release: 6.3.0

[stainless-app]

Automated Release PR

6.3.0 (2026-05-21)

Full Changelog: v6.2.0...v6.3.0

Features

New Resources

• dls: add DLS (Data Localization Suite) resource with regions (list/get) and regionalServices.prefixBindings (create/list/delete/edit/get) sub-resources (4dcf0db)

New Sub-Resources

• organizations: add billing.usage sub-resource — FOCUS v1.3 cost-and-usage dataset (get) at /organizations/{organization_id}/billable/usage (2c93faf)
• r2: add buckets.objects sub-resource — list, delete, get, upload (PUT) for direct R2 object operations (94a26fc)
• workers: add observability.queries sub-resource — create and list saved telemetry queries (d1f8d27)
• zero-trust: add access.samlCertificates sub-resource — list, get, getPem, rotate SAML signing certificate sets at the account level (4d75785)
• zero-trust: add identityProviders.samlCertificate sub-resource — create a SAML encryption certificate set bound to an Identity Provider (4d75785)

New Methods

• billing: add usage.get method — FOCUS v1.3 cost-and-usage dataset at /accounts/{account_id}/billable/usage (returns UsageGetResponse with BillingAccountId, ChargeCategory, ConsumedQuantity, BilledCost, EffectiveCost, etc.) (665f6ea)
• secrets-store: add stores.get method — fetch a single store by ID (GET /accounts/{account_id}/secrets_store/stores/{store_id}) returning StoreGetResponse (542f312)
• workers: add scripts.secrets.bulkUpdate method — PATCH /accounts/{account_id}/workers/scripts/{script_name}/secrets-bulk for bulk secret updates (840cea9)
• workers-for-platforms: add dispatch.namespaces.scripts.secrets.bulkUpdate method — same bulk-update endpoint for dispatch-namespace scripts (840cea9)

New Fields and Parameters

• ai: add format?: 'openrouter' query param to models.list for returning models in the OpenRouter marketplace format (a3ba7fc)
• aisearch: add degraded?: boolean response field to InstanceStatsResponse and namespaces.instances.InstanceStatsResponse — set when status counts are unavailable (e.g. legacy stats query exceeded D1 statement-size limit) (49c2987)
• cloudforce-one: add alpha2: string field to threatEvents.countries.list response items (CountryListResponseItem.Result) alongside the existing alpha3/name fields (0aa9ae0)
• custom-certificates: private_key on CustomCertificateCreateParams is now optional when custom_csr_id is provided (previously always required) (6e90245)
• logpush: add mnm_flow_logs to the dataset enum on datasets.fields.get, datasets.jobs.get, LogpushJob.dataset, and JobCreateParams.dataset (5bc2413)
• organizations: Organizations API moved from Closed Beta to Public Beta — affects organizations.create, update, list, delete, get, and organizationProfile.update/get docstrings (54b7f07)
• radar: add CONTENT_TYPE dimension and contentType?: Array<'HTML' | 'IMAGES' | 'JSON' | 'JAVASCRIPT' | 'CSS' | 'PLAIN_TEXT' | 'FONTS' | 'XML' | 'YAML' | 'VIDEO' | 'AUDIO' | 'MARKDOWN' | 'DOCUMENTS' | 'BINARY' | 'SERIALIZATION' | 'OTHER'> filter param to radar.http.summaryV2, timeseriesGroups, and related HTTP analytics methods (d5bc24a)
• spectrum: add virtual_network_id?: string field to OriginDNS config on AppCreateResponse, AppUpdateResponse, AppListResponse, AppGetResponse, AppCreateParams, and AppUpdateParams — routes origin traffic through tunnel virtual networks (1afad1f)
• workers: add 'opentelemetry-metrics' enum value to logpushDataset field on observability.destinations (DestinationCreateResponse.Configuration, DestinationUpdateResponse.Configuration, DestinationListResponse.Configuration) (d1f8d27)
• workers: add observability.traces.propagation_policy?: 'authenticated' | 'accept' field on Worker, WorkerCreateParams, WorkerUpdateParams, ScriptSetting, SettingEditParams, and script-and-version-settings — controls how inbound traceparent/tracestate headers are honored (d1f8d27)
• workers: add ends_with filter operation and ENDS_WITH comparison enum value to observability.telemetry.query filters (d1f8d27)
• workers: add preview?: { id?: string; name?: string; slug?: string } field to TelemetryQueryResponse.UnionMember0 and UnionMember1 event items — surfaces preview deployment metadata on telemetry results (d1f8d27)
• workers: narrow observability.telemetry source field type from string | unknown to string | { [key: string]: unknown } — non-breaking type refinement that gives consumers better inference (d1f8d27)
• zero-trust: add Cloudflare-as-Identity-Provider — new 'cloudflare' value in IdentityProviderType and IdentityProviderTypeParam unions, plus a new AccessCloudflare interface variant added to IdentityProvider, IdentityProviderParam, IdentityProviderListResponse, IdentityProviderCreateParams, and IdentityProviderUpdateParams unions (4d75785)
• zero-trust: add AccessCloudflareAccountMemberRule policy rule type to AccessRule union (and AccessRuleParam) — matches users who are members of a specific Cloudflare account; pairs with the new Cloudflare IdP type (4d75785)
• zero-trust: add saml_certificate_set? and saml_certificate_set_id? fields across all 16 Identity Provider variants (AzureAD, AccessCentrify, AccessCloudflare, AccessFacebook, AccessGitHub, AccessGoogle, AccessGoogleApps, AccessLinkedin, AccessOIDC, AccessOkta, AccessOnelogin, AccessOnetimepin, AccessPingone, AccessSAML, AccessYandex, and the new AccessCloudflare) — references the bound SAML encryption certificate set (4d75785)
• zero-trust: add error_details? (with cause, is_upstream, mcp_code, retryable, status_code fields) and is_shared_oauth_callback_enabled?: boolean to access.aiControls.mcp.portals and mcp.servers response types — surfaces MCP gateway error details and shared-OAuth-callback rollout state (dc1c78c)
• zero-trust: add portal_description? and server_description? fields to access.aiControls.mcp.portals Server.UpdatedPrompt (Create/Update/List/Get response variants); the older description? field is now @deprecated in favor of these — portal-level wins when present, otherwise falls back to server-level (dc1c78c)
• zero-trust: refine access.aiControls.mcp.servers.ServerSyncResponse from unknown to { error?: string; error_details?: ServerSyncResponse.ErrorDetails; status?: string } — gives consumers a typed shape with MCP error details (dc1c78c)
• zero-trust: add auth_state?: Array<'Good' | 'Notified' | 'Will Block' | 'Blocked'> field to KolideInput and KolideInputParam device-posture types — restricts the posture check to specific Kolide auth states (dc1c78c)

Deprecations

• zero-trust: access.aiControls.mcp.portals Server.UpdatedPrompt.description? is now @deprecated. Use the new portal_description? or server_description? fields instead. The deprecated field is still populated for backward compatibility (portal-level wins when present, otherwise falls back to server-level) and will be removed after a deprecation window. (dc1c78c)

Breaking Changes

• billing: the underlying API endpoint for client.billing.usage.paygo() changed from GET /accounts/{account_id}/billing/usage/paygo to GET /accounts/{account_id}/paygo-usage. The SDK call site, method signature, params, and return type are unchanged — existing code does not need to be modified. This is recorded as a breaking change because the underlying API contract moved; users on older SDK versions may see 404s if the old URL is retired by the Cloudflare API server. (665f6ea)

Chores

• ai: documentation tightening across model list responses (a3ba7fc)
• cloudforce-one: documentation refresh on threat-events country fields (0aa9ae0)
• email-sending: internal client-name string update (1199217)
• intel: rephrase sinkhole field descriptions for clarity (b471160)
• radar: trailing chore from previous sync round (6446c29)
• workers-for-platforms: documentation updates on existing dispatch endpoints alongside the bulkUpdate addition (074b214)
• zero-trust: generated-output churn alongside the SAML certificate work (dc1c78c), (40ea4d5)
• sync codegen shared files (api.md, .stats.yml, scripts/detect-breaking-changes, src/index.ts, src/resources/index.ts) across multiple sync rounds (4d7dd4d), (fdef412), (22e2a09), (7e4b075)

Migration Guide

This guide covers the breaking change in v6.3.0 and how to update your code.

---

1. Billing: usage.paygo endpoint URL changed

What changed:
The HTTP endpoint that backs client.billing.usage.paygo() was renamed from
/accounts/{account_id}/billing/usage/paygo to /accounts/{account_id}/paygo-usage.

Impact:
None at the SDK level. The method name, parameter shape (UsagePaygoParams),
and return type (UsagePaygoResponse) are all unchanged. Existing code
calling client.billing.usage.paygo({ account_id, from, to }) continues to
work without modification.

The "breaking change" label is conservative: it acknowledges that the
underlying API path moved, so users who pin to an older SDK version may
eventually see 404 responses if the Cloudflare API team retires the old
path. If the API team keeps both paths alive during the transition (the usual
behaviour), there is no user-visible breakage.

Affected Method:

• client.billing.usage.paygo

Before (v6.2.0):

const usage = await client.billing.usage.paygo({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  from: '2025-05-01',
  to: '2025-05-31',
});
// SDK calls: GET /accounts/023e105f4ecef8ad9ca31a8372d0c353/billing/usage/paygo

After (v6.3.0):

const usage = await client.billing.usage.paygo({
  account_id: '023e105f4ecef8ad9ca31a8372d0c353',
  from: '2025-05-01',
  to: '2025-05-31',
});
// SDK calls: GET /accounts/023e105f4ecef8ad9ca31a8372d0c353/paygo-usage

Actions Needed:

1. No code changes required for normal SDK consumers.
2. If you maintain a proxy or URL allow-list that filters Cloudflare API
   requests by path, add /accounts/*/paygo-usage to the allow-list.
3. Consider also adopting the new client.billing.usage.get() method, which
   returns the FinOps FOCUS v1.3 cost-and-usage dataset for more detailed
   cost reporting.

---

Summary

#	Resource	Change	Action
1	Billing	usage.paygo endpoint URL moved from /billing/usage/paygo to /paygo-usage	None at SDK level; update proxy/URL allow-lists if applicable

---

This pull request is managed by Stainless's GitHub App.

The semver version number is based on included commit messages. Alternatively, you can manually set the version number in the title of this pull request.

For a better experience, it is recommended to use either rebase-merge or squash-merge when merging this pull request.

🔗 Stainless website
📚 Read the docs
🙋 Reach out for help or questions

[stainless-app]

🤖 Release is at https://github.com/cloudflare/cloudflare-typescript/releases/tag/v6.3.0 🌻