About the API


Availability of the cloud service API is currently limited. You must have a valid cloud service API subscription and Zscaler Support must provide your key.

The cloud service API gives you programmatic access to the following Zscaler Internet Access (ZIA) features:

Zscaler recommends walking through Getting Started for information regarding authentication, making API calls, and activating configuration changes. For detailed information on all available API calls, endpoints, and parameters, see the API Reference. For a table summarizing all available API calls, endpoints, and rate limits, see the API Rate Limit Summary.

You can download and export CSV-formatted admin audit log reports that include all policy changes and API calls. Audit log reports are stored for the last 6 months and you can download reports for up to 31 days or a maximum of 1000 records at a time. To learn more, see:

In order to make calls to Admin Audit Logs resources, the authenticated admin must have full Administrators Access permissions for their admin role. To learn more, see Getting Started.

A black list is a list of malicious URLs to and from which Zscaler blocks all Internet traffic. Zscaler provides a continuously updated global black list, and each organization can manage a custom black list. To retrieve or replace a black list, use the /security/advanced endpoint. To add or remove individual URLs in a black list, use the /security/advanced/blacklistUrls endpoint.

A white list is a list of URLs that Zscaler exempts from security scanning. Zscaler does not provide a global white list, but each organization can manage a custom white list. A local white list can contain up to 255 URLs. To retrieve or replace a white list, use the /security endpoint. However, you cannot add or remove individual URLs in a white list using the API.

You can add up to 25,000 custom URLs and IPs across all categories (custom and predefined) for your organization's custom black list and white list. To learn more, see:

In order to make calls to Security Policy Settings resources, the authenticated admin must have Security functional scope access and full Policy Access permissions for their admin role. To learn more, see Getting Started.
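An added example, not part of the Zscaler documentation: it plans the requests for a list change without sending them, using per-URL requests for the black list and a full read-modify-replace for the white list with the 255-URL cap enforced. The HTTP methods, the JSON field names `blacklistUrls` and `whitelistUrls`, the `action` query values and the helper names are assumptions to confirm against the API Reference.

```python
from urllib.parse import urlencode

WHITELIST_MAX = 255  # local white list cap stated on this page
# Assumed JSON field names and action values; confirm them in the API Reference.
BLACKLIST_FIELD, WHITELIST_FIELD = "blacklistUrls", "whitelistUrls"

def normalize(url):
    """Drop the scheme and trailing slash and lower-case the host so duplicates match."""
    u = url.strip()
    if "://" in u:
        u = u.split("://", 1)[1]
    host, sep, path = u.partition("/")
    return (host.lower() + sep + path).rstrip("/")

def plan_blacklist_change(add=(), remove=()):
    """Black list: per-URL edits are possible, so emit one request per action."""
    add_set = {normalize(u) for u in add}
    remove_set = {normalize(u) for u in remove}
    if add_set & remove_set:
        raise ValueError(f"URL in both add and remove: {sorted(add_set & remove_set)}")
    plan = []
    for action, urls in (("ADD_TO_LIST", add_set), ("REMOVE_FROM_LIST", remove_set)):
        if urls:
            path = "/security/advanced/blacklistUrls?" + urlencode({"action": action})
            plan.append(("POST", path, {BLACKLIST_FIELD: sorted(urls)}))
    return plan

def plan_whitelist_change(current, add=(), remove=()):
    """White list: no per-URL endpoint, so build the complete replacement list."""
    wanted = {normalize(u) for u in current} | {normalize(u) for u in add}
    wanted -= {normalize(u) for u in remove}
    if len(wanted) > WHITELIST_MAX:
        raise ValueError(f"white list would hold {len(wanted)} URLs, cap is {WHITELIST_MAX}")
    return [("PUT", "/security", {WHITELIST_FIELD: sorted(wanted)})]

if __name__ == "__main__":
    # Constructed sample data; `current` stands in for a fresh GET /security result.
    current = ["partner.example", "intranet.example/app"]
    for req in plan_blacklist_change(add=["http://Bad.example/x/"], remove=["old.example"]):
        print(req)
    for req in plan_whitelist_change(current, add=["https://New.example/"],
                                     remove=["partner.example"]):
        print(req)
```

Because the white list request replaces the whole list, build it from a list retrieved immediately beforehand; otherwise entries another admin added in the meantime are dropped.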

The Zscaler service conducts SSL negotiations with a user's browser using either the Zscaler intermediate certificate or your organization's custom intermediate root certificate. Using the API, you can:

  1. Generate a Certificate Signing Request (CSR).
  2. Download a CSR.
  3. Retrieve intermediate root certificate information.
  4. Upload an intermediate root certificate and intermediate certificate chain.
  5. Delete an intermediate certificate chain.


To learn more, see:

In order to make calls to SSL Inspection Settings resources, the authenticated admin must have SSL Policy functional scope access for their admin role. To learn more, see Getting Started.

Predefined and custom URL categories provide a way to classify URLs for your organization. Using the API, you can:

  • Add or remove a URL for a predefined URL category.
  • Get information about predefined and custom categories.
  • Delete a custom category.
  • Look up the categorization of specified URLs.
  • Update custom categories with IP addresses and URLs.
  • Update or add a URL to a custom category.


To learn more, see:

In order to make calls to URL Categories resources, the authenticated admin must have Access Control (Web and Mobile) functional scope access and full Policy Access permissions for their admin role. To learn more, see Getting Started.

Using the API you can retrieve user, group, and department information as well as add, update, and delete users. To learn more, see:

In order to make calls to User Management resources, the authenticated admin must have Authentication Configuration > User Management functional scope access for their admin role. To learn more, see Getting Started.

The Zscaler service inspects internal traffic within an organization's corporate network using Zscaler Enforcement Nodes (ZENs) or secure web gateways. Traffic forwarding is enabled through IPSec VPN tunneling, and requires that the proper user credentials are configured. To retrieve VPN credential information for locations, use the /vpnCredentials endpoint. To retrieve and update individual VPN credentials for a VPN ID, use the /vpnCredentials/{vpnId} endpoint.

User passwords can be randomly regenerated at regular intervals (e.g., every 30 days).

To learn more, see:

In order to make calls to VPN Credentials resources, the authenticated admin must have Traffic Forwarding > VPN Credentials functional scope access for their admin role. To learn more, see Getting Started.

The API resources used to support this functionality are for SD-WAN partner use only.

A Software-Defined Wide Area Networking (SD-WAN) partner API key enables technology partner access to the Locations resources and a VPN Credentials resource within the cloud service API. For details and SD-WAN deployment configuration guides for each partner, see the SD-WAN partner site or contact Zscaler Business Development.

To learn more, see:

In order to make calls to Locations and VPN Credentials resources, the authenticated partner admin must have SD-WAN Partner Access for their partner admin role as well as a partner API key. To learn more, see SD-WAN API Integration for IPSec VPN Tunnels and Getting Started.

Sandbox Report API resources allow you to get a full or summary Sandbox Detail Report for any file that was sent for analysis from any organization on the Zscaler cloud.

To learn more, see:

In order to make calls to Sandbox Report resources, the authenticated admin must have Security > Sandbox functional scope access for their admin role. To learn more, see Getting Started.