About One-Time Tokens or Links

About One-Time Tokens or Links

This article provides background information on one-time tokens or links. For instructions on configuring a one-time token or one-time link, see How do I configure a One-Time Token or One-Time Link?

You can configure the service to email users a link or temporary password that they can use to log in to the Zscaler service once. This is useful when creating new users or resetting forgotten passwords. The service allows a user to request a new temporary password only once every 24 hours. Both the unique link and unique password are valid for 24 hours.

The Zscaler Central Authority (CA) authenticates users according to the method configured for the organization. When a one-time token is used for authentication, after a user enters the temporary password and successfully logs in to the service, the user is required to enter a new password. The CA stores this password and sets the gateway cookie. 

This feature can be used when users are hosted by the service or synchronized from a directory server, as long as the service has the user’s valid email addresses.  When you enable authentication through a one-time token for users synchronized from a directory server, the passwords are stored on the Zscaler database and not on the directory server. Therefore when users log in to the service and try to authenticate, the service will match their password with the one in its database, not the password in the directory server.


When adding a new user in the User Management page of the admin portal, the email address entered in the Temporary Authentication Email field is the address to which the service sends the email with the link or password. This email address does not have to belong to the organization's domain. Note that if this field is empty, then the User ID will be used instead. When used with users synchronized from a directory server, use the email addresses that were synchronized from the directory server.