Zscaler Internet Access (ZIA) provides three APIs: the cloud service API, Sandbox Submission API, and 3rd-Party App Governance API. To learn more about authentication, making API calls, and activating configuration changes, see Getting Started. For detailed information on all available API calls, endpoints, and parameters, see the Reference Guide. For a table summarizing all available API calls, endpoints, and rate limits, see the API Rate Limit Summary. To try out requests and responses for API calls using the Postman app, see Configuring the Postman REST API Client.

Cloud Service API

Availability of the cloud service API is limited. To enable this API for your organization, contact Zscaler Support.

The cloud service API gives you programmatic access to the following ZIA features:

• Activation

  To make the configuration changes take effect, you must activate the changes. Activation API resources allow you to activate your configuration changes by pushing them to the Central Authority (CA).

  To learn more, see:

  • Reference Guide > Activation
  • Getting Started
  • Saving and Activating Changes in the ZIA Admin Portal

  Close
• Admin Audit Logs

  You can download and export CSV-formatted admin audit log reports that include all policy changes and API calls. Audit log reports are stored for the last 6 months, and you can download reports for up to 31 days or a maximum of 1,000 records at a time.

  To learn more, see:

  • Reference Guide > Admin Audit Logs

  Access to Admin Audit Logs resources requires full Administrators Access permissions for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • Admin Audit Logs Use Cases
  • About Audit Logs

  Close
• Admin & Role Management

  Admin & Role Management API resources allow you to retrieve admin role information, which dictates the level of access that admins have in the ZIA Admin Portal. These resources also allow you to add, update, or delete admins within your organization. You can also retrieve information about the current administrator or auditor user accessing the API.

  To learn more, see:

  • Reference Guide > Admin & Role Management

  Access to Admin & Role Management resources requires full Administrators Access permissions for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • About Role Management
  • About Administrators

  Close
• Advanced Settings

  These API resources allow you to update the advanced cloud configuration settings in the ZIA Admin Portal and retrieve information about the settings.

  To learn more, see:

  • Reference Guide > Advanced Settings
  • Configuring Advanced Settings

  Close
• Advanced Threat Protection Policy

  These API resources allow you to update the Advanced Threat Protection policy and retrieve information about the policy configurations.

  To learn more, see:

  • Reference Guide > Advanced Threat Protection Policy
  • Configuring the Advanced Threat Protection Policy

  Close
• API Authentication

  Authentication API resources allow you to authenticate and create an API session, check for an existing API session, and delete an API session.

  To learn more, see:

  • Reference Guide > API Authentication
  • Getting Started

  Close
• Authentication Settings

  Authentication Settings API resources allow you to retrieve or update your organization's default authentication settings information.

  To learn more, see:

  • Reference Guide > Authentication Settings
  • About Authentication Default Settings

  Close
• Browser Isolation

  You can retrieve information about Isolation profiles.

  To learn more, see:

  • Reference Guide > Browser Isolation
  • What Is Isolation?
  • Creating Isolation Profiles for ZIA

  Close
• Cloud Applications

  Cloud Applications API resources allow you to retrieve a list of cloud applications associated with Advanced Settings, Bandwidth Classes, DLP rules, Cloud App Control rules, File Type Control rules, and SSL Inspection rules.

  To learn more, see:

  • Reference Guide > Cloud Applications
  • About Cloud Applications

  Close
• Cloud App Control Policy

  You can retrieve information about Cloud App Control policy rules.

  To learn more, see:

  • Reference Guide > Cloud App Control Policy
  • About Cloud App Control

  Close
• Cloud Nanolog Streaming Service (NSS)

  Cloud Nanolog Streaming Service (NSS) API resources allow you to add, update, validate, and delete cloud NSS feeds, retrieve information about the feeds, test connectivity, and get feed output format.

  To learn more, see:

  • Reference Guide > Cloud Nanolog Streaming Service (NSS)
  • Adding Cloud NSS Feeds

  Close
• Data Loss Prevention (DLP)

  Data Loss Prevention (DLP) API resources allow you to retrieve information for DLP dictionaries, engines, incident receivers, Internet Content Adaptation Protocol (ICAP) servers, etc. In addition, you can create and update DLP predefined dictionaries, Exact Data Match (EDM) and Indexed Document Match (IDM) dictionaries, notifications, and policy rules. You can also create and delete custom DLP engines, update predefined and custom DLP engines, and validate DLP engine expressions formed by combining DLP dictionaries using logical operators.

  To learn more, see:

  • Reference Guide > Data Loss Prevention (DLP)
  • About Data Loss Prevention (DLP)
  • About DLP Dictionaries
  • About DLP Notification Templates
  • About Exact Data Match
  • About Indexed Document Match
  • About DLP Engines
  • Understanding DLP Engines

  Close
• Device Groups

  Device Groups API resources allow you to retrieve device group information. ZIA maintains a list of all the devices in your organization that have Zscaler Client Connector deployed on them. These devices are categorized under predefined groups based on their OS type.

  To learn more, see:

  • Reference Guide > Device Groups
  • About Device Groups

  Close
• DNS Control Policy

  DNS Control Policy API resources allow you to create, read, update, and delete DNS filtering rules and their criteria.

  To learn more, see:

  • Reference Guide > DNS Control Policy
  • Configuring the DNS Control Policy

  Close
• End User Notifications

  End User Notifications API resources allow you to update browser-based end user notification (EUN) configuration and also retrieve the configuration details.

  To learn more, see:

  • Reference Guide > End User Notifications
  • Understanding Browser-Based End User Notifications

  Close
• Event Logs

  You can generate and download CSV-formatted event log reports that include provisioning and user and group management activities performed by System for Cross-domain Identity Management (SCIM) clients. The SCIM client's activities are recorded only if the SCIM-based provisioning is enabled for users on the Zscaler service.

  To learn more, see:

  • Reference Guide > Event Logs

  Access to Event Logs resources requires full Administrators Access permissions for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • About Event Logs
  • About SCIM

  Close
• File Type Control Policy

  File Type Control Policy API resources allow you to create, update, retrieve, and delete File Type Control policy rules and their criteria.

  To learn more, see:

  • Reference Guide > File Type Control Policy
  • Configuring the File Type Control Policy
  • About File Type Control

  Close
• Firewall Policies

  Firewall Policies API resources allow you to create, read, update, and delete Firewall Filtering policy rules and their criteria.

  To learn more, see:

  • Reference Guide > Firewall Policies
  • Configuring Firewall Policies

  Close
• Forwarding Control Policy

  Forwarding Control Policy API resources allow you to create, modify, retrieve, and delete forwarding rules. Additionally, these resources allow you to create, modify, retrieve, and delete Zscaler Private Access (ZPA) gateways that are used in forwarding rules for ZPA. You can also retrieve information about all proxy gateways using the Forwarding Control Policy API resources.

  To learn more, see:

  • Reference Guide > Forwarding Control Policy
  • About Forwarding Control
  • Configuring Forwarding Policy
  • About Zscaler Private Access (ZPA) Gateway
  • Configuring ZPA Gateway
  • About Gateways for Proxies
  • Configuring Gateways for Proxies

  Close
• Intermediate CA Certificates

  The Zscaler service performs SSL inspection by acting as a full SSL proxy or a trusted man-in-the-middle (MITM) proxy. To perform SSL inspection, Zscaler needs to generate domain certificates (end-entity certificates) dynamically using a Certificate Authority (CA) issued by either Zscaler or your organization. Using Intermediate CA Certificates API resources, you can:

  • Create a custom intermediate CA certificate.
  • Generate a key pair.
  • Generate and download a Certificate Signing Request (CSR).
  • Upload a signed intermediate CA certificate and certificate chain.
  • Finalize a certificate.
  • Mark a certificate as default.

  To learn more, see:

  • Reference Guide > Intermediate CA Certificates

  Access to Intermediate CA Certificates resources requires SSL Policy functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • Intermediate CA Certificates Use Cases
  • SSL Inspection

  Close
• IoT Report

  The IoT report API allows you to retrieve a list of devices (unmanaged user devices, servers, and IoT devices) that are identified by the Zscaler AI/ML engine from unauthenticated web traffic. You can also obtain the key contexts about the discovered devices, such as locations, ML auto-labels, classifications, etc.

  To learn more, see Reference Guide > IoT Report.

  Close
• IPS Control Policy

  IPS Control Policy API resources allow you to create, read, update, and delete DNS filtering rules and their criteria.

  To learn more, see:

  • Reference Guide > IPS Control Policy
  • Configuring the IPS Control Policy

  Close
• Location Management and Traffic Forwarding

  Location Management API resources allow you to retrieve all attributes of a Zscaler service-defined location or sublocation as a request, add or update locations with VPN credentials or static IP addresses, add or update sublocations, and delete locations and sublocations. You can also retrieve an up-to-date list of countries that are used in location configuration.

  To learn more, see:

  • Reference Guide > Location Management

  Access to Location Management resources requires Traffic Forwarding > Locations & VPN Credentials functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • Location Management Use Cases
  • About Locations
  • Understanding Sub-Locations
  • About VPN Credentials

  Getting and Updating VPN Credentials for Specific Locations

  The Zscaler service also inspects internal traffic within an organization's corporate network using ZIA Public Service Edges or secure web gateways. Traffic forwarding is enabled through IPSec VPN tunneling, and requires that the proper user credentials are configured. Using Location Management endpoints, you can get and update VPN credentials for specific locations.

  To retrieve VPN credential information for locations, use the /vpnCredentials endpoint. To retrieve and update individual VPN credentials for a VPN ID, use the /vpnCredentials/{vpnId} endpoint.

  User passwords can be randomly regenerated at regular intervals (e.g., every 30 days).

  To learn more, see:

  • Reference Guide > Traffic Forwarding

  Access to VPN Credentials resources requires Traffic Forwarding > VPN Credentials functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • VPN Credentials Use Cases
  • About VPN Credentials
  • Configuring an IPSec VPN Tunnel

  Managing IPSec VPN Tunnels for SD-WAN Partner Integrations

  The API resources used to support this functionality are for SD-WAN partner use only.

  A Software-Defined Wide Area Networking (SD-WAN) partner API key enables technology partner access to the Location Management resources and a VPN Credentials resource within the cloud service API. For details and SD-WAN deployment configuration guides for each partner, refer to the SD-WAN partner site or contact Zscaler Business Development.

  To learn more, see:

  • Reference Guide > Location Management
  • Reference Guide > Traffic Forwarding for information on the POST /vpnCredentials resource

  To make calls to Locations and VPN Credentials resources, the authenticated SD-WAN partner API client must have SD-WAN Partner Access for their SD-WAN partner API role as well as a partner API key. To learn more, see SD-WAN API Integration for IPSec VPN Tunnel Provisioning and Getting Started.

  • SD-WAN API Integration for IPSec VPN Tunnel Provisioning
  • About Locations
  • About VPN Credentials
  • Configuring an IPSec VPN Tunnel

  Getting GRE Tunnel, Static IP Address, Virtual IP Address, and Region Information

  ZIA enables you to self-provision your static IP addresses or GRE tunnels to connect to the Zscaler service. Virtual IP addresses (VIPs) are used to establish IPSec VPN tunnels. The Traffic Forwarding API resources allow you to retrieve self-service GRE tunnel, static IP provisioning, data center VIP, and region-specific information.

  To learn more, see:

  • Reference Guide > Traffic Forwarding
  • About Generic Routing Encapsulation
  • About Static IP
  • SD-WAN API Integration for IPSec VPN Tunnel Provisioning

  Configuring and Managing Extranet Resources

  You can configure and manage extranets that enable an organization to connect its internal network with another organization's network (e.g., partners, third-party vendors, etc.) that does not use a Zscaler service through Extranet Application Support. Extranet Application Support enables Zscaler-managed organization users to securely access extranet resources through an IPSec VPN tunnel established between a Zscaler data center and the external organization's data center, without requiring additional hardware or software installations. Using these resources, you can add, modify, and delete extranets and retrieve the list of extranets configured for your organization.

  To learn more, see:

  • Reference Guide > Traffic Forwarding

    Access to Extranet API resources requires Locations and VPN Credentials functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • Understanding Extranet Application Support
  • About Extranet
  • Configuring an Extranet

  Close
• Malware Protection Policy

  These API resources allow you to update the Malware Protection policy and retrieve information about the policy configurations.

  To learn more, see:

  • Reference Guide > Malware Protection Policy
  • Configuring the Malware Protection Policy

  Close
• Organization Details

  Organization Details API resources allow you to retrieve your organization's information, including headquarter location, geolocation, address, and contact details. It also allows you to retrieve your subscriptions to the Zscaler service.

  To learn more, see:

  • Reference Guide > Organization Details
  • About the Company Profile
  • Viewing Subscriptions

  Close
• PAC Files

  PAC Files API resources allow you to add and manage proxy auto-configuration (PAC) files in the ZIA Admin Portal. PAC files are one of the traffic forwarding methods supported by Zscaler and they allow you to forward your users' web traffic to the Zscaler service. All major browsers support PAC files and browsers simply require the address of the PAC file (i.e., PAC file URL) so they can fetch the file from the specified address, execute the file contents, and forward the web traffic to Zscaler's proxy server specified in the file. PAC files can be hosted on a workstation, an internal web server, or a server outside the corporate network. The Zscaler service hosts a default PAC file that uses geolocation technology to forward traffic to the nearest ZIA Public Service Edge. You can also upload custom PAC files to the Zscaler service.

  Using these API resources, you can retrieve the list of hosted PAC files, add custom PAC files, validate the PAC file content and check for errors, branch an existing PAC file to create a new version, retrieve all or specific versions of a PAC file, and delete a PAC file.

  To learn more, see:

  • Reference Guide > PAC Files
  • About Hosted PAC Files
  • Using Custom PAC Files to Forward Traffic to ZIA
  • Writing a PAC File

  Close
• Policy Export

  Policy Export API resources allow you to export the rules configured for various policy types to JSON files.

  Access to Policy Export resources requires Policy Access (View Only) permission for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  To learn more, see Reference Guide > Policy Export.

  Close
• Remote Assistance Support

  These API resources allow you to update Remote Assistance preferences and retrieve information about the preferences.

  To learn more, see:

  • Reference Guide > Remote Assistance Support
  • Enabling Remote Assistance

  Close
• Rule Labels

  Rule Labels API resources allow you to create labels and associate them with URL Filtering policy rules.

  To learn more, see:

  • Reference Guide > Rule Labels
  • About Rule Labels
  • About URL Filtering

  Close
• Sandbox Policy & Settings

  Sandbox Policy & Settings API resources allow you to create, read, update, and delete Sandbox policy rules via the /sandboxRules endpoints. In addition, these resources allow each organization to create and manage a custom blocklist of MD5 file hashes for files that go through behavioral analysis by Sandbox. To retrieve or replace the custom blocklist, use the /behavioralAnalysisAdvancedSettings endpoint. To retrieve quota availability information for the MD5 file hashes, use the /behavioralAnalysisAdvancedSettings/fileHashCount endpoint.

  You can add up to 10K MD5 file hashes to your custom blocklist.

  To learn more, see:

  • Reference Guide > Sandbox Policy & Settings

  Access to Sandbox Settings resources requires Security functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • About Sandbox
  • Configuring the Sandbox Policy
  • Add Custom File Hashes

  Close
• Sandbox Report

  Sandbox Report API resources allow you to get a full or summary Sandbox Detail Report for any file that was sent for analysis from any organization on the Zscaler cloud.

  To learn more, see:

  • Reference Guide > Sandbox Report

  Access to Sandbox Report resources requires Security functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • Sandbox Report Use Cases
  • About Sandbox
  • Viewing Sandbox Reports and Data

  Close
• Security Policy Settings

  A denylist is a list of malicious URLs to and from which Zscaler blocks all internet traffic. Zscaler provides a continuously updated global denylist, and each organization can manage a custom denylist. To retrieve or replace a denylist, use the /security/advanced endpoint. To add or remove individual URLs in a denylist, use the security/advanced/blacklistUrls endpoint.

  An allowlist is a list of URLs that Zscaler exempts from security scanning. Zscaler does not provide a global allowlist, but each organization can manage a custom allowlist. A local allowlist can contain up to 255 URLs. To retrieve or replace an allowlist, use the /security endpoint. However, you cannot add or remove individual URLs to an allowlist using the API.

  For your organization's custom denylist and allowlist, you can add up to 25K custom URLs and IPs across all categories (custom and predefined).

  To learn more, see:

  • Reference Guide > Security Policy Settings

  Access to Security Policy Settings resources requires the following permissions and scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key):

  • API Role > Full Policy Access permissions and Security functional scope
  • Admin Role > Full Policy Access permissions and Security functional scope

  To learn more, see Getting Started.

  • Security Policy Settings Use Cases
  • About Policy Enforcement
  • Adding URLs to the Denylist
  • Adding URLs to the Allowlist

  Close
• Shadow IT Report

  You can export the Shadow IT Report for the cloud applications that Zscaler recognizes based on their usage in your organization. These reports include various security parameters of the cloud applications, information about users who have interacted with the applications, the list of locations from where the applications are accessed, and application usage details, as applicable.

  To learn more, see:

  • Reference Guide > Shadow IT Report

  Access to Shadow IT Report resources requires Access Control (Web and Mobile) > Policy and Resource Management functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • About Shadow IT Report
  • About Application Information

  Close
• SSL Inspection Policy

  SSL Inspection Policy API resources allow you to create, update, retrieve, and delete SSL Inspection policy rules and their criteria.

  To learn more, see:

  • Reference Guide > SSL Inspection Policy
  • Configuring SSL Inspection Policy
  • About SSL Inspection Policy

  Close
• URL Categories

  Predefined and custom URL categories provide a way to classify URLs for your organization. Using URL Categories API resources, you can:

  • Add or remove a URL for a predefined URL category.
  • Get information about predefined and custom categories.
  • Look up the categorization of specified URLs.
  • Add, update, and delete custom categories.
  • Update custom categories with IP addresses and URLs.
  • Find matching entries for URLs in existing custom URL categories and add related entries to a single category.

  To learn more, see:

  • Reference Guide > URL Categories

  Access to URL Categories resources requires the following permissions and scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key):

  • API Role > Full Policy Access permissions and Access Control (Web and Mobile) functional scope
  • Admin Role > Full Policy Access permissions and Access Control (Web and Mobile) functional scope

  To learn more, see Getting Started.

  • URL Categories Use Cases
  • About URL Categories

  Close
• URL Filtering Policy

  URL Filtering Policy API resources allow you to retrieve information about and manage rules that limit your exposure to liability by managing access to web content based on a site's URL categorization.

  To learn more, see:

  • Reference Guide > URL Filtering Policy
  • About URL Filtering

  Close
• URL & Cloud App Control Policy Settings

  These API resources allow you to update the advanced settings available for URL Filtering and Cloud App Control policies and retrieve information about the advanced settings.

  To learn more, see:

  • Reference Guide > URL & Cloud App Control Policy Settings
  • Configuring Advanced Policy Settings

  Close
• User Authentication Settings

  User Authentication Settings API resources allow you to exempt URLs from cookie authentication.

  To learn more, see:

  • Reference Guide > User Authentication Settings
  • About Zscaler Cookies

  Close
• User Management

  Using User Management API resources, you can retrieve user, group, and department information as well as add, update, and delete users.

  To learn more, see:

  • Reference Guide > User Management

  Access to User Management resources requires Authentication Configuration > User Management functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • User Management Use Cases
  • About Authentication Profile
  • Authenticating and Managing Users

  Close
• Workload Groups

  Workload Groups API resources allow you to retrieve information about the workload groups configured in the ZIA Admin Portal. The workload groups can be configured as criteria in security policies such as Data Loss Prevention, URL Filtering, SSL Inspection, and Firewall Filtering rules.

  To learn more, see:

  • Reference Guide > Workload Groups

    Access to Workload Group resources requires View Only Policy Access permission for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.

  • About Workload Groups
  • Configuring Workload Groups

  Close

Sandbox Submission API

To obtain access to the Sandbox Submission API, contact your Zscaler Account team.

The Sandbox Submission API gives you programmatic access to Zscaler Sandbox, which allows you to submit files to perform behavioral analysis. By default, files are directly submitted to the Sandbox to obtain a verdict. If a verdict already exists for the file, you can optionally force the Sandbox to reanalyze the file. You can submit up to 100 raw and archive files (e.g., ZIP) per day for Sandbox analysis. To learn more about the file types supported, see About Sandbox.

The Sandbox Submission API also allows you to perform out-of-band file inspection to generate real-time verdicts. Zscaler leverages capabilities such as Malware Prevention, Advanced Threat Prevention, Sandbox cloud effect, AI/ML-driven file analysis, and integrated third-party threat intelligence feeds to inspect files and classify them as benign or malicious instantaneously. You can submit raw and archive files (e.g., ZIP), and each file is limited to a maximum size of 400 MB. All file types that are supported by the Malware Protection policy and Advanced Threat Protection policy are supported.

Dynamic file analysis is not included in out-of-band file inspection.

• Reference Guide > Sandbox Submission
• Configuring the Sandbox Policy
• Configuring the Default Sandbox Rule

3rd-Party App Governance API

To access the 3rd-Party App Governance API, you must have an 3rd-Party App Governance trial or license. To obtain a trial or license, contact your Zscaler Account team.

The 3rd-Party App Governance API gives you programmatic access to Zscaler 3rd-Party App Governance, which allows you to search the 3rd-Party App Governance Catalog for an application by name, app ID, or a valid URL (i.e., consent or marketplace link). If the application is not found in the catalog, it is automatically submitted to the 3rd-Party App Governance Sandbox for analysis. After analysis is complete, you can perform a subsequent search for the application and retrieve its information.

The 3rd-Party App Governance API also allows you to retrieve the list of custom views that you have configured in the 3rd-Party App Governance Admin Portal and includes all configurations that define the custom view. You can then retrieve all applications that are related to a specified custom view.

To learn more, see Reference Guide > 3rd-Party App Governance.