Create a new Access policy for an application.
/zones/{identifier}/access/apps/{uuid}/policies
post
Zone-Level Access policies
zone-level-access-policies-create-an-access-policy
[
  {
    "in": "path",
    "name": "uuid",
    "required": true,
    "schema": {
      "description": "UUID",
      "example": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
      "maxLength": 36,
      "readOnly": true,
      "type": "string"
    }
  },
  {
    "in": "path",
    "name": "identifier",
    "required": true,
    "schema": {
      "description": "Identifier",
      "example": "023e105f4ecef8ad9ca31a8372d0c353",
      "maxLength": 32,
      "readOnly": true,
      "type": "string"
    }
  }
]{
  "content": {
    "application/json": {
      "schema": {
        "properties": {
          "approval_groups": {
            "description": "Administrators who can approve a temporary authentication request.",
            "example": [
              {
                "approvals_needed": 1,
                "email_addresses": [
                  "test1@cloudflare.com",
                  "test2@cloudflare.com"
                ]
              },
              {
                "approvals_needed": 3,
                "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
              }
            ],
            "items": {
              "description": "A group of email addresses that can approve a temporary authentication request.",
              "properties": {
                "approvals_needed": {
                  "description": "The number of approvals needed to obtain access.",
                  "example": 1,
                  "minimum": 0,
                  "type": "number"
                },
                "email_addresses": {
                  "description": "A list of emails that can approve the access request.",
                  "example": [
                    "test@cloudflare.com",
                    "test2@cloudflare.com"
                  ],
                  "items": {},
                  "type": "array"
                },
                "email_list_uuid": {
                  "description": "The UUID of a reusable email list.",
                  "type": "string"
                }
              },
              "required": [
                "approvals_needed"
              ],
              "type": "object"
            },
            "type": "array"
          },
          "approval_required": {
            "default": false,
            "description": "Requires the user to request access from an administrator at the start of each session.",
            "example": true,
            "type": "boolean"
          },
          "decision": {
            "description": "The action Access will take if a user matches this policy.",
            "enum": [
              "allow",
              "deny",
              "non_identity",
              "bypass"
            ],
            "example": "allow",
            "type": "string"
          },
          "exclude": {
            "description": "Rules evaluated with a NOT logical operator. To match the policy, a user must not meet any of the Exclude rules.",
            "items": {
              "oneOf": [
                {
                  "description": "Matches a specific email.",
                  "properties": {
                    "email": {
                      "properties": {
                        "email": {
                          "description": "The email of the user.",
                          "example": "test@example.com",
                          "format": "email",
                          "type": "string"
                        }
                      },
                      "required": [
                        "email"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "email"
                  ],
                  "title": "Email",
                  "type": "object"
                },
                {
                  "description": "Matches an email address from a list.",
                  "properties": {
                    "email_list": {
                      "properties": {
                        "id": {
                          "description": "The ID of a previously created email list.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "email_list"
                  ],
                  "title": "Email list",
                  "type": "object"
                },
                {
                  "description": "Match an entire email domain.",
                  "properties": {
                    "email_domain": {
                      "properties": {
                        "domain": {
                          "description": "The email domain to match.",
                          "example": "example.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "domain"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "email_domain"
                  ],
                  "title": "Email domain",
                  "type": "object"
                },
                {
                  "description": "Matches everyone.",
                  "properties": {
                    "everyone": {
                      "description": "An empty object which matches on all users.",
                      "example": {},
                      "type": "object"
                    }
                  },
                  "required": [
                    "everyone"
                  ],
                  "title": "Everyone",
                  "type": "object"
                },
                {
                  "description": "Matches an IP address block.",
                  "properties": {
                    "ip": {
                      "properties": {
                        "ip": {
                          "description": "An IPv4 or IPv6 CIDR block.",
                          "example": "2400:cb00:21:10a::/64",
                          "type": "string"
                        }
                      },
                      "required": [
                        "ip"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "ip"
                  ],
                  "title": "IP ranges",
                  "type": "object"
                },
                {
                  "description": "Matches an IP address from a list.",
                  "properties": {
                    "ip_list": {
                      "properties": {
                        "id": {
                          "description": "The ID of a previously created IP list.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "ip_list"
                  ],
                  "title": "IP list",
                  "type": "object"
                },
                {
                  "description": "Matches any valid client certificate.",
                  "example": {
                    "certificate": {}
                  },
                  "properties": {
                    "certificate": {
                      "example": {},
                      "type": "object"
                    }
                  },
                  "required": [
                    "certificate"
                  ],
                  "title": "Valid certificate",
                  "type": "object"
                },
                {
                  "description": "Matches an Access group.",
                  "properties": {
                    "group": {
                      "properties": {
                        "id": {
                          "description": "The ID of a previously created Access group.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "group"
                  ],
                  "title": "Access groups",
                  "type": "object"
                },
                {
                  "description": "Matches an Azure group.\nRequires an Azure identity provider.",
                  "properties": {
                    "azureAD": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Azure identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "id": {
                          "description": "The ID of an Azure group.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "azureAD"
                  ],
                  "title": "Azure group",
                  "type": "object"
                },
                {
                  "description": "Matches a Github organization.\nRequires a Github identity provider.",
                  "properties": {
                    "github-organization": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Github identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "name": {
                          "description": "The name of the organization.",
                          "example": "cloudflare",
                          "type": "string"
                        }
                      },
                      "required": [
                        "name",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "github-organization"
                  ],
                  "title": "Github organization",
                  "type": "object"
                },
                {
                  "description": "Matches a group in Google Workspace.\nRequires a Google Workspace identity provider.",
                  "properties": {
                    "gsuite": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Google Workspace identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "email": {
                          "description": "The email of the Google Workspace group.",
                          "example": "devs@cloudflare.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "email",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "gsuite"
                  ],
                  "title": "Google Workspace group",
                  "type": "object"
                },
                {
                  "description": "Matches an Okta group.\nRequires an Okta identity provider.",
                  "properties": {
                    "okta": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Okta identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "email": {
                          "description": "The email of the Okta group.",
                          "example": "devs@cloudflare.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "email",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "okta"
                  ],
                  "title": "Okta group",
                  "type": "object"
                },
                {
                  "description": "Matches a SAML group.\nRequires a SAML identity provider.",
                  "properties": {
                    "saml": {
                      "properties": {
                        "attribute_name": {
                          "description": "The name of the SAML attribute.",
                          "example": "group",
                          "type": "string"
                        },
                        "attribute_value": {
                          "description": "The SAML attribute value to look for.",
                          "example": "devs@cloudflare.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "attribute_name",
                        "attribute_value"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "saml"
                  ],
                  "title": "SAML group",
                  "type": "object"
                },
                {
                  "description": "Matches a specific Access Service Token",
                  "properties": {
                    "service_token": {
                      "properties": {
                        "token_id": {
                          "description": "The ID of a Service Token.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "token_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "service_token"
                  ],
                  "title": "Service Token",
                  "type": "object"
                },
                {
                  "description": "Matches any valid Access Service Token",
                  "properties": {
                    "any_valid_service_token": {
                      "description": "An empty object which matches on all service tokens.",
                      "example": {},
                      "type": "object"
                    }
                  },
                  "required": [
                    "any_valid_service_token"
                  ],
                  "title": "Any Valid Service Token",
                  "type": "object"
                },
                {
                  "description": "Create Allow or Block policies which evaluate the user based on custom criteria.",
                  "properties": {
                    "external_evaluation": {
                      "properties": {
                        "evaluate_url": {
                          "description": "The API endpoint containing your business logic.",
                          "example": "https://eval.example.com",
                          "type": "string"
                        },
                        "keys_url": {
                          "description": "The API endpoint containing the key that Access uses to verify that the response came from your API.",
                          "example": "https://eval.example.com/keys",
                          "type": "string"
                        }
                      },
                      "required": [
                        "evaluate_url",
                        "keys_url"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "external_evaluation"
                  ],
                  "title": "External Evaluation",
                  "type": "object"
                },
                {
                  "description": "Matches a specific country",
                  "properties": {
                    "geo": {
                      "properties": {
                        "country_code": {
                          "description": "The country code that should be matched.",
                          "example": "US",
                          "type": "string"
                        }
                      },
                      "required": [
                        "country_code"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "geo"
                  ],
                  "title": "Country",
                  "type": "object"
                },
                {
                  "description": "Enforce different MFA options",
                  "properties": {
                    "auth_method": {
                      "properties": {
                        "auth_method": {
                          "description": "The type of authentication method, as defined in RFC 8176 (https://datatracker.ietf.org/doc/html/rfc8176).",
                          "example": "mfa",
                          "type": "string"
                        }
                      },
                      "required": [
                        "auth_method"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "auth_method"
                  ],
                  "title": "Authentication method",
                  "type": "object"
                },
                {
                  "description": "Enforces that a device posture rule has run successfully.",
                  "properties": {
                    "device_posture": {
                      "properties": {
                        "integration_uid": {
                          "description": "The ID of a device posture integration.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "integration_uid"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "device_posture"
                  ],
                  "title": "Device Posture",
                  "type": "object"
                }
              ],
              "type": "object"
            },
            "type": "array"
          },
          "include": {
            "description": "Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.",
            "items": {
              "oneOf": [
                {
                  "description": "Matches a specific email.",
                  "properties": {
                    "email": {
                      "properties": {
                        "email": {
                          "description": "The email of the user.",
                          "example": "test@example.com",
                          "format": "email",
                          "type": "string"
                        }
                      },
                      "required": [
                        "email"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "email"
                  ],
                  "title": "Email",
                  "type": "object"
                },
                {
                  "description": "Matches an email address from a list.",
                  "properties": {
                    "email_list": {
                      "properties": {
                        "id": {
                          "description": "The ID of a previously created email list.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "email_list"
                  ],
                  "title": "Email list",
                  "type": "object"
                },
                {
                  "description": "Match an entire email domain.",
                  "properties": {
                    "email_domain": {
                      "properties": {
                        "domain": {
                          "description": "The email domain to match.",
                          "example": "example.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "domain"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "email_domain"
                  ],
                  "title": "Email domain",
                  "type": "object"
                },
                {
                  "description": "Matches everyone.",
                  "properties": {
                    "everyone": {
                      "description": "An empty object which matches on all users.",
                      "example": {},
                      "type": "object"
                    }
                  },
                  "required": [
                    "everyone"
                  ],
                  "title": "Everyone",
                  "type": "object"
                },
                {
                  "description": "Matches an IP address block.",
                  "properties": {
                    "ip": {
                      "properties": {
                        "ip": {
                          "description": "An IPv4 or IPv6 CIDR block.",
                          "example": "2400:cb00:21:10a::/64",
                          "type": "string"
                        }
                      },
                      "required": [
                        "ip"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "ip"
                  ],
                  "title": "IP ranges",
                  "type": "object"
                },
                {
                  "description": "Matches an IP address from a list.",
                  "properties": {
                    "ip_list": {
                      "properties": {
                        "id": {
                          "description": "The ID of a previously created IP list.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "ip_list"
                  ],
                  "title": "IP list",
                  "type": "object"
                },
                {
                  "description": "Matches any valid client certificate.",
                  "example": {
                    "certificate": {}
                  },
                  "properties": {
                    "certificate": {
                      "example": {},
                      "type": "object"
                    }
                  },
                  "required": [
                    "certificate"
                  ],
                  "title": "Valid certificate",
                  "type": "object"
                },
                {
                  "description": "Matches an Access group.",
                  "properties": {
                    "group": {
                      "properties": {
                        "id": {
                          "description": "The ID of a previously created Access group.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "group"
                  ],
                  "title": "Access groups",
                  "type": "object"
                },
                {
                  "description": "Matches an Azure group.\nRequires an Azure identity provider.",
                  "properties": {
                    "azureAD": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Azure identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "id": {
                          "description": "The ID of an Azure group.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "azureAD"
                  ],
                  "title": "Azure group",
                  "type": "object"
                },
                {
                  "description": "Matches a Github organization.\nRequires a Github identity provider.",
                  "properties": {
                    "github-organization": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Github identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "name": {
                          "description": "The name of the organization.",
                          "example": "cloudflare",
                          "type": "string"
                        }
                      },
                      "required": [
                        "name",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "github-organization"
                  ],
                  "title": "Github organization",
                  "type": "object"
                },
                {
                  "description": "Matches a group in Google Workspace.\nRequires a Google Workspace identity provider.",
                  "properties": {
                    "gsuite": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Google Workspace identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "email": {
                          "description": "The email of the Google Workspace group.",
                          "example": "devs@cloudflare.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "email",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "gsuite"
                  ],
                  "title": "Google Workspace group",
                  "type": "object"
                },
                {
                  "description": "Matches an Okta group.\nRequires an Okta identity provider.",
                  "properties": {
                    "okta": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Okta identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "email": {
                          "description": "The email of the Okta group.",
                          "example": "devs@cloudflare.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "email",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "okta"
                  ],
                  "title": "Okta group",
                  "type": "object"
                },
                {
                  "description": "Matches a SAML group.\nRequires a SAML identity provider.",
                  "properties": {
                    "saml": {
                      "properties": {
                        "attribute_name": {
                          "description": "The name of the SAML attribute.",
                          "example": "group",
                          "type": "string"
                        },
                        "attribute_value": {
                          "description": "The SAML attribute value to look for.",
                          "example": "devs@cloudflare.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "attribute_name",
                        "attribute_value"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "saml"
                  ],
                  "title": "SAML group",
                  "type": "object"
                },
                {
                  "description": "Matches a specific Access Service Token",
                  "properties": {
                    "service_token": {
                      "properties": {
                        "token_id": {
                          "description": "The ID of a Service Token.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "token_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "service_token"
                  ],
                  "title": "Service Token",
                  "type": "object"
                },
                {
                  "description": "Matches any valid Access Service Token",
                  "properties": {
                    "any_valid_service_token": {
                      "description": "An empty object which matches on all service tokens.",
                      "example": {},
                      "type": "object"
                    }
                  },
                  "required": [
                    "any_valid_service_token"
                  ],
                  "title": "Any Valid Service Token",
                  "type": "object"
                },
                {
                  "description": "Create Allow or Block policies which evaluate the user based on custom criteria.",
                  "properties": {
                    "external_evaluation": {
                      "properties": {
                        "evaluate_url": {
                          "description": "The API endpoint containing your business logic.",
                          "example": "https://eval.example.com",
                          "type": "string"
                        },
                        "keys_url": {
                          "description": "The API endpoint containing the key that Access uses to verify that the response came from your API.",
                          "example": "https://eval.example.com/keys",
                          "type": "string"
                        }
                      },
                      "required": [
                        "evaluate_url",
                        "keys_url"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "external_evaluation"
                  ],
                  "title": "External Evaluation",
                  "type": "object"
                },
                {
                  "description": "Matches a specific country",
                  "properties": {
                    "geo": {
                      "properties": {
                        "country_code": {
                          "description": "The country code that should be matched.",
                          "example": "US",
                          "type": "string"
                        }
                      },
                      "required": [
                        "country_code"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "geo"
                  ],
                  "title": "Country",
                  "type": "object"
                },
                {
                  "description": "Enforce different MFA options",
                  "properties": {
                    "auth_method": {
                      "properties": {
                        "auth_method": {
                          "description": "The type of authentication method, given as an Authentication Method Reference value from RFC 8176 (https://datatracker.ietf.org/doc/html/rfc8176).",
                          "example": "mfa",
                          "type": "string"
                        }
                      },
                      "required": [
                        "auth_method"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "auth_method"
                  ],
                  "title": "Authentication method",
                  "type": "object"
                },
                {
                  "description": "Enforces that a device posture rule has run successfully.",
                  "properties": {
                    "device_posture": {
                      "properties": {
                        "integration_uid": {
                          "description": "The ID of a device posture integration.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "integration_uid"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "device_posture"
                  ],
                  "title": "Device Posture",
                  "type": "object"
                }
              ],
              "type": "object"
            },
            "type": "array"
          },
          "isolation_required": {
            "default": false,
            "description": "Require this application to be served in an isolated browser for users matching this policy.",
            "example": false,
            "type": "boolean"
          },
          "name": {
            "description": "The name of the Access policy.",
            "example": "Allow devs",
            "type": "string"
          },
          "precedence": {
            "description": "The order of execution for this policy. Must be unique for each policy.",
            "type": "integer"
          },
          "purpose_justification_prompt": {
            "description": "A custom message that will appear on the purpose justification screen.",
            "example": "Please enter a justification for entering this protected domain.",
            "type": "string"
          },
          "purpose_justification_required": {
            "default": false,
            "description": "Require users to enter a justification when they log in to the application.",
            "example": true,
            "type": "boolean"
          },
          "require": {
            "description": "Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.",
            "items": {
              "oneOf": [
                {
                  "description": "Matches a specific email.",
                  "properties": {
                    "email": {
                      "properties": {
                        "email": {
                          "description": "The email of the user.",
                          "example": "test@example.com",
                          "format": "email",
                          "type": "string"
                        }
                      },
                      "required": [
                        "email"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "email"
                  ],
                  "title": "Email",
                  "type": "object"
                },
                {
                  "description": "Matches an email address from a list.",
                  "properties": {
                    "email_list": {
                      "properties": {
                        "id": {
                          "description": "The ID of a previously created email list.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "email_list"
                  ],
                  "title": "Email list",
                  "type": "object"
                },
                {
                  "description": "Match an entire email domain.",
                  "properties": {
                    "email_domain": {
                      "properties": {
                        "domain": {
                          "description": "The email domain to match.",
                          "example": "example.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "domain"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "email_domain"
                  ],
                  "title": "Email domain",
                  "type": "object"
                },
                {
                  "description": "Matches everyone.",
                  "properties": {
                    "everyone": {
                      "description": "An empty object which matches on all users.",
                      "example": {},
                      "type": "object"
                    }
                  },
                  "required": [
                    "everyone"
                  ],
                  "title": "Everyone",
                  "type": "object"
                },
                {
                  "description": "Matches an IP address block.",
                  "properties": {
                    "ip": {
                      "properties": {
                        "ip": {
                          "description": "An IPv4 or IPv6 CIDR block.",
                          "example": "2400:cb00:21:10a::/64",
                          "type": "string"
                        }
                      },
                      "required": [
                        "ip"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "ip"
                  ],
                  "title": "IP ranges",
                  "type": "object"
                },
                {
                  "description": "Matches an IP address from a list.",
                  "properties": {
                    "ip_list": {
                      "properties": {
                        "id": {
                          "description": "The ID of a previously created IP list.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "ip_list"
                  ],
                  "title": "IP list",
                  "type": "object"
                },
                {
                  "description": "Matches any valid client certificate.",
                  "example": {
                    "certificate": {}
                  },
                  "properties": {
                    "certificate": {
                      "example": {},
                      "type": "object"
                    }
                  },
                  "required": [
                    "certificate"
                  ],
                  "title": "Valid certificate",
                  "type": "object"
                },
                {
                  "description": "Matches an Access group.",
                  "properties": {
                    "group": {
                      "properties": {
                        "id": {
                          "description": "The ID of a previously created Access group.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "group"
                  ],
                  "title": "Access groups",
                  "type": "object"
                },
                {
                  "description": "Matches an Azure group.\nRequires an Azure identity provider.",
                  "properties": {
                    "azureAD": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Azure identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "id": {
                          "description": "The ID of an Azure group.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "id",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "azureAD"
                  ],
                  "title": "Azure group",
                  "type": "object"
                },
                {
                  "description": "Matches a Github organization.\nRequires a Github identity provider.",
                  "properties": {
                    "github-organization": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Github identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "name": {
                          "description": "The name of the organization.",
                          "example": "cloudflare",
                          "type": "string"
                        }
                      },
                      "required": [
                        "name",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "github-organization"
                  ],
                  "title": "Github organization",
                  "type": "object"
                },
                {
                  "description": "Matches a group in Google Workspace.\nRequires a Google Workspace identity provider.",
                  "properties": {
                    "gsuite": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Google Workspace identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "email": {
                          "description": "The email of the Google Workspace group.",
                          "example": "devs@cloudflare.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "email",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "gsuite"
                  ],
                  "title": "Google Workspace group",
                  "type": "object"
                },
                {
                  "description": "Matches an Okta group.\nRequires an Okta identity provider.",
                  "properties": {
                    "okta": {
                      "properties": {
                        "connection_id": {
                          "description": "The ID of your Okta identity provider.",
                          "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                          "type": "string"
                        },
                        "email": {
                          "description": "The email of the Okta group.",
                          "example": "devs@cloudflare.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "email",
                        "connection_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "okta"
                  ],
                  "title": "Okta group",
                  "type": "object"
                },
                {
                  "description": "Matches a SAML group.\nRequires a SAML identity provider.",
                  "properties": {
                    "saml": {
                      "properties": {
                        "attribute_name": {
                          "description": "The name of the SAML attribute.",
                          "example": "group",
                          "type": "string"
                        },
                        "attribute_value": {
                          "description": "The SAML attribute value to look for.",
                          "example": "devs@cloudflare.com",
                          "type": "string"
                        }
                      },
                      "required": [
                        "attribute_name",
                        "attribute_value"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "saml"
                  ],
                  "title": "SAML group",
                  "type": "object"
                },
                {
                  "description": "Matches a specific Access Service Token",
                  "properties": {
                    "service_token": {
                      "properties": {
                        "token_id": {
                          "description": "The ID of a Service Token.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "token_id"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "service_token"
                  ],
                  "title": "Service Token",
                  "type": "object"
                },
                {
                  "description": "Matches any valid Access Service Token",
                  "properties": {
                    "any_valid_service_token": {
                      "description": "An empty object which matches on all service tokens.",
                      "example": {},
                      "type": "object"
                    }
                  },
                  "required": [
                    "any_valid_service_token"
                  ],
                  "title": "Any Valid Service Token",
                  "type": "object"
                },
                {
                  "description": "Create Allow or Block policies which evaluate the user based on custom criteria.",
                  "properties": {
                    "external_evaluation": {
                      "properties": {
                        "evaluate_url": {
                          "description": "The API endpoint containing your business logic.",
                          "example": "https://eval.example.com",
                          "type": "string"
                        },
                        "keys_url": {
                          "description": "The API endpoint containing the key that Access uses to verify that the response came from your API.",
                          "example": "https://eval.example.com/keys",
                          "type": "string"
                        }
                      },
                      "required": [
                        "evaluate_url",
                        "keys_url"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "external_evaluation"
                  ],
                  "title": "External Evaluation",
                  "type": "object"
                },
                {
                  "description": "Matches a specific country",
                  "properties": {
                    "geo": {
                      "properties": {
                        "country_code": {
                          "description": "The country code that should be matched.",
                          "example": "US",
                          "type": "string"
                        }
                      },
                      "required": [
                        "country_code"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "geo"
                  ],
                  "title": "Country",
                  "type": "object"
                },
                {
                  "description": "Enforce different MFA options",
                  "properties": {
                    "auth_method": {
                      "properties": {
                        "auth_method": {
                          "description": "The type of authentication method, given as an Authentication Method Reference value from RFC 8176 (https://datatracker.ietf.org/doc/html/rfc8176).",
                          "example": "mfa",
                          "type": "string"
                        }
                      },
                      "required": [
                        "auth_method"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "auth_method"
                  ],
                  "title": "Authentication method",
                  "type": "object"
                },
                {
                  "description": "Enforces that a device posture rule has run successfully.",
                  "properties": {
                    "device_posture": {
                      "properties": {
                        "integration_uid": {
                          "description": "The ID of a device posture integration.",
                          "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                          "type": "string"
                        }
                      },
                      "required": [
                        "integration_uid"
                      ],
                      "type": "object"
                    }
                  },
                  "required": [
                    "device_posture"
                  ],
                  "title": "Device Posture",
                  "type": "object"
                }
              ],
              "type": "object"
            },
            "type": "array"
          }
        },
        "required": [
          "name",
          "decision",
          "include"
        ]
      }
    }
  },
  "required": true
}{
  "201": {
    "content": {
      "application/json": {
        "schema": {
          "allOf": [
            {
              "allOf": [
                {
                  "properties": {
                    "errors": {
                      "example": [],
                      "items": {
                        "properties": {
                          "code": {
                            "minimum": 1000,
                            "type": "integer"
                          },
                          "message": {
                            "type": "string"
                          }
                        },
                        "required": [
                          "code",
                          "message"
                        ],
                        "type": "object",
                        "uniqueItems": true
                      },
                      "type": "array"
                    },
                    "messages": {
                      "example": [],
                      "items": {
                        "properties": {
                          "code": {
                            "minimum": 1000,
                            "type": "integer"
                          },
                          "message": {
                            "type": "string"
                          }
                        },
                        "required": [
                          "code",
                          "message"
                        ],
                        "type": "object",
                        "uniqueItems": true
                      },
                      "type": "array"
                    },
                    "result": {
                      "anyOf": [
                        {
                          "type": "object"
                        },
                        {
                          "items": {},
                          "type": "array"
                        },
                        {
                          "type": "string"
                        }
                      ]
                    },
                    "success": {
                      "description": "Whether the API call was successful",
                      "enum": [
                        true
                      ],
                      "example": true,
                      "type": "boolean"
                    }
                  },
                  "required": [
                    "success",
                    "errors",
                    "messages",
                    "result"
                  ],
                  "type": "object"
                },
                {
                  "properties": {
                    "result": {
                      "anyOf": [
                        {
                          "type": "object"
                        },
                        {
                          "type": "string"
                        }
                      ]
                    }
                  }
                }
              ],
              "type": "object"
            },
            {
              "properties": {
                "result": {
                  "properties": {
                    "approval_groups": {
                      "description": "Administrators who can approve a temporary authentication request.",
                      "example": [
                        {
                          "approvals_needed": 1,
                          "email_addresses": [
                            "test1@cloudflare.com",
                            "test2@cloudflare.com"
                          ]
                        },
                        {
                          "approvals_needed": 3,
                          "email_list_uuid": "597147a1-976b-4ef2-9af0-81d5d007fc34"
                        }
                      ],
                      "items": {
                        "description": "A group of email addresses that can approve a temporary authentication request.",
                        "properties": {
                          "approvals_needed": {
                            "description": "The number of approvals needed to obtain access.",
                            "example": 1,
                            "minimum": 0,
                            "type": "number"
                          },
                          "email_addresses": {
                            "description": "A list of emails that can approve the access request.",
                            "example": [
                              "test@cloudflare.com",
                              "test2@cloudflare.com"
                            ],
                            "items": {},
                            "type": "array"
                          },
                          "email_list_uuid": {
                            "description": "The UUID of a re-usable email list.",
                            "type": "string"
                          }
                        },
                        "required": [
                          "approvals_needed"
                        ],
                        "type": "object"
                      },
                      "type": "array"
                    },
                    "approval_required": {
                      "default": false,
                      "description": "Requires the user to request access from an administrator at the start of each session.",
                      "example": true,
                      "type": "boolean"
                    },
                    "created_at": {
                      "example": "2014-01-01T05:20:00.12345Z",
                      "format": "date-time",
                      "readOnly": true,
                      "type": "string"
                    },
                    "decision": {
                      "description": "The action Access will take if a user matches this policy.",
                      "enum": [
                        "allow",
                        "deny",
                        "non_identity",
                        "bypass"
                      ],
                      "example": "allow",
                      "type": "string"
                    },
                    "exclude": {
                      "description": "Rules evaluated with a NOT logical operator. To match the policy, a user cannot meet any of the Exclude rules.",
                      "items": {
                        "oneOf": [
                          {
                            "description": "Matches a specific email.",
                            "properties": {
                              "email": {
                                "properties": {
                                  "email": {
                                    "description": "The email of the user.",
                                    "example": "test@example.com",
                                    "format": "email",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "email"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "email"
                            ],
                            "title": "Email",
                            "type": "object"
                          },
                          {
                            "description": "Matches an email address from a list.",
                            "properties": {
                              "email_list": {
                                "properties": {
                                  "id": {
                                    "description": "The ID of a previously created email list.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "email_list"
                            ],
                            "title": "Email list",
                            "type": "object"
                          },
                          {
                            "description": "Match an entire email domain.",
                            "properties": {
                              "email_domain": {
                                "properties": {
                                  "domain": {
                                    "description": "The email domain to match.",
                                    "example": "example.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "domain"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "email_domain"
                            ],
                            "title": "Email domain",
                            "type": "object"
                          },
                          {
                            "description": "Matches everyone.",
                            "properties": {
                              "everyone": {
                                "description": "An empty object which matches on all users.",
                                "example": {},
                                "type": "object"
                              }
                            },
                            "required": [
                              "everyone"
                            ],
                            "title": "Everyone",
                            "type": "object"
                          },
                          {
                            "description": "Matches an IP address block.",
                            "properties": {
                              "ip": {
                                "properties": {
                                  "ip": {
                                    "description": "An IPv4 or IPv6 CIDR block.",
                                    "example": "2400:cb00:21:10a::/64",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "ip"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "ip"
                            ],
                            "title": "IP ranges",
                            "type": "object"
                          },
                          {
                            "description": "Matches an IP address from a list.",
                            "properties": {
                              "ip_list": {
                                "properties": {
                                  "id": {
                                    "description": "The ID of a previously created IP list.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "ip_list"
                            ],
                            "title": "IP list",
                            "type": "object"
                          },
                          {
                            "description": "Matches any valid client certificate.",
                            "example": {
                              "certificate": {}
                            },
                            "properties": {
                              "certificate": {
                                "example": {},
                                "type": "object"
                              }
                            },
                            "required": [
                              "certificate"
                            ],
                            "title": "Valid certificate",
                            "type": "object"
                          },
                          {
                            "description": "Matches an Access group.",
                            "properties": {
                              "group": {
                                "properties": {
                                  "id": {
                                    "description": "The ID of a previously created Access group.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "group"
                            ],
                            "title": "Access groups",
                            "type": "object"
                          },
                          {
                            "description": "Matches an Azure group.\nRequires an Azure identity provider.",
                            "properties": {
                              "azureAD": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your Azure identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "id": {
                                    "description": "The ID of an Azure group.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "azureAD"
                            ],
                            "title": "Azure group",
                            "type": "object"
                          },
                          {
                            "description": "Matches a Github organization.\nRequires a Github identity provider.",
                            "properties": {
                              "github-organization": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your Github identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "name": {
                                    "description": "The name of the organization.",
                                    "example": "cloudflare",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "name",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "github-organization"
                            ],
                            "title": "Github organization",
                            "type": "object"
                          },
                          {
                            "description": "Matches a group in Google Workspace.\nRequires a Google Workspace identity provider.",
                            "properties": {
                              "gsuite": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your Google Workspace identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "email": {
                                    "description": "The email of the Google Workspace group.",
                                    "example": "devs@cloudflare.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "email",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "gsuite"
                            ],
                            "title": "Google Workspace group",
                            "type": "object"
                          },
                          {
                            "description": "Matches an Okta group.\nRequires an Okta identity provider.",
                            "properties": {
                              "okta": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your Okta identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "email": {
                                    "description": "The email of the Okta group.",
                                    "example": "devs@cloudflare.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "email",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "okta"
                            ],
                            "title": "Okta group",
                            "type": "object"
                          },
                          {
                            "description": "Matches a SAML group.\nRequires a SAML identity provider.",
                            "properties": {
                              "saml": {
                                "properties": {
                                  "attribute_name": {
                                    "description": "The name of the SAML attribute.",
                                    "example": "group",
                                    "type": "string"
                                  },
                                  "attribute_value": {
                                    "description": "The SAML attribute value to look for.",
                                    "example": "devs@cloudflare.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "attribute_name",
                                  "attribute_value"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "saml"
                            ],
                            "title": "SAML group",
                            "type": "object"
                          },
                          {
                            "description": "Matches a specific Access Service Token",
                            "properties": {
                              "service_token": {
                                "properties": {
                                  "token_id": {
                                    "description": "The ID of a Service Token.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "token_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "service_token"
                            ],
                            "title": "Service Token",
                            "type": "object"
                          },
                          {
                            "description": "Matches any valid Access Service Token",
                            "properties": {
                              "any_valid_service_token": {
                                "description": "An empty object which matches on all service tokens.",
                                "example": {},
                                "type": "object"
                              }
                            },
                            "required": [
                              "any_valid_service_token"
                            ],
                            "title": "Any Valid Service Token",
                            "type": "object"
                          },
                          {
                            "description": "Create Allow or Block policies which evaluate the user based on custom criteria.",
                            "properties": {
                              "external_evaluation": {
                                "properties": {
                                  "evaluate_url": {
                                    "description": "The API endpoint containing your business logic.",
                                    "example": "https://eval.example.com",
                                    "type": "string"
                                  },
                                  "keys_url": {
                                    "description": "The API endpoint containing the key that Access uses to verify that the response came from your API.",
                                    "example": "https://eval.example.com/keys",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "evaluate_url",
                                  "keys_url"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "external_evaluation"
                            ],
                            "title": "External Evaluation",
                            "type": "object"
                          },
                          {
                            "description": "Matches a specific country",
                            "properties": {
                              "geo": {
                                "properties": {
                                  "country_code": {
                                    "description": "The country code that should be matched.",
                                    "example": "US",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "country_code"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "geo"
                            ],
                            "title": "Country",
                            "type": "object"
                          },
                          {
                            "description": "Enforce different MFA options",
                            "properties": {
                              "auth_method": {
                                "properties": {
                                  "auth_method": {
                                    "description": "The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176.",
                                    "example": "mfa",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "auth_method"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "auth_method"
                            ],
                            "title": "Authentication method",
                            "type": "object"
                          },
                          {
                            "description": "Enforces a device posture rule has run successfully",
                            "properties": {
                              "device_posture": {
                                "properties": {
                                  "integration_uid": {
                                    "description": "The ID of a device posture integration.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "integration_uid"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "device_posture"
                            ],
                            "title": "Device Posture",
                            "type": "object"
                          }
                        ],
                        "type": "object"
                      },
                      "type": "array"
                    },
                    "id": {
                      "description": "UUID",
                      "example": "f174e90a-fafe-4643-bbbc-4a0ed4fc8415",
                      "maxLength": 36,
                      "readOnly": true,
                      "type": "string"
                    },
                    "include": {
                      "description": "Rules evaluated with an OR logical operator. A user needs to meet only one of the Include rules.",
                      "items": {
                        "oneOf": [
                          {
                            "description": "Matches a specific email.",
                            "properties": {
                              "email": {
                                "properties": {
                                  "email": {
                                    "description": "The email of the user.",
                                    "example": "test@example.com",
                                    "format": "email",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "email"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "email"
                            ],
                            "title": "Email",
                            "type": "object"
                          },
                          {
                            "description": "Matches an email address from a list.",
                            "properties": {
                              "email_list": {
                                "properties": {
                                  "id": {
                                    "description": "The ID of a previously created email list.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "email_list"
                            ],
                            "title": "Email list",
                            "type": "object"
                          },
                          {
                            "description": "Match an entire email domain.",
                            "properties": {
                              "email_domain": {
                                "properties": {
                                  "domain": {
                                    "description": "The email domain to match.",
                                    "example": "example.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "domain"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "email_domain"
                            ],
                            "title": "Email domain",
                            "type": "object"
                          },
                          {
                            "description": "Matches everyone.",
                            "properties": {
                              "everyone": {
                                "description": "An empty object which matches on all users.",
                                "example": {},
                                "type": "object"
                              }
                            },
                            "required": [
                              "everyone"
                            ],
                            "title": "Everyone",
                            "type": "object"
                          },
                          {
                            "description": "Matches an IP address block.",
                            "properties": {
                              "ip": {
                                "properties": {
                                  "ip": {
                                    "description": "An IPv4 or IPv6 CIDR block.",
                                    "example": "2400:cb00:21:10a::/64",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "ip"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "ip"
                            ],
                            "title": "IP ranges",
                            "type": "object"
                          },
                          {
                            "description": "Matches an IP address from a list.",
                            "properties": {
                              "ip_list": {
                                "properties": {
                                  "id": {
                                    "description": "The ID of a previously created IP list.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "ip_list"
                            ],
                            "title": "IP list",
                            "type": "object"
                          },
                          {
                            "description": "Matches any valid client certificate.",
                            "example": {
                              "certificate": {}
                            },
                            "properties": {
                              "certificate": {
                                "example": {},
                                "type": "object"
                              }
                            },
                            "required": [
                              "certificate"
                            ],
                            "title": "Valid certificate",
                            "type": "object"
                          },
                          {
                            "description": "Matches an Access group.",
                            "properties": {
                              "group": {
                                "properties": {
                                  "id": {
                                    "description": "The ID of a previously created Access group.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "group"
                            ],
                            "title": "Access groups",
                            "type": "object"
                          },
                          {
                            "description": "Matches an Azure group.\nRequires an Azure identity provider.",
                            "properties": {
                              "azureAD": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your Azure identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "id": {
                                    "description": "The ID of an Azure group.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "azureAD"
                            ],
                            "title": "Azure group",
                            "type": "object"
                          },
                          {
                            "description": "Matches a Github organization.\nRequires a Github identity provider.",
                            "properties": {
                              "github-organization": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your Github identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "name": {
                                    "description": "The name of the organization.",
                                    "example": "cloudflare",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "name",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "github-organization"
                            ],
                            "title": "Github organization",
                            "type": "object"
                          },
                          {
                            "description": "Matches a group in Google Workspace.\nRequires a Google Workspace identity provider.",
                            "properties": {
                              "gsuite": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your Google Workspace identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "email": {
                                    "description": "The email of the Google Workspace group.",
                                    "example": "devs@cloudflare.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "email",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "gsuite"
                            ],
                            "title": "Google Workspace group",
                            "type": "object"
                          },
                          {
                            "description": "Matches an Okta group.\nRequires an Okta identity provider.",
                            "properties": {
                              "okta": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your Okta identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "email": {
                                    "description": "The email of the Okta group.",
                                    "example": "devs@cloudflare.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "email",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "okta"
                            ],
                            "title": "Okta group",
                            "type": "object"
                          },
                          {
                            "description": "Matches a SAML group.\nRequires a SAML identity provider.",
                            "properties": {
                              "saml": {
                                "properties": {
                                  "attribute_name": {
                                    "description": "The name of the SAML attribute.",
                                    "example": "group",
                                    "type": "string"
                                  },
                                  "attribute_value": {
                                    "description": "The SAML attribute value to look for.",
                                    "example": "devs@cloudflare.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "attribute_name",
                                  "attribute_value"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "saml"
                            ],
                            "title": "SAML group",
                            "type": "object"
                          },
                          {
                            "description": "Matches a specific Access Service Token",
                            "properties": {
                              "service_token": {
                                "properties": {
                                  "token_id": {
                                    "description": "The ID of a Service Token.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "token_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "service_token"
                            ],
                            "title": "Service Token",
                            "type": "object"
                          },
                          {
                            "description": "Matches any valid Access Service Token",
                            "properties": {
                              "any_valid_service_token": {
                                "description": "An empty object which matches on all service tokens.",
                                "example": {},
                                "type": "object"
                              }
                            },
                            "required": [
                              "any_valid_service_token"
                            ],
                            "title": "Any Valid Service Token",
                            "type": "object"
                          },
                          {
                            "description": "Create Allow or Block policies which evaluate the user based on custom criteria.",
                            "properties": {
                              "external_evaluation": {
                                "properties": {
                                  "evaluate_url": {
                                    "description": "The API endpoint containing your business logic.",
                                    "example": "https://eval.example.com",
                                    "type": "string"
                                  },
                                  "keys_url": {
                                    "description": "The API endpoint containing the key that Access uses to verify that the response came from your API.",
                                    "example": "https://eval.example.com/keys",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "evaluate_url",
                                  "keys_url"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "external_evaluation"
                            ],
                            "title": "External Evaluation",
                            "type": "object"
                          },
                          {
                            "description": "Matches a specific country",
                            "properties": {
                              "geo": {
                                "properties": {
                                  "country_code": {
                                    "description": "The country code that should be matched.",
                                    "example": "US",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "country_code"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "geo"
                            ],
                            "title": "Country",
                            "type": "object"
                          },
                          {
                            "description": "Enforce different MFA options",
                            "properties": {
                              "auth_method": {
                                "properties": {
                                  "auth_method": {
                                    "description": "The type of authentication method (see https://datatracker.ietf.org/doc/html/rfc8176).",
                                    "example": "mfa",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "auth_method"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "auth_method"
                            ],
                            "title": "Authentication method",
                            "type": "object"
                          },
                          {
                            "description": "Enforces that a device posture rule has run successfully.",
                            "properties": {
                              "device_posture": {
                                "properties": {
                                  "integration_uid": {
                                    "description": "The ID of a device posture integration.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "integration_uid"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "device_posture"
                            ],
                            "title": "Device Posture",
                            "type": "object"
                          }
                        ],
                        "type": "object"
                      },
                      "type": "array"
                    },
                    "isolation_required": {
                      "default": false,
                      "description": "Require this application to be served in an isolated browser for users matching this policy.",
                      "example": false,
                      "type": "boolean"
                    },
                    "name": {
                      "description": "The name of the Access policy.",
                      "example": "Allow devs",
                      "type": "string"
                    },
                    "precedence": {
                      "description": "The order of execution for this policy. Must be unique for each policy.",
                      "type": "integer"
                    },
                    "purpose_justification_prompt": {
                      "description": "A custom message that will appear on the purpose justification screen.",
                      "example": "Please enter a justification for entering this protected domain.",
                      "type": "string"
                    },
                    "purpose_justification_required": {
                      "default": false,
                      "description": "Require users to enter a justification when they log in to the application.",
                      "example": true,
                      "type": "boolean"
                    },
                    "require": {
                      "description": "Rules evaluated with an AND logical operator. To match the policy, a user must meet all of the Require rules.",
                      "items": {
                        "oneOf": [
                          {
                            "description": "Matches a specific email.",
                            "properties": {
                              "email": {
                                "properties": {
                                  "email": {
                                    "description": "The email of the user.",
                                    "example": "test@example.com",
                                    "format": "email",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "email"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "email"
                            ],
                            "title": "Email",
                            "type": "object"
                          },
                          {
                            "description": "Matches an email address from a list.",
                            "properties": {
                              "email_list": {
                                "properties": {
                                  "id": {
                                    "description": "The ID of a previously created email list.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "email_list"
                            ],
                            "title": "Email list",
                            "type": "object"
                          },
                          {
                            "description": "Match an entire email domain.",
                            "properties": {
                              "email_domain": {
                                "properties": {
                                  "domain": {
                                    "description": "The email domain to match.",
                                    "example": "example.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "domain"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "email_domain"
                            ],
                            "title": "Email domain",
                            "type": "object"
                          },
                          {
                            "description": "Matches everyone.",
                            "properties": {
                              "everyone": {
                                "description": "An empty object which matches on all users.",
                                "example": {},
                                "type": "object"
                              }
                            },
                            "required": [
                              "everyone"
                            ],
                            "title": "Everyone",
                            "type": "object"
                          },
                          {
                            "description": "Matches an IP address block.",
                            "properties": {
                              "ip": {
                                "properties": {
                                  "ip": {
                                    "description": "An IPv4 or IPv6 CIDR block.",
                                    "example": "2400:cb00:21:10a::/64",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "ip"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "ip"
                            ],
                            "title": "IP ranges",
                            "type": "object"
                          },
                          {
                            "description": "Matches an IP address from a list.",
                            "properties": {
                              "ip_list": {
                                "properties": {
                                  "id": {
                                    "description": "The ID of a previously created IP list.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "ip_list"
                            ],
                            "title": "IP list",
                            "type": "object"
                          },
                          {
                            "description": "Matches any valid client certificate.",
                            "example": {
                              "certificate": {}
                            },
                            "properties": {
                              "certificate": {
                                "example": {},
                                "type": "object"
                              }
                            },
                            "required": [
                              "certificate"
                            ],
                            "title": "Valid certificate",
                            "type": "object"
                          },
                          {
                            "description": "Matches an Access group.",
                            "properties": {
                              "group": {
                                "properties": {
                                  "id": {
                                    "description": "The ID of a previously created Access group.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "group"
                            ],
                            "title": "Access groups",
                            "type": "object"
                          },
                          {
                            "description": "Matches an Azure group.\nRequires an Azure identity provider.",
                            "properties": {
                              "azureAD": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your Azure identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "id": {
                                    "description": "The ID of an Azure group.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "id",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "azureAD"
                            ],
                            "title": "Azure group",
                            "type": "object"
                          },
                          {
                            "description": "Matches a GitHub organization.\nRequires a GitHub identity provider.",
                            "properties": {
                              "github-organization": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your GitHub identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "name": {
                                    "description": "The name of the organization.",
                                    "example": "cloudflare",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "name",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "github-organization"
                            ],
                            "title": "Github organization",
                            "type": "object"
                          },
                          {
                            "description": "Matches a group in Google Workspace.\nRequires a Google Workspace identity provider.",
                            "properties": {
                              "gsuite": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your Google Workspace identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "email": {
                                    "description": "The email of the Google Workspace group.",
                                    "example": "devs@cloudflare.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "email",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "gsuite"
                            ],
                            "title": "Google Workspace group",
                            "type": "object"
                          },
                          {
                            "description": "Matches an Okta group.\nRequires an Okta identity provider.",
                            "properties": {
                              "okta": {
                                "properties": {
                                  "connection_id": {
                                    "description": "The ID of your Okta identity provider.",
                                    "example": "ea85612a-29c8-46c2-bacb-669d65136971",
                                    "type": "string"
                                  },
                                  "email": {
                                    "description": "The email of the Okta group.",
                                    "example": "devs@cloudflare.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "email",
                                  "connection_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "okta"
                            ],
                            "title": "Okta group",
                            "type": "object"
                          },
                          {
                            "description": "Matches a SAML group.\nRequires a SAML identity provider.",
                            "properties": {
                              "saml": {
                                "properties": {
                                  "attribute_name": {
                                    "description": "The name of the SAML attribute.",
                                    "example": "group",
                                    "type": "string"
                                  },
                                  "attribute_value": {
                                    "description": "The SAML attribute value to look for.",
                                    "example": "devs@cloudflare.com",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "attribute_name",
                                  "attribute_value"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "saml"
                            ],
                            "title": "SAML group",
                            "type": "object"
                          },
                          {
                            "description": "Matches a specific Access Service Token",
                            "properties": {
                              "service_token": {
                                "properties": {
                                  "token_id": {
                                    "description": "The ID of a Service Token.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "token_id"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "service_token"
                            ],
                            "title": "Service Token",
                            "type": "object"
                          },
                          {
                            "description": "Matches any valid Access Service Token",
                            "properties": {
                              "any_valid_service_token": {
                                "description": "An empty object which matches on all service tokens.",
                                "example": {},
                                "type": "object"
                              }
                            },
                            "required": [
                              "any_valid_service_token"
                            ],
                            "title": "Any Valid Service Token",
                            "type": "object"
                          },
                          {
                            "description": "Create Allow or Block policies which evaluate the user based on custom criteria.",
                            "properties": {
                              "external_evaluation": {
                                "properties": {
                                  "evaluate_url": {
                                    "description": "The API endpoint containing your business logic.",
                                    "example": "https://eval.example.com",
                                    "type": "string"
                                  },
                                  "keys_url": {
                                    "description": "The API endpoint containing the key that Access uses to verify that the response came from your API.",
                                    "example": "https://eval.example.com/keys",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "evaluate_url",
                                  "keys_url"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "external_evaluation"
                            ],
                            "title": "External Evaluation",
                            "type": "object"
                          },
                          {
                            "description": "Matches a specific country",
                            "properties": {
                              "geo": {
                                "properties": {
                                  "country_code": {
                                    "description": "The country code that should be matched.",
                                    "example": "US",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "country_code"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "geo"
                            ],
                            "title": "Country",
                            "type": "object"
                          },
                          {
                            "description": "Enforce different MFA options",
                            "properties": {
                              "auth_method": {
                                "properties": {
                                  "auth_method": {
                                    "description": "The type of authentication method https://datatracker.ietf.org/doc/html/rfc8176.",
                                    "example": "mfa",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "auth_method"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "auth_method"
                            ],
                            "title": "Authentication method",
                            "type": "object"
                          },
                          {
                            "description": "Enforces a device posture rule has run successfully",
                            "properties": {
                              "device_posture": {
                                "properties": {
                                  "integration_uid": {
                                    "description": "The ID of a device posture integration.",
                                    "example": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f",
                                    "type": "string"
                                  }
                                },
                                "required": [
                                  "integration_uid"
                                ],
                                "type": "object"
                              }
                            },
                            "required": [
                              "device_posture"
                            ],
                            "title": "Device Posture",
                            "type": "object"
                          }
                        ],
                        "type": "object"
                      },
                      "type": "array"
                    },
                    "updated_at": {
                      "example": "2014-01-01T05:20:00.12345Z",
                      "format": "date-time",
                      "readOnly": true,
                      "type": "string"
                    }
                  },
                  "type": "object"
                }
              }
            }
          ]
        }
      }
    },
    "description": "Create an Access policy response"
  },
  "4XX": {
    "content": {
      "application/json": {
        "schema": {
          "properties": {
            "errors": {
              "allOf": [
                {
                  "example": [],
                  "items": {
                    "properties": {
                      "code": {
                        "minimum": 1000,
                        "type": "integer"
                      },
                      "message": {
                        "type": "string"
                      }
                    },
                    "required": [
                      "code",
                      "message"
                    ],
                    "type": "object",
                    "uniqueItems": true
                  },
                  "type": "array"
                }
              ],
              "example": [
                {
                  "code": 7003,
                  "message": "No route for the URI"
                }
              ],
              "minLength": 1
            },
            "messages": {
              "allOf": [
                {
                  "example": [],
                  "items": {
                    "properties": {
                      "code": {
                        "minimum": 1000,
                        "type": "integer"
                      },
                      "message": {
                        "type": "string"
                      }
                    },
                    "required": [
                      "code",
                      "message"
                    ],
                    "type": "object",
                    "uniqueItems": true
                  },
                  "type": "array"
                }
              ],
              "example": []
            },
            "result": {
              "enum": [
                null
              ],
              "nullable": true,
              "type": "object"
            },
            "success": {
              "description": "Whether the API call was successful",
              "enum": [
                false
              ],
              "example": false,
              "type": "boolean"
            }
          },
          "required": [
            "success",
            "errors",
            "messages",
            "result"
          ],
          "type": "object"
        }
      }
    },
    "description": "Create an Access policy response failure"
  }
}[
  {
    "api_email": [],
    "api_key": []
  }
]