About Pre-Provisioned Cookies

About Pre-Provisioned Cookies

This article provides background information on using pre-provisioned cookies. For instructions on downloading and deploying pre-provisioned cookies, see How do I download and deploy pre-provisioned cookies?

To automate the user authentication process, you can securely download pre-generated Zscaler gateway cookies over HTTPS through the use of a RESTful (Representational State Transfer) API (Application Programming Interface). This API tool enables transparent authentication via pre-provisioned cookies, so users are not required to authenticate to the service. It also simplifies deployment of the Zscaler service across large numbers of end user devices. Note that only super admins can access the API.

The API for requesting pre-provisioned cookies is set up to provide a granular set of queries for batched user selection based on a variety of attributes (including group, department and time).

API Parameters

The API takes into account different parameters as shown in the following table.

Query Parameter Expected Value Errors Description


User’s login name

User does not exist.

User login name not in the form of email address.

Download a cookie for the specified user. Default value is ‘all’.


Group Name

Group does not exist.

Download cookies for all users belonging to the specified group. Default value is ‘all’.


Department Name

Department does not exist.

Download cookies for all users belonging to the specified department. Default value is ‘all’.


Time in 


Invalid time

Filter users by since when they were added. Default value is ‘since beginning’.


Time in


Invalid time

Provision users with start and end time. Default value is ‘now’.


Time zone in zoneinfo format

Invalid time zone

Time zone to express the above time. Default value is GMT/UTC.

API Parameter Guidelines

Following are some guidelines for using the API parameters:

  • Wildcard matches are not allowed.
  • User login name/group/department must be matched exactly.
  • Name matching is case-insensitive.
  • Special characters and spaces must be URL encoded.
  • Multiple parameters are allowed (example below).
  • If there are multiple parameters, the result will be a logical ‘AND’ operation of all the parameters.

For example, group=WEB_USERS & department=Sales means all the users belonging to both WEB_USERS group and Sales department.

API Error Codes

Some of the common API error codes are:

  • 401 Authentication Required: This error code states that your authentication credentials are not present or are invalid.
  • 404 Not Found: This error code states that a username or group name or department name is not present.
  • 400 Bad Request: This error states that the request has some other error (invalid time, and so on).

The reason why any error took place will be available in the HTTP Response for troubleshooting purposes.