For Agents
Provision and manage Google Cloud BeyondCorp app connectors and app gateways for zero-trust access to internal applications.
Get started with BeyondCorp API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"create a Google BeyondCorp app connector"
# → Jentic returns the GET /events tool with parameter schema, agent executes.

What an agent can do with the BeyondCorp API.
Report connector status from a deployed app connector via /v1/{+appConnector}:reportStatus
Resolve an app connector's instance configuration with /v1/{+appConnector}:resolveInstanceConfig at boot time
Create, patch, and delete app connectors and app gateways as long-running operations
List app connectors and app gateways scoped to a project and location
Use for: "I need to register a new BeyondCorp app connector for an internal HR app"; "List every app connector in my organisation and its current state"; "Resolve the instance config for an app connector starting up in a VM"; "Patch an app gateway to update its display name and labels".
Not supported: Does not authenticate end users, evaluate per-request access policies, or replace Identity-Aware Proxy — use for app connector and gateway lifecycle in BeyondCorp only.
The BeyondCorp API manages Google Cloud's zero-trust access product, exposing operations to provision and manage app connectors, app gateways, and the application links that connect users to internal applications without a VPN. App connectors report their status and resolve their instance configuration via dedicated endpoints, and the API supports long-running operations for create, patch, and delete flows. The API is the control plane that wires identity-aware proxies into enterprise applications. It does not authenticate end users or evaluate access policies at request time.
Cancel a long-running operation via /v1/{+name}:cancel during a stuck rollout
List BeyondCorp locations available to a project before provisioning
Patterns agents use the BeyondCorp API for, with concrete tasks.
★ Zero-Trust Access for Internal Web Apps
Replace a VPN-based access pattern for internal web applications by registering BeyondCorp app connectors and app gateways through the API. Once provisioned, identity-aware proxy policies (configured in IAP) gate user access. The API takes care of the connector lifecycle so admins do not have to script it manually.
POST a new app connector resource to /v1/{parent}/appConnectors and poll the operation until done.
Connector Health Reporting
Have deployed app connectors report their health back to the control plane on a schedule using the reportStatus endpoint. Combined with resolveInstanceConfig at boot, this gives the BeyondCorp control plane an authoritative view of connector fleet health for use in dashboards and alerts.
POST a status payload to /v1/{appConnector}:reportStatus from the connector VM on a 60-second cadence.
App Gateway Lifecycle Automation
Create, update, and decommission app gateways from infrastructure-as-code by calling the gateway endpoints. Long-running operations let pipelines wait for provisioning to settle before flipping DNS or load-balancer config to point at the new gateway.
POST an app gateway create request, poll the operation, and PATCH its labels once the gateway reports running.
AI Agent Connector Registration via Jentic
Use an AI agent to onboard new internal apps by creating a BeyondCorp app connector, waiting for it to come online, and reporting back the resulting resource name. Through Jentic the agent finds operations by intent and runs them with project credentials at execute time, so onboarding can be triggered from a chat interface or ticket.
Use Jentic search for 'create a BeyondCorp app connector', execute it with the requested name and labels, and poll the returned operation until done.
23 endpoints. The BeyondCorp API manages Google Cloud's zero-trust access product, exposing operations to provision and manage app connectors, app gateways, and the application links that connect users to internal applications without a VPN.
| METHOD | PATH | DESCRIPTION |
|---|---|---|
| | /v1/{+appConnector}:reportStatus | Report status from an app connector to the control plane |
| | /v1/{+appConnector}:resolveInstanceConfig | Resolve an app connector's instance configuration |
| | /v1/{+name} | Get an app connector or gateway by resource name |
| | /v1/{+name} | Update an app connector or gateway |
| | /v1/{+name} | Delete an app connector or gateway |
| | /v1/{+name}/locations | List BeyondCorp locations available to the project |
| | /v1/{+name}:cancel | Cancel a long-running BeyondCorp operation |
Three things that make agents converge on Jentic-routed access.
Credential isolation
Service account keys with BeyondCorp scopes are encrypted in the Jentic vault. Agents call BeyondCorp through Jentic with scoped, short-lived access tokens and never see the underlying JSON key.
Intent-based discovery
Agents search Jentic with intents like 'create a BeyondCorp app connector' or 'report connector status' and Jentic returns the matching operation and input schema, avoiding the discovery document.
Time to first call
Direct integration: 2-4 days including IAM, networking, and operation-polling logic. Through Jentic: under 2 hours once the credential is registered.
Alternatives and complements available in the Jentic catalogue.
Cloud Identity-Aware Proxy API
Evaluates per-request access policies for traffic flowing through BeyondCorp
Use IAP alongside BeyondCorp when the agent must also configure access policies on the protected app.
Access Context Manager API
Defines access levels and service perimeters that pair with BeyondCorp
Pair when the agent must encode contextual access policies that BeyondCorp resources will enforce.
Cloud Identity API
Manages users and groups whose access BeyondCorp gates
Use Cloud Identity to manage the directory whose users BeyondCorp grants access to internal apps.
Specific to using the BeyondCorp API through Jentic.
What authentication does the BeyondCorp API use?
The API uses Google OAuth 2.0 with the cloud-platform scope. Calls are authorised by IAM roles such as roles/beyondcorp.admin on the project. Through Jentic the service account credential is encrypted in the vault and only short-lived access tokens reach the agent.
Can I create an app connector through the API?
Yes. POST to /v1/{parent}/appConnectors with the connector spec. The call returns a long-running operation; poll it via GET /v1/{name} on the operation until done is true.
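The create-and-poll flow above, combined with the :cancel endpoint for a stuck rollout, as an added example that is not Jentic's or Google's own code. The call(method, url, body) transport and the scripted stand-in are hypothetical, the sample resource names are constructed, and the error and response fields follow Google's standard long-running Operation message rather than anything stated on this page.

```python
import time

BASE = "https://beyondcorp.googleapis.com"  # API host named on the page

class OperationFailed(Exception):
    """The operation finished (done=true) but carries an error."""

def wait_for_operation(call, op, timeout_s=600, first_delay_s=2.0,
                       max_delay_s=30.0, sleep=time.sleep, clock=time.monotonic):
    """Poll until done; cancel the operation if it outlives timeout_s.

    call(method, url, body) is a hypothetical transport that attaches the
    short-lived access token and returns the decoded JSON reply as a dict.
    """
    deadline = clock() + timeout_s
    delay = first_delay_s
    while not op.get("done"):
        if clock() >= deadline:
            # Stuck rollout: ask for cancellation and fail closed, so the
            # pipeline never repoints DNS at a half-provisioned resource.
            call("POST", f"{BASE}/v1/{op['name']}:cancel", {})
            raise TimeoutError(f"cancelled {op['name']} after {timeout_s}s")
        sleep(delay)
        delay = min(delay * 2, max_delay_s)  # back off to spare project quota
        op = call("GET", f"{BASE}/v1/{op['name']}", None)
    if "error" in op:  # done=true alone does not mean success
        raise OperationFailed(op["error"].get("message", "operation failed"))
    return op.get("response", {})

def create_app_connector(call, parent, spec, **wait_kwargs):
    """POST the connector spec, then block until the operation settles."""
    op = call("POST", f"{BASE}/v1/{parent}/appConnectors", spec)
    return wait_for_operation(call, op, **wait_kwargs)

def scripted_transport(replies):
    """Constructed stand-in for the API: logs calls, replays canned replies."""
    log = []
    def call(method, url, body):
        log.append((method, url))
        return replies.pop(0) if replies else {}
    return call, log

if __name__ == "__main__":
    op_name = "projects/p/locations/l/operations/op-1"  # constructed sample
    done = {"name": op_name, "done": True,
            "response": {"name": "projects/p/locations/l/appConnectors/hr"}}
    call, log = scripted_transport([{"name": op_name, "done": False}, done])
    print(create_app_connector(call, "projects/p/locations/l", {}, sleep=lambda s: None), log)
```

Treating a done operation that carries an error as a failure keeps a pipeline from pointing traffic at a connector that never came up.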
How do I report connector status from a deployed VM?
POST a status payload to /v1/{appConnector}:reportStatus from inside the connector VM. The endpoint accepts the connector resource name and a status object describing health and version.
What are the rate limits for the BeyondCorp API?
Numeric limits are not declared in the spec; quotas are enforced per project on beyondcorp.googleapis.com. Check the project's quota dashboard before automating large fleets of connectors.
How do I onboard a new internal app through Jentic?
Search Jentic for 'create a BeyondCorp app connector'. Jentic returns POST /v1/{parent}/appConnectors with its schema; execute it with the requested name and labels and Jentic supplies the credential from the vault. Then poll the returned operation.
Does the BeyondCorp API authenticate end users?
No. End-user authentication and per-request access decisions are handled by Identity-Aware Proxy and the broader Cloud IAM stack. This API manages the connector and gateway resources that those policies depend on.