What is the correct API endpoint and token permissions needed to update Zero Trust Access Group whitelist IP range?

I am trying to update the IP range for a specific Access Group via the API but can’t seem to understand the right combination of API token and zone/account keys.

Use case: when accessing some services behind Access, I want to transparently check (via allowlist) if the user is at that location (home). I have been using the public IP from my ISP. It’s dynamic so when it changes I need to manually update the IP in the access.

I can create a new Group but it does not show in the Access Group UI so I suspect I have the endpoint incorrect (it’s really confusing).

I am copying the group ID from inside the access rule.
I am copying the token from my user account (see permissions below).
I am copying the zone ID from the zone home page (account ID is also available here).

I have created a custom API token with the following permissions:

All accounts - Zero Trust:Edit, Access: Organizations, Identity Providers, and Groups:Edit, Access: Apps and Policies:Edit
All zones - Access: Apps and Policies:Edit, Firewall Services:Edit
curl --request PATCH \
  --url "https://api.cloudflare.com/client/v4/zones/{{ zone ID }}/firewall/access_rules/rules/{{ group ID}}"  \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer {{ custom API token }}" \
  --data '{
  "mode": "whitelist",
    "value":"{{ public IP }}"
  "notes": "Updated with latest public IP"

I get the response:

  "result": null,
  "success": false,
  "errors": [
      "code": 10001,
      "message": "firewallaccessrules.api.not_found"
  "messages": []

Can someone please point me in the right direction (or at least identify if there is something wrong with what I have above)?

Ok, progress. Updating this in case someone else finds it useful.
For a start I am using the wrong endpoint. I should be using:


And then the format is as follows:

curl --request PUT \
  --url "https://api.cloudflare.com/client/v4/accounts/{{ account ID }}/access/groups/{{ group ID }}" \
  --header 'Content-Type: application/json' \
  --header "Authorization: Bearer {{ API token }}" \
  --data '{
  "include": [
      "ip": {
        "ip": "{{ public IP}}"
  "name": "{{ name of group}}"

I can use another curl request to get the current public IP and assign that to a variable.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.