feat(api): api update (#2533)

Author: stainless-app[bot]

.stats.yml

@@ -1,2 +1,2 @@
 configured_endpoints: 1610
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-0f0082a0942d9f9edb37ef99423f7cdf16d0bfeb57c6ee5728e830b2a9ebff87.yml
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-30da43ea5d0d999bce706d59618514c0c59d657ea27ad2e228663d731023449f.yml

src/cloudflare/resources/email_security/investigate/investigate.py

@@ -141,7 +141,7 @@ def list(
         detections_only: bool | NotGiven = NOT_GIVEN,
         domain: str | NotGiven = NOT_GIVEN,
         end: Union[str, datetime] | NotGiven = NOT_GIVEN,
-        final_disposition: Literal["MALICIOUS", "SUSPICIOUS", "SPOOF", "SPAM", "BULK"] | NotGiven = NOT_GIVEN,
+        final_disposition: Literal["MALICIOUS", "SUSPICIOUS", "SPOOF", "SPAM", "BULK", "NONE"] | NotGiven = NOT_GIVEN,
         message_action: Literal["PREVIEW", "QUARANTINE_RELEASED", "MOVED"] | NotGiven = NOT_GIVEN,
         message_id: str | NotGiven = NOT_GIVEN,
         metric: str | NotGiven = NOT_GIVEN,
@@ -351,7 +351,7 @@ def list(
         detections_only: bool | NotGiven = NOT_GIVEN,
         domain: str | NotGiven = NOT_GIVEN,
         end: Union[str, datetime] | NotGiven = NOT_GIVEN,
-        final_disposition: Literal["MALICIOUS", "SUSPICIOUS", "SPOOF", "SPAM", "BULK"] | NotGiven = NOT_GIVEN,
+        final_disposition: Literal["MALICIOUS", "SUSPICIOUS", "SPOOF", "SPAM", "BULK", "NONE"] | NotGiven = NOT_GIVEN,
         message_action: Literal["PREVIEW", "QUARANTINE_RELEASED", "MOVED"] | NotGiven = NOT_GIVEN,
         message_id: str | NotGiven = NOT_GIVEN,
         metric: str | NotGiven = NOT_GIVEN,

src/cloudflare/resources/workers_for_platforms/dispatch/namespaces/scripts/secrets.py

@@ -68,7 +68,7 @@ def update(
         timeout: float | httpx.Timeout | None | NotGiven = NOT_GIVEN,
     ) -> Optional[SecretUpdateResponse]:
         """
-        Put secrets to a script uploaded to a Workers for Platforms namespace.
+        Add a secret to a script uploaded to a Workers for Platforms namespace.
 
         Args:
           account_id: Identifier
@@ -132,7 +132,7 @@ def list(
         timeout: float | httpx.Timeout | None | NotGiven = NOT_GIVEN,
     ) -> SyncSinglePage[SecretListResponse]:
         """
-        List secrets from a script uploaded to a Workers for Platforms namespace.
+        List secrets bound to a script uploaded to a Workers for Platforms namespace.
 
         Args:
           account_id: Identifier
@@ -179,7 +179,8 @@ def get(
         timeout: float | httpx.Timeout | None | NotGiven = NOT_GIVEN,
     ) -> Optional[SecretGetResponse]:
         """
-        Get secret from a script uploaded to a Workers for Platforms namespace.
+        Get a given secret binding (value omitted) on a script uploaded to a Workers for
+        Platforms namespace.
 
         Args:
           account_id: Identifier
@@ -256,7 +257,7 @@ async def update(
         timeout: float | httpx.Timeout | None | NotGiven = NOT_GIVEN,
     ) -> Optional[SecretUpdateResponse]:
         """
-        Put secrets to a script uploaded to a Workers for Platforms namespace.
+        Add a secret to a script uploaded to a Workers for Platforms namespace.
 
         Args:
           account_id: Identifier
@@ -320,7 +321,7 @@ def list(
         timeout: float | httpx.Timeout | None | NotGiven = NOT_GIVEN,
     ) -> AsyncPaginator[SecretListResponse, AsyncSinglePage[SecretListResponse]]:
         """
-        List secrets from a script uploaded to a Workers for Platforms namespace.
+        List secrets bound to a script uploaded to a Workers for Platforms namespace.
 
         Args:
           account_id: Identifier
@@ -367,7 +368,8 @@ async def get(
         timeout: float | httpx.Timeout | None | NotGiven = NOT_GIVEN,
     ) -> Optional[SecretGetResponse]:
         """
-        Get secret from a script uploaded to a Workers for Platforms namespace.
+        Get a given secret binding (value omitted) on a script uploaded to a Workers for
+        Platforms namespace.
 
         Args:
           account_id: Identifier

src/cloudflare/resources/zero_trust/access/applications/applications.py

@@ -29,7 +29,7 @@ class InvestigateListParams(TypedDict, total=False):
     end: Annotated[Union[str, datetime], PropertyInfo(format="iso8601")]
     """The end of the search date range. Defaults to `now`."""
 
-    final_disposition: Literal["MALICIOUS", "SUSPICIOUS", "SPOOF", "SPAM", "BULK"]
+    final_disposition: Literal["MALICIOUS", "SUSPICIOUS", "SPOOF", "SPAM", "BULK", "NONE"]
     """The dispositions the search filters by."""
 
     message_action: Literal["PREVIEW", "QUARANTINE_RELEASED", "MOVED"]

src/cloudflare/types/email_security/investigate_list_params.py

@@ -29,6 +29,8 @@ class SubmissionListResponse(BaseModel):
         ]
     ] = None
 
+    original_edf_hash: Optional[str] = None
+
     outcome: Optional[str] = None
 
     outcome_disposition: Optional[

src/cloudflare/types/email_security/submission_list_response.py

@@ -111,6 +111,19 @@
     "InfrastructureApplicationPolicy",
     "InfrastructureApplicationPolicyConnectionRules",
     "InfrastructureApplicationPolicyConnectionRulesSSH",
+    "BrowserRdpApplication",
+    "BrowserRdpApplicationTargetCriterion",
+    "BrowserRdpApplicationDestination",
+    "BrowserRdpApplicationDestinationPublicDestination",
+    "BrowserRdpApplicationDestinationPrivateDestination",
+    "BrowserRdpApplicationPolicy",
+    "BrowserRdpApplicationPolicyAccessAppPolicyLink",
+    "BrowserRdpApplicationPolicyUnionMember2",
+    "BrowserRdpApplicationSCIMConfig",
+    "BrowserRdpApplicationSCIMConfigAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
 ]
 
 
@@ -2217,6 +2230,355 @@ class InfrastructureApplicationPolicy(TypedDict, total=False):
     """
 
 
+class BrowserRdpApplication(TypedDict, total=False):
+    domain: Required[str]
+    """The primary hostname and path secured by Access.
+
+    This domain will be displayed if the app is visible in the App Launcher.
+    """
+
+    target_criteria: Required[Iterable[BrowserRdpApplicationTargetCriterion]]
+
+    type: Required[str]
+    """The application type."""
+
+    account_id: str
+    """The Account ID to use for this endpoint. Mutually exclusive with the Zone ID."""
+
+    zone_id: str
+    """The Zone ID to use for this endpoint. Mutually exclusive with the Account ID."""
+
+    allow_authenticate_via_warp: bool
+    """
+    When set to true, users can authenticate to this application using their WARP
+    session. When set to false this application will always require direct IdP
+    authentication. This setting always overrides the organization setting for WARP
+    authentication.
+    """
+
+    allowed_idps: List[AllowedIdPs]
+    """The identity providers your users can select when connecting to this
+    application.
+
+    Defaults to all IdPs configured in your account.
+    """
+
+    app_launcher_visible: bool
+    """Displays the application in the App Launcher."""
+
+    auto_redirect_to_identity: bool
+    """When set to `true`, users skip the identity provider selection step during
+    login.
+
+    You must specify only one identity provider in allowed_idps.
+    """
+
+    cors_headers: CORSHeadersParam
+
+    custom_deny_message: str
+    """
+    The custom error message shown to a user when they are denied access to the
+    application.
+    """
+
+    custom_deny_url: str
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing identity-based rules.
+    """
+
+    custom_non_identity_deny_url: str
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing non-identity rules.
+    """
+
+    custom_pages: List[str]
+    """The custom pages that will be displayed when applicable for this application"""
+
+    destinations: Iterable[BrowserRdpApplicationDestination]
+    """List of destinations secured by Access.
+
+    This supersedes `self_hosted_domains` to allow for more flexibility in defining
+    different types of domains. If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    enable_binding_cookie: bool
+    """
+    Enables the binding cookie, which increases security against compromised
+    authorization tokens and CSRF attacks.
+    """
+
+    http_only_cookie_attribute: bool
+    """
+    Enables the HttpOnly cookie attribute, which increases security against XSS
+    attacks.
+    """
+
+    logo_url: str
+    """The image URL for the logo shown in the App Launcher dashboard."""
+
+    name: str
+    """The name of the application."""
+
+    options_preflight_bypass: bool
+    """
+    Allows options preflight requests to bypass Access authentication and go
+    directly to the origin. Cannot turn on if cors_headers is set.
+    """
+
+    path_cookie_attribute: bool
+    """Enables cookie paths to scope an application's JWT to the application path.
+
+    If disabled, the JWT will scope to the hostname by default
+    """
+
+    policies: List[BrowserRdpApplicationPolicy]
+    """
+    The policies that Access applies to the application, in ascending order of
+    precedence. Items can reference existing policies or create new policies
+    exclusive to the application.
+    """
+
+    same_site_cookie_attribute: str
+    """
+    Sets the SameSite cookie setting, which provides increased security against CSRF
+    attacks.
+    """
+
+    scim_config: BrowserRdpApplicationSCIMConfig
+    """Configuration for provisioning to this application via SCIM.
+
+    This is currently in closed beta.
+    """
+
+    self_hosted_domains: List[SelfHostedDomains]
+    """List of public domains that Access will secure.
+
+    This field is deprecated in favor of `destinations` and will be supported until
+    **November 21, 2025.** If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    service_auth_401_redirect: bool
+    """Returns a 401 status code when the request is blocked by a Service Auth policy."""
+
+    session_duration: str
+    """The amount of time that tokens issued for this application will be valid.
+
+    Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs),
+    ms, s, m, h.
+    """
+
+    skip_interstitial: bool
+    """Enables automatic authentication through cloudflared."""
+
+    tags: List[str]
+    """The tags you want assigned to an application.
+
+    Tags are used to filter applications in the App Launcher dashboard.
+    """
+
+
+class BrowserRdpApplicationTargetCriterion(TypedDict, total=False):
+    port: Required[int]
+    """The port that the targets use for the chosen communication protocol.
+
+    A port cannot be assigned to multiple protocols.
+    """
+
+    protocol: Required[Literal["ssh"]]
+    """The communication protocol your application secures."""
+
+    target_attributes: Required[Dict[str, List[str]]]
+    """Contains a map of target attribute keys to target attribute values."""
+
+
+class BrowserRdpApplicationDestinationPublicDestination(TypedDict, total=False):
+    type: Literal["public"]
+
+    uri: str
+    """The URI of the destination.
+
+    Public destinations' URIs can include a domain and path with
+    [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
+    """
+
+
+class BrowserRdpApplicationDestinationPrivateDestination(TypedDict, total=False):
+    cidr: str
+    """The CIDR range of the destination. Single IPs will be computed as /32."""
+
+    hostname: str
+    """The hostname of the destination. Matches a valid SNI served by an HTTPS origin."""
+
+    l4_protocol: Literal["tcp", "udp"]
+    """The L4 protocol of the destination.
+
+    When omitted, both UDP and TCP traffic will match.
+    """
+
+    port_range: str
+    """The port range of the destination.
+
+    Can be a single port or a range of ports. When omitted, all ports will match.
+    """
+
+    type: Literal["private"]
+
+    vnet_id: str
+    """The VNET ID to match the destination. When omitted, all VNETs will match."""
+
+
+BrowserRdpApplicationDestination: TypeAlias = Union[
+    BrowserRdpApplicationDestinationPublicDestination, BrowserRdpApplicationDestinationPrivateDestination
+]
+
+
+class BrowserRdpApplicationPolicyAccessAppPolicyLink(TypedDict, total=False):
+    id: str
+    """The UUID of the policy"""
+
+    precedence: int
+    """The order of execution for this policy.
+
+    Must be unique for each policy within an app.
+    """
+
+
+class BrowserRdpApplicationPolicyUnionMember2(TypedDict, total=False):
+    id: str
+    """The UUID of the policy"""
+
+    approval_groups: Iterable[ApprovalGroupParam]
+    """Administrators who can approve a temporary authentication request."""
+
+    approval_required: bool
+    """
+    Requires the user to request access from an administrator at the start of each
+    session.
+    """
+
+    isolation_required: bool
+    """
+    Require this application to be served in an isolated browser for users matching
+    this policy. 'Client Web Isolation' must be on for the account in order to use
+    this feature.
+    """
+
+    precedence: int
+    """The order of execution for this policy.
+
+    Must be unique for each policy within an app.
+    """
+
+    purpose_justification_prompt: str
+    """A custom message that will appear on the purpose justification screen."""
+
+    purpose_justification_required: bool
+    """Require users to enter a justification when they log in to the application."""
+
+    session_duration: str
+    """The amount of time that tokens issued for the application will be valid.
+
+    Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs),
+    ms, s, m, h.
+    """
+
+
+BrowserRdpApplicationPolicy: TypeAlias = Union[
+    BrowserRdpApplicationPolicyAccessAppPolicyLink, str, BrowserRdpApplicationPolicyUnionMember2
+]
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(
+    TypedDict, total=False
+):
+    client_id: Required[str]
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: Required[str]
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Required[Literal["access_service_token"]]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(
+    TypedDict, total=False
+):
+    client_id: Required[str]
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: Required[str]
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Required[Literal["access_service_token"]]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasicParam,
+    SCIMConfigAuthenticationOAuthBearerTokenParam,
+    SCIMConfigAuthenticationOauth2Param,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+]
+
+BrowserRdpApplicationSCIMConfigAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasicParam,
+    SCIMConfigAuthenticationOAuthBearerTokenParam,
+    SCIMConfigAuthenticationOauth2Param,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+    Iterable[BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication],
+]
+
+
+class BrowserRdpApplicationSCIMConfig(TypedDict, total=False):
+    idp_uid: Required[str]
+    """
+    The UID of the IdP to use as the source for SCIM resources to provision to this
+    application.
+    """
+
+    remote_uri: Required[str]
+    """The base URI for the application's SCIM-compatible API."""
+
+    authentication: BrowserRdpApplicationSCIMConfigAuthentication
+    """
+    Attributes for configuring HTTP Basic authentication scheme for SCIM
+    provisioning to an application.
+    """
+
+    deactivate_on_delete: bool
+    """
+    If false, propagates DELETE requests to the target application for SCIM
+    resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+    targets do not support DELETE operations.
+    """
+
+    enabled: bool
+    """Whether SCIM provisioning is turned on for this application."""
+
+    mappings: Iterable[SCIMConfigMappingParam]
+    """
+    A list of mappings to apply to SCIM resources before provisioning them in this
+    application. These can transform or filter the resources to be provisioned.
+    """
+
+
 ApplicationCreateParams: TypeAlias = Union[
     SelfHostedApplication,
     SaaSApplication,
@@ -2227,4 +2589,5 @@ class InfrastructureApplicationPolicy(TypedDict, total=False):
     BrowserIsolationPermissionsApplication,
     BookmarkApplication,
     InfrastructureApplication,
+    BrowserRdpApplication,
 ]

src/cloudflare/types/zero_trust/access/application_create_params.py

@@ -102,6 +102,17 @@
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication",
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
+    "BrowserRdpApplication",
+    "BrowserRdpApplicationTargetCriterion",
+    "BrowserRdpApplicationDestination",
+    "BrowserRdpApplicationDestinationPublicDestination",
+    "BrowserRdpApplicationDestinationPrivateDestination",
+    "BrowserRdpApplicationPolicy",
+    "BrowserRdpApplicationSCIMConfig",
+    "BrowserRdpApplicationSCIMConfigAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
 ]
 
 
@@ -1984,6 +1995,304 @@ class InfrastructureApplication(BaseModel):
     updated_at: Optional[datetime] = None
 
 
+class BrowserRdpApplicationTargetCriterion(BaseModel):
+    port: int
+    """The port that the targets use for the chosen communication protocol.
+
+    A port cannot be assigned to multiple protocols.
+    """
+
+    protocol: Literal["ssh"]
+    """The communication protocol your application secures."""
+
+    target_attributes: Dict[str, List[str]]
+    """Contains a map of target attribute keys to target attribute values."""
+
+
+class BrowserRdpApplicationDestinationPublicDestination(BaseModel):
+    type: Optional[Literal["public"]] = None
+
+    uri: Optional[str] = None
+    """The URI of the destination.
+
+    Public destinations' URIs can include a domain and path with
+    [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
+    """
+
+
+class BrowserRdpApplicationDestinationPrivateDestination(BaseModel):
+    cidr: Optional[str] = None
+    """The CIDR range of the destination. Single IPs will be computed as /32."""
+
+    hostname: Optional[str] = None
+    """The hostname of the destination. Matches a valid SNI served by an HTTPS origin."""
+
+    l4_protocol: Optional[Literal["tcp", "udp"]] = None
+    """The L4 protocol of the destination.
+
+    When omitted, both UDP and TCP traffic will match.
+    """
+
+    port_range: Optional[str] = None
+    """The port range of the destination.
+
+    Can be a single port or a range of ports. When omitted, all ports will match.
+    """
+
+    type: Optional[Literal["private"]] = None
+
+    vnet_id: Optional[str] = None
+    """The VNET ID to match the destination. When omitted, all VNETs will match."""
+
+
+BrowserRdpApplicationDestination: TypeAlias = Union[
+    BrowserRdpApplicationDestinationPublicDestination, BrowserRdpApplicationDestinationPrivateDestination
+]
+
+
+class BrowserRdpApplicationPolicy(ApplicationPolicy):
+    precedence: Optional[int] = None
+    """The order of execution for this policy.
+
+    Must be unique for each policy within an app.
+    """
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(BaseModel):
+    client_id: str
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: str
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Literal["access_service_token"]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(
+    BaseModel
+):
+    client_id: str
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: str
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Literal["access_service_token"]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasic,
+    SCIMConfigAuthenticationOAuthBearerToken,
+    SCIMConfigAuthenticationOauth2,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+]
+
+BrowserRdpApplicationSCIMConfigAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasic,
+    SCIMConfigAuthenticationOAuthBearerToken,
+    SCIMConfigAuthenticationOauth2,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+    List[BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication],
+]
+
+
+class BrowserRdpApplicationSCIMConfig(BaseModel):
+    idp_uid: str
+    """
+    The UID of the IdP to use as the source for SCIM resources to provision to this
+    application.
+    """
+
+    remote_uri: str
+    """The base URI for the application's SCIM-compatible API."""
+
+    authentication: Optional[BrowserRdpApplicationSCIMConfigAuthentication] = None
+    """
+    Attributes for configuring HTTP Basic authentication scheme for SCIM
+    provisioning to an application.
+    """
+
+    deactivate_on_delete: Optional[bool] = None
+    """
+    If false, propagates DELETE requests to the target application for SCIM
+    resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+    targets do not support DELETE operations.
+    """
+
+    enabled: Optional[bool] = None
+    """Whether SCIM provisioning is turned on for this application."""
+
+    mappings: Optional[List[SCIMConfigMapping]] = None
+    """
+    A list of mappings to apply to SCIM resources before provisioning them in this
+    application. These can transform or filter the resources to be provisioned.
+    """
+
+
+class BrowserRdpApplication(BaseModel):
+    domain: str
+    """The primary hostname and path secured by Access.
+
+    This domain will be displayed if the app is visible in the App Launcher.
+    """
+
+    target_criteria: List[BrowserRdpApplicationTargetCriterion]
+
+    type: str
+    """The application type."""
+
+    id: Optional[str] = None
+    """UUID"""
+
+    allow_authenticate_via_warp: Optional[bool] = None
+    """
+    When set to true, users can authenticate to this application using their WARP
+    session. When set to false this application will always require direct IdP
+    authentication. This setting always overrides the organization setting for WARP
+    authentication.
+    """
+
+    allowed_idps: Optional[List[AllowedIdPs]] = None
+    """The identity providers your users can select when connecting to this
+    application.
+
+    Defaults to all IdPs configured in your account.
+    """
+
+    app_launcher_visible: Optional[bool] = None
+    """Displays the application in the App Launcher."""
+
+    aud: Optional[str] = None
+    """Audience tag."""
+
+    auto_redirect_to_identity: Optional[bool] = None
+    """When set to `true`, users skip the identity provider selection step during
+    login.
+
+    You must specify only one identity provider in allowed_idps.
+    """
+
+    cors_headers: Optional[CORSHeaders] = None
+
+    created_at: Optional[datetime] = None
+
+    custom_deny_message: Optional[str] = None
+    """
+    The custom error message shown to a user when they are denied access to the
+    application.
+    """
+
+    custom_deny_url: Optional[str] = None
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing identity-based rules.
+    """
+
+    custom_non_identity_deny_url: Optional[str] = None
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing non-identity rules.
+    """
+
+    custom_pages: Optional[List[str]] = None
+    """The custom pages that will be displayed when applicable for this application"""
+
+    destinations: Optional[List[BrowserRdpApplicationDestination]] = None
+    """List of destinations secured by Access.
+
+    This supersedes `self_hosted_domains` to allow for more flexibility in defining
+    different types of domains. If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    enable_binding_cookie: Optional[bool] = None
+    """
+    Enables the binding cookie, which increases security against compromised
+    authorization tokens and CSRF attacks.
+    """
+
+    http_only_cookie_attribute: Optional[bool] = None
+    """
+    Enables the HttpOnly cookie attribute, which increases security against XSS
+    attacks.
+    """
+
+    logo_url: Optional[str] = None
+    """The image URL for the logo shown in the App Launcher dashboard."""
+
+    name: Optional[str] = None
+    """The name of the application."""
+
+    options_preflight_bypass: Optional[bool] = None
+    """
+    Allows options preflight requests to bypass Access authentication and go
+    directly to the origin. Cannot turn on if cors_headers is set.
+    """
+
+    path_cookie_attribute: Optional[bool] = None
+    """Enables cookie paths to scope an application's JWT to the application path.
+
+    If disabled, the JWT will scope to the hostname by default
+    """
+
+    policies: Optional[List[BrowserRdpApplicationPolicy]] = None
+
+    same_site_cookie_attribute: Optional[str] = None
+    """
+    Sets the SameSite cookie setting, which provides increased security against CSRF
+    attacks.
+    """
+
+    scim_config: Optional[BrowserRdpApplicationSCIMConfig] = None
+    """Configuration for provisioning to this application via SCIM.
+
+    This is currently in closed beta.
+    """
+
+    self_hosted_domains: Optional[List[SelfHostedDomains]] = None
+    """List of public domains that Access will secure.
+
+    This field is deprecated in favor of `destinations` and will be supported until
+    **November 21, 2025.** If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    service_auth_401_redirect: Optional[bool] = None
+    """Returns a 401 status code when the request is blocked by a Service Auth policy."""
+
+    session_duration: Optional[str] = None
+    """The amount of time that tokens issued for this application will be valid.
+
+    Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs),
+    ms, s, m, h.
+    """
+
+    skip_interstitial: Optional[bool] = None
+    """Enables automatic authentication through cloudflared."""
+
+    tags: Optional[List[str]] = None
+    """The tags you want assigned to an application.
+
+    Tags are used to filter applications in the App Launcher dashboard.
+    """
+
+    updated_at: Optional[datetime] = None
+
+
 ApplicationCreateResponse: TypeAlias = Union[
     SelfHostedApplication,
     SaaSApplication,
@@ -1994,4 +2303,5 @@ class InfrastructureApplication(BaseModel):
     BrowserIsolationPermissionsApplication,
     BookmarkApplication,
     InfrastructureApplication,
+    BrowserRdpApplication,
 ]

src/cloudflare/types/zero_trust/access/application_create_response.py

@@ -102,6 +102,17 @@
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication",
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
+    "BrowserRdpApplication",
+    "BrowserRdpApplicationTargetCriterion",
+    "BrowserRdpApplicationDestination",
+    "BrowserRdpApplicationDestinationPublicDestination",
+    "BrowserRdpApplicationDestinationPrivateDestination",
+    "BrowserRdpApplicationPolicy",
+    "BrowserRdpApplicationSCIMConfig",
+    "BrowserRdpApplicationSCIMConfigAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
 ]
 
 
@@ -1984,6 +1995,304 @@ class InfrastructureApplication(BaseModel):
     updated_at: Optional[datetime] = None
 
 
+class BrowserRdpApplicationTargetCriterion(BaseModel):
+    port: int
+    """The port that the targets use for the chosen communication protocol.
+
+    A port cannot be assigned to multiple protocols.
+    """
+
+    protocol: Literal["ssh"]
+    """The communication protocol your application secures."""
+
+    target_attributes: Dict[str, List[str]]
+    """Contains a map of target attribute keys to target attribute values."""
+
+
+class BrowserRdpApplicationDestinationPublicDestination(BaseModel):
+    type: Optional[Literal["public"]] = None
+
+    uri: Optional[str] = None
+    """The URI of the destination.
+
+    Public destinations' URIs can include a domain and path with
+    [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
+    """
+
+
+class BrowserRdpApplicationDestinationPrivateDestination(BaseModel):
+    cidr: Optional[str] = None
+    """The CIDR range of the destination. Single IPs will be computed as /32."""
+
+    hostname: Optional[str] = None
+    """The hostname of the destination. Matches a valid SNI served by an HTTPS origin."""
+
+    l4_protocol: Optional[Literal["tcp", "udp"]] = None
+    """The L4 protocol of the destination.
+
+    When omitted, both UDP and TCP traffic will match.
+    """
+
+    port_range: Optional[str] = None
+    """The port range of the destination.
+
+    Can be a single port or a range of ports. When omitted, all ports will match.
+    """
+
+    type: Optional[Literal["private"]] = None
+
+    vnet_id: Optional[str] = None
+    """The VNET ID to match the destination. When omitted, all VNETs will match."""
+
+
+BrowserRdpApplicationDestination: TypeAlias = Union[
+    BrowserRdpApplicationDestinationPublicDestination, BrowserRdpApplicationDestinationPrivateDestination
+]
+
+
+class BrowserRdpApplicationPolicy(ApplicationPolicy):
+    precedence: Optional[int] = None
+    """The order of execution for this policy.
+
+    Must be unique for each policy within an app.
+    """
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(BaseModel):
+    client_id: str
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: str
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Literal["access_service_token"]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(
+    BaseModel
+):
+    client_id: str
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: str
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Literal["access_service_token"]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasic,
+    SCIMConfigAuthenticationOAuthBearerToken,
+    SCIMConfigAuthenticationOauth2,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+]
+
+BrowserRdpApplicationSCIMConfigAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasic,
+    SCIMConfigAuthenticationOAuthBearerToken,
+    SCIMConfigAuthenticationOauth2,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+    List[BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication],
+]
+
+
+class BrowserRdpApplicationSCIMConfig(BaseModel):
+    idp_uid: str
+    """
+    The UID of the IdP to use as the source for SCIM resources to provision to this
+    application.
+    """
+
+    remote_uri: str
+    """The base URI for the application's SCIM-compatible API."""
+
+    authentication: Optional[BrowserRdpApplicationSCIMConfigAuthentication] = None
+    """
+    Attributes for configuring HTTP Basic authentication scheme for SCIM
+    provisioning to an application.
+    """
+
+    deactivate_on_delete: Optional[bool] = None
+    """
+    If false, propagates DELETE requests to the target application for SCIM
+    resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+    targets do not support DELETE operations.
+    """
+
+    enabled: Optional[bool] = None
+    """Whether SCIM provisioning is turned on for this application."""
+
+    mappings: Optional[List[SCIMConfigMapping]] = None
+    """
+    A list of mappings to apply to SCIM resources before provisioning them in this
+    application. These can transform or filter the resources to be provisioned.
+    """
+
+
+class BrowserRdpApplication(BaseModel):
+    domain: str
+    """The primary hostname and path secured by Access.
+
+    This domain will be displayed if the app is visible in the App Launcher.
+    """
+
+    target_criteria: List[BrowserRdpApplicationTargetCriterion]
+
+    type: str
+    """The application type."""
+
+    id: Optional[str] = None
+    """UUID"""
+
+    allow_authenticate_via_warp: Optional[bool] = None
+    """
+    When set to true, users can authenticate to this application using their WARP
+    session. When set to false this application will always require direct IdP
+    authentication. This setting always overrides the organization setting for WARP
+    authentication.
+    """
+
+    allowed_idps: Optional[List[AllowedIdPs]] = None
+    """The identity providers your users can select when connecting to this
+    application.
+
+    Defaults to all IdPs configured in your account.
+    """
+
+    app_launcher_visible: Optional[bool] = None
+    """Displays the application in the App Launcher."""
+
+    aud: Optional[str] = None
+    """Audience tag."""
+
+    auto_redirect_to_identity: Optional[bool] = None
+    """When set to `true`, users skip the identity provider selection step during
+    login.
+
+    You must specify only one identity provider in allowed_idps.
+    """
+
+    cors_headers: Optional[CORSHeaders] = None
+
+    created_at: Optional[datetime] = None
+
+    custom_deny_message: Optional[str] = None
+    """
+    The custom error message shown to a user when they are denied access to the
+    application.
+    """
+
+    custom_deny_url: Optional[str] = None
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing identity-based rules.
+    """
+
+    custom_non_identity_deny_url: Optional[str] = None
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing non-identity rules.
+    """
+
+    custom_pages: Optional[List[str]] = None
+    """The custom pages that will be displayed when applicable for this application"""
+
+    destinations: Optional[List[BrowserRdpApplicationDestination]] = None
+    """List of destinations secured by Access.
+
+    This supersedes `self_hosted_domains` to allow for more flexibility in defining
+    different types of domains. If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    enable_binding_cookie: Optional[bool] = None
+    """
+    Enables the binding cookie, which increases security against compromised
+    authorization tokens and CSRF attacks.
+    """
+
+    http_only_cookie_attribute: Optional[bool] = None
+    """
+    Enables the HttpOnly cookie attribute, which increases security against XSS
+    attacks.
+    """
+
+    logo_url: Optional[str] = None
+    """The image URL for the logo shown in the App Launcher dashboard."""
+
+    name: Optional[str] = None
+    """The name of the application."""
+
+    options_preflight_bypass: Optional[bool] = None
+    """
+    Allows options preflight requests to bypass Access authentication and go
+    directly to the origin. Cannot turn on if cors_headers is set.
+    """
+
+    path_cookie_attribute: Optional[bool] = None
+    """Enables cookie paths to scope an application's JWT to the application path.
+
+    If disabled, the JWT will scope to the hostname by default
+    """
+
+    policies: Optional[List[BrowserRdpApplicationPolicy]] = None
+
+    same_site_cookie_attribute: Optional[str] = None
+    """
+    Sets the SameSite cookie setting, which provides increased security against CSRF
+    attacks.
+    """
+
+    scim_config: Optional[BrowserRdpApplicationSCIMConfig] = None
+    """Configuration for provisioning to this application via SCIM.
+
+    This is currently in closed beta.
+    """
+
+    self_hosted_domains: Optional[List[SelfHostedDomains]] = None
+    """List of public domains that Access will secure.
+
+    This field is deprecated in favor of `destinations` and will be supported until
+    **November 21, 2025.** If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    service_auth_401_redirect: Optional[bool] = None
+    """Returns a 401 status code when the request is blocked by a Service Auth policy."""
+
+    session_duration: Optional[str] = None
+    """The amount of time that tokens issued for this application will be valid.
+
+    Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs),
+    ms, s, m, h.
+    """
+
+    skip_interstitial: Optional[bool] = None
+    """Enables automatic authentication through cloudflared."""
+
+    tags: Optional[List[str]] = None
+    """The tags you want assigned to an application.
+
+    Tags are used to filter applications in the App Launcher dashboard.
+    """
+
+    updated_at: Optional[datetime] = None
+
+
 ApplicationGetResponse: TypeAlias = Union[
     SelfHostedApplication,
     SaaSApplication,
@@ -1994,4 +2303,5 @@ class InfrastructureApplication(BaseModel):
     BrowserIsolationPermissionsApplication,
     BookmarkApplication,
     InfrastructureApplication,
+    BrowserRdpApplication,
 ]

src/cloudflare/types/zero_trust/access/application_get_response.py

@@ -102,6 +102,17 @@
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication",
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
+    "BrowserRdpApplication",
+    "BrowserRdpApplicationTargetCriterion",
+    "BrowserRdpApplicationDestination",
+    "BrowserRdpApplicationDestinationPublicDestination",
+    "BrowserRdpApplicationDestinationPrivateDestination",
+    "BrowserRdpApplicationPolicy",
+    "BrowserRdpApplicationSCIMConfig",
+    "BrowserRdpApplicationSCIMConfigAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
 ]
 
 
@@ -1984,6 +1995,304 @@ class InfrastructureApplication(BaseModel):
     updated_at: Optional[datetime] = None
 
 
+class BrowserRdpApplicationTargetCriterion(BaseModel):
+    port: int
+    """The port that the targets use for the chosen communication protocol.
+
+    A port cannot be assigned to multiple protocols.
+    """
+
+    protocol: Literal["ssh"]
+    """The communication protocol your application secures."""
+
+    target_attributes: Dict[str, List[str]]
+    """Contains a map of target attribute keys to target attribute values."""
+
+
+class BrowserRdpApplicationDestinationPublicDestination(BaseModel):
+    type: Optional[Literal["public"]] = None
+
+    uri: Optional[str] = None
+    """The URI of the destination.
+
+    Public destinations' URIs can include a domain and path with
+    [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
+    """
+
+
+class BrowserRdpApplicationDestinationPrivateDestination(BaseModel):
+    cidr: Optional[str] = None
+    """The CIDR range of the destination. Single IPs will be computed as /32."""
+
+    hostname: Optional[str] = None
+    """The hostname of the destination. Matches a valid SNI served by an HTTPS origin."""
+
+    l4_protocol: Optional[Literal["tcp", "udp"]] = None
+    """The L4 protocol of the destination.
+
+    When omitted, both UDP and TCP traffic will match.
+    """
+
+    port_range: Optional[str] = None
+    """The port range of the destination.
+
+    Can be a single port or a range of ports. When omitted, all ports will match.
+    """
+
+    type: Optional[Literal["private"]] = None
+
+    vnet_id: Optional[str] = None
+    """The VNET ID to match the destination. When omitted, all VNETs will match."""
+
+
+BrowserRdpApplicationDestination: TypeAlias = Union[
+    BrowserRdpApplicationDestinationPublicDestination, BrowserRdpApplicationDestinationPrivateDestination
+]
+
+
+class BrowserRdpApplicationPolicy(ApplicationPolicy):
+    precedence: Optional[int] = None
+    """The order of execution for this policy.
+
+    Must be unique for each policy within an app.
+    """
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(BaseModel):
+    client_id: str
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: str
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Literal["access_service_token"]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(
+    BaseModel
+):
+    client_id: str
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: str
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Literal["access_service_token"]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasic,
+    SCIMConfigAuthenticationOAuthBearerToken,
+    SCIMConfigAuthenticationOauth2,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+]
+
+BrowserRdpApplicationSCIMConfigAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasic,
+    SCIMConfigAuthenticationOAuthBearerToken,
+    SCIMConfigAuthenticationOauth2,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+    List[BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication],
+]
+
+
+class BrowserRdpApplicationSCIMConfig(BaseModel):
+    idp_uid: str
+    """
+    The UID of the IdP to use as the source for SCIM resources to provision to this
+    application.
+    """
+
+    remote_uri: str
+    """The base URI for the application's SCIM-compatible API."""
+
+    authentication: Optional[BrowserRdpApplicationSCIMConfigAuthentication] = None
+    """
+    Attributes for configuring HTTP Basic authentication scheme for SCIM
+    provisioning to an application.
+    """
+
+    deactivate_on_delete: Optional[bool] = None
+    """
+    If false, propagates DELETE requests to the target application for SCIM
+    resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+    targets do not support DELETE operations.
+    """
+
+    enabled: Optional[bool] = None
+    """Whether SCIM provisioning is turned on for this application."""
+
+    mappings: Optional[List[SCIMConfigMapping]] = None
+    """
+    A list of mappings to apply to SCIM resources before provisioning them in this
+    application. These can transform or filter the resources to be provisioned.
+    """
+
+
+class BrowserRdpApplication(BaseModel):
+    domain: str
+    """The primary hostname and path secured by Access.
+
+    This domain will be displayed if the app is visible in the App Launcher.
+    """
+
+    target_criteria: List[BrowserRdpApplicationTargetCriterion]
+
+    type: str
+    """The application type."""
+
+    id: Optional[str] = None
+    """UUID"""
+
+    allow_authenticate_via_warp: Optional[bool] = None
+    """
+    When set to true, users can authenticate to this application using their WARP
+    session. When set to false this application will always require direct IdP
+    authentication. This setting always overrides the organization setting for WARP
+    authentication.
+    """
+
+    allowed_idps: Optional[List[AllowedIdPs]] = None
+    """The identity providers your users can select when connecting to this
+    application.
+
+    Defaults to all IdPs configured in your account.
+    """
+
+    app_launcher_visible: Optional[bool] = None
+    """Displays the application in the App Launcher."""
+
+    aud: Optional[str] = None
+    """Audience tag."""
+
+    auto_redirect_to_identity: Optional[bool] = None
+    """When set to `true`, users skip the identity provider selection step during
+    login.
+
+    You must specify only one identity provider in allowed_idps.
+    """
+
+    cors_headers: Optional[CORSHeaders] = None
+
+    created_at: Optional[datetime] = None
+
+    custom_deny_message: Optional[str] = None
+    """
+    The custom error message shown to a user when they are denied access to the
+    application.
+    """
+
+    custom_deny_url: Optional[str] = None
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing identity-based rules.
+    """
+
+    custom_non_identity_deny_url: Optional[str] = None
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing non-identity rules.
+    """
+
+    custom_pages: Optional[List[str]] = None
+    """The custom pages that will be displayed when applicable for this application"""
+
+    destinations: Optional[List[BrowserRdpApplicationDestination]] = None
+    """List of destinations secured by Access.
+
+    This supersedes `self_hosted_domains` to allow for more flexibility in defining
+    different types of domains. If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    enable_binding_cookie: Optional[bool] = None
+    """
+    Enables the binding cookie, which increases security against compromised
+    authorization tokens and CSRF attacks.
+    """
+
+    http_only_cookie_attribute: Optional[bool] = None
+    """
+    Enables the HttpOnly cookie attribute, which increases security against XSS
+    attacks.
+    """
+
+    logo_url: Optional[str] = None
+    """The image URL for the logo shown in the App Launcher dashboard."""
+
+    name: Optional[str] = None
+    """The name of the application."""
+
+    options_preflight_bypass: Optional[bool] = None
+    """
+    Allows options preflight requests to bypass Access authentication and go
+    directly to the origin. Cannot turn on if cors_headers is set.
+    """
+
+    path_cookie_attribute: Optional[bool] = None
+    """Enables cookie paths to scope an application's JWT to the application path.
+
+    If disabled, the JWT will scope to the hostname by default
+    """
+
+    policies: Optional[List[BrowserRdpApplicationPolicy]] = None
+
+    same_site_cookie_attribute: Optional[str] = None
+    """
+    Sets the SameSite cookie setting, which provides increased security against CSRF
+    attacks.
+    """
+
+    scim_config: Optional[BrowserRdpApplicationSCIMConfig] = None
+    """Configuration for provisioning to this application via SCIM.
+
+    This is currently in closed beta.
+    """
+
+    self_hosted_domains: Optional[List[SelfHostedDomains]] = None
+    """List of public domains that Access will secure.
+
+    This field is deprecated in favor of `destinations` and will be supported until
+    **November 21, 2025.** If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    service_auth_401_redirect: Optional[bool] = None
+    """Returns a 401 status code when the request is blocked by a Service Auth policy."""
+
+    session_duration: Optional[str] = None
+    """The amount of time that tokens issued for this application will be valid.
+
+    Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs),
+    ms, s, m, h.
+    """
+
+    skip_interstitial: Optional[bool] = None
+    """Enables automatic authentication through cloudflared."""
+
+    tags: Optional[List[str]] = None
+    """The tags you want assigned to an application.
+
+    Tags are used to filter applications in the App Launcher dashboard.
+    """
+
+    updated_at: Optional[datetime] = None
+
+
 ApplicationListResponse: TypeAlias = Union[
     SelfHostedApplication,
     SaaSApplication,
@@ -1994,4 +2303,5 @@ class InfrastructureApplication(BaseModel):
     BrowserIsolationPermissionsApplication,
     BookmarkApplication,
     InfrastructureApplication,
+    BrowserRdpApplication,
 ]

src/cloudflare/types/zero_trust/access/application_list_response.py

@@ -5,5 +5,5 @@
 __all__ = ["ApplicationType"]
 
 ApplicationType: TypeAlias = Literal[
-    "self_hosted", "saas", "ssh", "vnc", "app_launcher", "warp", "biso", "bookmark", "dash_sso", "infrastructure"
+    "self_hosted", "saas", "ssh", "vnc", "app_launcher", "warp", "biso", "bookmark", "dash_sso", "infrastructure", "rdp"
 ]

src/cloudflare/types/zero_trust/access/application_type.py

@@ -111,6 +111,19 @@
     "InfrastructureApplicationPolicy",
     "InfrastructureApplicationPolicyConnectionRules",
     "InfrastructureApplicationPolicyConnectionRulesSSH",
+    "BrowserRdpApplication",
+    "BrowserRdpApplicationTargetCriterion",
+    "BrowserRdpApplicationDestination",
+    "BrowserRdpApplicationDestinationPublicDestination",
+    "BrowserRdpApplicationDestinationPrivateDestination",
+    "BrowserRdpApplicationPolicy",
+    "BrowserRdpApplicationPolicyAccessAppPolicyLink",
+    "BrowserRdpApplicationPolicyUnionMember2",
+    "BrowserRdpApplicationSCIMConfig",
+    "BrowserRdpApplicationSCIMConfigAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
 ]
 
 
@@ -2217,6 +2230,355 @@ class InfrastructureApplicationPolicy(TypedDict, total=False):
     """
 
 
+class BrowserRdpApplication(TypedDict, total=False):
+    domain: Required[str]
+    """The primary hostname and path secured by Access.
+
+    This domain will be displayed if the app is visible in the App Launcher.
+    """
+
+    target_criteria: Required[Iterable[BrowserRdpApplicationTargetCriterion]]
+
+    type: Required[str]
+    """The application type."""
+
+    account_id: str
+    """The Account ID to use for this endpoint. Mutually exclusive with the Zone ID."""
+
+    zone_id: str
+    """The Zone ID to use for this endpoint. Mutually exclusive with the Account ID."""
+
+    allow_authenticate_via_warp: bool
+    """
+    When set to true, users can authenticate to this application using their WARP
+    session. When set to false this application will always require direct IdP
+    authentication. This setting always overrides the organization setting for WARP
+    authentication.
+    """
+
+    allowed_idps: List[AllowedIdPs]
+    """The identity providers your users can select when connecting to this
+    application.
+
+    Defaults to all IdPs configured in your account.
+    """
+
+    app_launcher_visible: bool
+    """Displays the application in the App Launcher."""
+
+    auto_redirect_to_identity: bool
+    """When set to `true`, users skip the identity provider selection step during
+    login.
+
+    You must specify only one identity provider in allowed_idps.
+    """
+
+    cors_headers: CORSHeadersParam
+
+    custom_deny_message: str
+    """
+    The custom error message shown to a user when they are denied access to the
+    application.
+    """
+
+    custom_deny_url: str
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing identity-based rules.
+    """
+
+    custom_non_identity_deny_url: str
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing non-identity rules.
+    """
+
+    custom_pages: List[str]
+    """The custom pages that will be displayed when applicable for this application"""
+
+    destinations: Iterable[BrowserRdpApplicationDestination]
+    """List of destinations secured by Access.
+
+    This supersedes `self_hosted_domains` to allow for more flexibility in defining
+    different types of domains. If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    enable_binding_cookie: bool
+    """
+    Enables the binding cookie, which increases security against compromised
+    authorization tokens and CSRF attacks.
+    """
+
+    http_only_cookie_attribute: bool
+    """
+    Enables the HttpOnly cookie attribute, which increases security against XSS
+    attacks.
+    """
+
+    logo_url: str
+    """The image URL for the logo shown in the App Launcher dashboard."""
+
+    name: str
+    """The name of the application."""
+
+    options_preflight_bypass: bool
+    """
+    Allows options preflight requests to bypass Access authentication and go
+    directly to the origin. Cannot turn on if cors_headers is set.
+    """
+
+    path_cookie_attribute: bool
+    """Enables cookie paths to scope an application's JWT to the application path.
+
+    If disabled, the JWT will scope to the hostname by default
+    """
+
+    policies: List[BrowserRdpApplicationPolicy]
+    """
+    The policies that Access applies to the application, in ascending order of
+    precedence. Items can reference existing policies or create new policies
+    exclusive to the application.
+    """
+
+    same_site_cookie_attribute: str
+    """
+    Sets the SameSite cookie setting, which provides increased security against CSRF
+    attacks.
+    """
+
+    scim_config: BrowserRdpApplicationSCIMConfig
+    """Configuration for provisioning to this application via SCIM.
+
+    This is currently in closed beta.
+    """
+
+    self_hosted_domains: List[SelfHostedDomains]
+    """List of public domains that Access will secure.
+
+    This field is deprecated in favor of `destinations` and will be supported until
+    **November 21, 2025.** If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    service_auth_401_redirect: bool
+    """Returns a 401 status code when the request is blocked by a Service Auth policy."""
+
+    session_duration: str
+    """The amount of time that tokens issued for this application will be valid.
+
+    Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs),
+    ms, s, m, h.
+    """
+
+    skip_interstitial: bool
+    """Enables automatic authentication through cloudflared."""
+
+    tags: List[str]
+    """The tags you want assigned to an application.
+
+    Tags are used to filter applications in the App Launcher dashboard.
+    """
+
+
+class BrowserRdpApplicationTargetCriterion(TypedDict, total=False):
+    port: Required[int]
+    """The port that the targets use for the chosen communication protocol.
+
+    A port cannot be assigned to multiple protocols.
+    """
+
+    protocol: Required[Literal["ssh"]]
+    """The communication protocol your application secures."""
+
+    target_attributes: Required[Dict[str, List[str]]]
+    """Contains a map of target attribute keys to target attribute values."""
+
+
+class BrowserRdpApplicationDestinationPublicDestination(TypedDict, total=False):
+    type: Literal["public"]
+
+    uri: str
+    """The URI of the destination.
+
+    Public destinations' URIs can include a domain and path with
+    [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
+    """
+
+
+class BrowserRdpApplicationDestinationPrivateDestination(TypedDict, total=False):
+    cidr: str
+    """The CIDR range of the destination. Single IPs will be computed as /32."""
+
+    hostname: str
+    """The hostname of the destination. Matches a valid SNI served by an HTTPS origin."""
+
+    l4_protocol: Literal["tcp", "udp"]
+    """The L4 protocol of the destination.
+
+    When omitted, both UDP and TCP traffic will match.
+    """
+
+    port_range: str
+    """The port range of the destination.
+
+    Can be a single port or a range of ports. When omitted, all ports will match.
+    """
+
+    type: Literal["private"]
+
+    vnet_id: str
+    """The VNET ID to match the destination. When omitted, all VNETs will match."""
+
+
+BrowserRdpApplicationDestination: TypeAlias = Union[
+    BrowserRdpApplicationDestinationPublicDestination, BrowserRdpApplicationDestinationPrivateDestination
+]
+
+
+class BrowserRdpApplicationPolicyAccessAppPolicyLink(TypedDict, total=False):
+    id: str
+    """The UUID of the policy"""
+
+    precedence: int
+    """The order of execution for this policy.
+
+    Must be unique for each policy within an app.
+    """
+
+
+class BrowserRdpApplicationPolicyUnionMember2(TypedDict, total=False):
+    id: str
+    """The UUID of the policy"""
+
+    approval_groups: Iterable[ApprovalGroupParam]
+    """Administrators who can approve a temporary authentication request."""
+
+    approval_required: bool
+    """
+    Requires the user to request access from an administrator at the start of each
+    session.
+    """
+
+    isolation_required: bool
+    """
+    Require this application to be served in an isolated browser for users matching
+    this policy. 'Client Web Isolation' must be on for the account in order to use
+    this feature.
+    """
+
+    precedence: int
+    """The order of execution for this policy.
+
+    Must be unique for each policy within an app.
+    """
+
+    purpose_justification_prompt: str
+    """A custom message that will appear on the purpose justification screen."""
+
+    purpose_justification_required: bool
+    """Require users to enter a justification when they log in to the application."""
+
+    session_duration: str
+    """The amount of time that tokens issued for the application will be valid.
+
+    Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs),
+    ms, s, m, h.
+    """
+
+
+BrowserRdpApplicationPolicy: TypeAlias = Union[
+    BrowserRdpApplicationPolicyAccessAppPolicyLink, str, BrowserRdpApplicationPolicyUnionMember2
+]
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(
+    TypedDict, total=False
+):
+    client_id: Required[str]
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: Required[str]
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Required[Literal["access_service_token"]]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(
+    TypedDict, total=False
+):
+    client_id: Required[str]
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: Required[str]
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Required[Literal["access_service_token"]]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasicParam,
+    SCIMConfigAuthenticationOAuthBearerTokenParam,
+    SCIMConfigAuthenticationOauth2Param,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+]
+
+BrowserRdpApplicationSCIMConfigAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasicParam,
+    SCIMConfigAuthenticationOAuthBearerTokenParam,
+    SCIMConfigAuthenticationOauth2Param,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+    Iterable[BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication],
+]
+
+
+class BrowserRdpApplicationSCIMConfig(TypedDict, total=False):
+    idp_uid: Required[str]
+    """
+    The UID of the IdP to use as the source for SCIM resources to provision to this
+    application.
+    """
+
+    remote_uri: Required[str]
+    """The base URI for the application's SCIM-compatible API."""
+
+    authentication: BrowserRdpApplicationSCIMConfigAuthentication
+    """
+    Attributes for configuring HTTP Basic authentication scheme for SCIM
+    provisioning to an application.
+    """
+
+    deactivate_on_delete: bool
+    """
+    If false, propagates DELETE requests to the target application for SCIM
+    resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+    targets do not support DELETE operations.
+    """
+
+    enabled: bool
+    """Whether SCIM provisioning is turned on for this application."""
+
+    mappings: Iterable[SCIMConfigMappingParam]
+    """
+    A list of mappings to apply to SCIM resources before provisioning them in this
+    application. These can transform or filter the resources to be provisioned.
+    """
+
+
 ApplicationUpdateParams: TypeAlias = Union[
     SelfHostedApplication,
     SaaSApplication,
@@ -2227,4 +2589,5 @@ class InfrastructureApplicationPolicy(TypedDict, total=False):
     BrowserIsolationPermissionsApplication,
     BookmarkApplication,
     InfrastructureApplication,
+    BrowserRdpApplication,
 ]

src/cloudflare/types/zero_trust/access/application_update_params.py

@@ -102,6 +102,17 @@
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication",
     "InfrastructureApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
+    "BrowserRdpApplication",
+    "BrowserRdpApplicationTargetCriterion",
+    "BrowserRdpApplicationDestination",
+    "BrowserRdpApplicationDestinationPublicDestination",
+    "BrowserRdpApplicationDestinationPrivateDestination",
+    "BrowserRdpApplicationPolicy",
+    "BrowserRdpApplicationSCIMConfig",
+    "BrowserRdpApplicationSCIMConfigAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication",
+    "BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken",
 ]
 
 
@@ -1984,6 +1995,304 @@ class InfrastructureApplication(BaseModel):
     updated_at: Optional[datetime] = None
 
 
+class BrowserRdpApplicationTargetCriterion(BaseModel):
+    port: int
+    """The port that the targets use for the chosen communication protocol.
+
+    A port cannot be assigned to multiple protocols.
+    """
+
+    protocol: Literal["ssh"]
+    """The communication protocol your application secures."""
+
+    target_attributes: Dict[str, List[str]]
+    """Contains a map of target attribute keys to target attribute values."""
+
+
+class BrowserRdpApplicationDestinationPublicDestination(BaseModel):
+    type: Optional[Literal["public"]] = None
+
+    uri: Optional[str] = None
+    """The URI of the destination.
+
+    Public destinations' URIs can include a domain and path with
+    [wildcards](https://developers.cloudflare.com/cloudflare-one/policies/access/app-paths/).
+    """
+
+
+class BrowserRdpApplicationDestinationPrivateDestination(BaseModel):
+    cidr: Optional[str] = None
+    """The CIDR range of the destination. Single IPs will be computed as /32."""
+
+    hostname: Optional[str] = None
+    """The hostname of the destination. Matches a valid SNI served by an HTTPS origin."""
+
+    l4_protocol: Optional[Literal["tcp", "udp"]] = None
+    """The L4 protocol of the destination.
+
+    When omitted, both UDP and TCP traffic will match.
+    """
+
+    port_range: Optional[str] = None
+    """The port range of the destination.
+
+    Can be a single port or a range of ports. When omitted, all ports will match.
+    """
+
+    type: Optional[Literal["private"]] = None
+
+    vnet_id: Optional[str] = None
+    """The VNET ID to match the destination. When omitted, all VNETs will match."""
+
+
+BrowserRdpApplicationDestination: TypeAlias = Union[
+    BrowserRdpApplicationDestinationPublicDestination, BrowserRdpApplicationDestinationPrivateDestination
+]
+
+
+class BrowserRdpApplicationPolicy(ApplicationPolicy):
+    precedence: Optional[int] = None
+    """The order of execution for this policy.
+
+    Must be unique for each policy within an app.
+    """
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(BaseModel):
+    client_id: str
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: str
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Literal["access_service_token"]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+class BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken(
+    BaseModel
+):
+    client_id: str
+    """
+    Client ID of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    client_secret: str
+    """
+    Client secret of the Access service token used to authenticate with the remote
+    service.
+    """
+
+    scheme: Literal["access_service_token"]
+    """The authentication scheme to use when making SCIM requests to this application."""
+
+
+BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasic,
+    SCIMConfigAuthenticationOAuthBearerToken,
+    SCIMConfigAuthenticationOauth2,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+]
+
+BrowserRdpApplicationSCIMConfigAuthentication: TypeAlias = Union[
+    SCIMConfigAuthenticationHTTPBasic,
+    SCIMConfigAuthenticationOAuthBearerToken,
+    SCIMConfigAuthenticationOauth2,
+    BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigAuthenticationAccessServiceToken,
+    List[BrowserRdpApplicationSCIMConfigAuthenticationAccessSCIMConfigMultiAuthentication],
+]
+
+
+class BrowserRdpApplicationSCIMConfig(BaseModel):
+    idp_uid: str
+    """
+    The UID of the IdP to use as the source for SCIM resources to provision to this
+    application.
+    """
+
+    remote_uri: str
+    """The base URI for the application's SCIM-compatible API."""
+
+    authentication: Optional[BrowserRdpApplicationSCIMConfigAuthentication] = None
+    """
+    Attributes for configuring HTTP Basic authentication scheme for SCIM
+    provisioning to an application.
+    """
+
+    deactivate_on_delete: Optional[bool] = None
+    """
+    If false, propagates DELETE requests to the target application for SCIM
+    resources. If true, sets 'active' to false on the SCIM resource. Note: Some
+    targets do not support DELETE operations.
+    """
+
+    enabled: Optional[bool] = None
+    """Whether SCIM provisioning is turned on for this application."""
+
+    mappings: Optional[List[SCIMConfigMapping]] = None
+    """
+    A list of mappings to apply to SCIM resources before provisioning them in this
+    application. These can transform or filter the resources to be provisioned.
+    """
+
+
+class BrowserRdpApplication(BaseModel):
+    domain: str
+    """The primary hostname and path secured by Access.
+
+    This domain will be displayed if the app is visible in the App Launcher.
+    """
+
+    target_criteria: List[BrowserRdpApplicationTargetCriterion]
+
+    type: str
+    """The application type."""
+
+    id: Optional[str] = None
+    """UUID"""
+
+    allow_authenticate_via_warp: Optional[bool] = None
+    """
+    When set to true, users can authenticate to this application using their WARP
+    session. When set to false this application will always require direct IdP
+    authentication. This setting always overrides the organization setting for WARP
+    authentication.
+    """
+
+    allowed_idps: Optional[List[AllowedIdPs]] = None
+    """The identity providers your users can select when connecting to this
+    application.
+
+    Defaults to all IdPs configured in your account.
+    """
+
+    app_launcher_visible: Optional[bool] = None
+    """Displays the application in the App Launcher."""
+
+    aud: Optional[str] = None
+    """Audience tag."""
+
+    auto_redirect_to_identity: Optional[bool] = None
+    """When set to `true`, users skip the identity provider selection step during
+    login.
+
+    You must specify only one identity provider in allowed_idps.
+    """
+
+    cors_headers: Optional[CORSHeaders] = None
+
+    created_at: Optional[datetime] = None
+
+    custom_deny_message: Optional[str] = None
+    """
+    The custom error message shown to a user when they are denied access to the
+    application.
+    """
+
+    custom_deny_url: Optional[str] = None
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing identity-based rules.
+    """
+
+    custom_non_identity_deny_url: Optional[str] = None
+    """
+    The custom URL a user is redirected to when they are denied access to the
+    application when failing non-identity rules.
+    """
+
+    custom_pages: Optional[List[str]] = None
+    """The custom pages that will be displayed when applicable for this application"""
+
+    destinations: Optional[List[BrowserRdpApplicationDestination]] = None
+    """List of destinations secured by Access.
+
+    This supersedes `self_hosted_domains` to allow for more flexibility in defining
+    different types of domains. If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    enable_binding_cookie: Optional[bool] = None
+    """
+    Enables the binding cookie, which increases security against compromised
+    authorization tokens and CSRF attacks.
+    """
+
+    http_only_cookie_attribute: Optional[bool] = None
+    """
+    Enables the HttpOnly cookie attribute, which increases security against XSS
+    attacks.
+    """
+
+    logo_url: Optional[str] = None
+    """The image URL for the logo shown in the App Launcher dashboard."""
+
+    name: Optional[str] = None
+    """The name of the application."""
+
+    options_preflight_bypass: Optional[bool] = None
+    """
+    Allows options preflight requests to bypass Access authentication and go
+    directly to the origin. Cannot turn on if cors_headers is set.
+    """
+
+    path_cookie_attribute: Optional[bool] = None
+    """Enables cookie paths to scope an application's JWT to the application path.
+
+    If disabled, the JWT will scope to the hostname by default
+    """
+
+    policies: Optional[List[BrowserRdpApplicationPolicy]] = None
+
+    same_site_cookie_attribute: Optional[str] = None
+    """
+    Sets the SameSite cookie setting, which provides increased security against CSRF
+    attacks.
+    """
+
+    scim_config: Optional[BrowserRdpApplicationSCIMConfig] = None
+    """Configuration for provisioning to this application via SCIM.
+
+    This is currently in closed beta.
+    """
+
+    self_hosted_domains: Optional[List[SelfHostedDomains]] = None
+    """List of public domains that Access will secure.
+
+    This field is deprecated in favor of `destinations` and will be supported until
+    **November 21, 2025.** If `destinations` are provided, then
+    `self_hosted_domains` will be ignored.
+    """
+
+    service_auth_401_redirect: Optional[bool] = None
+    """Returns a 401 status code when the request is blocked by a Service Auth policy."""
+
+    session_duration: Optional[str] = None
+    """The amount of time that tokens issued for this application will be valid.
+
+    Must be in the format `300ms` or `2h45m`. Valid time units are: ns, us (or µs),
+    ms, s, m, h.
+    """
+
+    skip_interstitial: Optional[bool] = None
+    """Enables automatic authentication through cloudflared."""
+
+    tags: Optional[List[str]] = None
+    """The tags you want assigned to an application.
+
+    Tags are used to filter applications in the App Launcher dashboard.
+    """
+
+    updated_at: Optional[datetime] = None
+
+
 ApplicationUpdateResponse: TypeAlias = Union[
     SelfHostedApplication,
     SaaSApplication,
@@ -1994,4 +2303,5 @@ class InfrastructureApplication(BaseModel):
     BrowserIsolationPermissionsApplication,
     BookmarkApplication,
     InfrastructureApplication,
+    BrowserRdpApplication,
 ]