is at best a partial solution. Requests that are successfully authenticated by Access may still be blocked by the application itself, resulting in an HTTP `401` or `403` error.

src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals.mdx → src/content/docs/cloudflare-one/access-controls/ai-controls/mcp-portals.mdx

@@ -41,7 +41,7 @@ To add an MCP server:
 7. Add [Access policies](/cloudflare-one/access-controls/policies/) to show or hide the server in an [MCP server portal](#create-a-portal). The MCP server link will only appear in the portal for users who match an Allow policy. Users who do not pass an Allow policy will not see this server through any portals.
 
    :::caution
-   Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/).
+   Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/access-controls/ai-controls/saas-mcp/).
    :::
 
 8. Select **Save and connect server**.