Create an access rule
POST
/api/zones/{zoneId}/access-rules
Creates a new access rule in the given zone. The rule name must be unique within the zone, and "conditions" must contain at least one condition describing when the rule applies. The "action" field determines what happens when the conditions match; when it is "skip", "skipTargets" lists the security features to bypass. The zone's configured access rule limit must not be exceeded.
Authorizations
ApiToken
Long-lived API token created via POST /api/api-tokens (returned once in plaintext).
Type
API Key (header: X-API-TOKEN)
or
JWT
JWT access token obtained via POST /api/auth/login. Send as: Authorization: Bearer
Type
HTTP (bearer)
Parameters
Path Parameters
zoneId*
Zone identifier
Type
Requiredstring
Request Body
JSON "name": "Block office IP range", "description": "Blocks traffic originating from the corporate office subnet.", "conditions": { "logic": "string", "conditions": [ { "field": "string", "operator": "string", "target": "X-Custom-Header", "value": "string" } ] }, "action": "block", "skipTargets": [ [ "waf", "rateLimiting" ] ], "order": 10, "enabled": true, "stopOnMatch": false
{
}
Responses
access-rule resource created
JSON "@context": "string", "@id": "string", "@type": "string", "id": "3fa85f64-5717-4562-b3fc-2c963f66afa6", "zone": "https://example.com/", "name": "Block office IP range", "description": "Blocks traffic originating from the corporate office subnet.", "conditions": { "logic": "string", "conditions": [ { "field": "string", "operator": "string", "target": "X-Custom-Header", "value": "string" } ] }, "action": "string", "skipTargets": [ ], "order": 10, "enabled": true, "stopOnMatch": false, "createdAt": "2026-01-15T09:30:00+00:00", "updatedAt": "2026-01-20T14:45:00+00:00"
{
}
