Understanding ZIA APIs
Zscaler Internet Access (ZIA) provides three APIs: the cloud service API, Sandbox Submission API, and 3rd-Party App Governance API. To learn more about authentication, making API calls, and activating configuration changes, see Getting Started. For detailed information on all available API calls, endpoints, and parameters, see the Reference Guide. For a table summarizing all available API calls, endpoints, and rate limits, see the API Rate Limit Summary. To try out requests and responses for API calls using the Postman app, see Configuring the Postman REST API Client.
Cloud Service API
Availability of the cloud service API is limited. To enable this API for your organization, contact Zscaler Support.
The cloud service API gives you programmatic access to the following ZIA features:
- Activation
To make the configuration changes take effect, you must activate the changes. Activation API resources allow you to activate your configuration changes by pushing them to the Central Authority (CA).
To learn more, see:
Close - Admin Audit Logs
You can download and export CSV-formatted admin audit log reports that include all policy changes and API calls. Audit log reports are stored for the last 6 months, and you can download reports for up to 31 days or a maximum of 1,000 records at a time.
To learn more, see:
Access to Admin Audit Logs resources requires full Administrators Access permissions for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
Close - Admin & Role Management
Admin & Role Management API resources allow you to retrieve admin role information, which dictates the level of access that admins have in the ZIA Admin Portal. These resources also allow you to add, update, or delete admins within your organization. You can also retrieve information about the current administrator or auditor user accessing the API.
To learn more, see:
Access to Admin & Role Management resources requires full Administrators Access permissions for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
Close - Advanced Settings
These API resources allow you to update the advanced cloud configuration settings in the ZIA Admin Portal and retrieve information about the settings.
To learn more, see:
Close - Advanced Threat Protection Policy
These API resources allow you to update the Advanced Threat Protection policy and retrieve information about the policy configurations.
To learn more, see:
- Reference Guide > Advanced Threat Protection Policy
- Configuring the Advanced Threat Protection Policy
- API Authentication
Authentication API resources allow you to authenticate and create an API session, check for an existing API session, and delete an API session.
To learn more, see:
Close - Authentication Settings
Authentication Settings API resources allow you to retrieve or update your organization's default authentication settings information.
To learn more, see:
Close - Browser Isolation
- Cloud Applications
Cloud Applications API resources allow you to retrieve a list of cloud applications associated with Advanced Settings, Bandwidth Classes, DLP rules, Cloud App Control rules, File Type Control rules, and SSL Inspection rules.
To learn more, see:
Close - Cloud App Control Policy
- Cloud Nanolog Streaming Service (NSS)
Cloud Nanolog Streaming Service (NSS) API resources allow you to add, update, validate, and delete cloud NSS feeds, retrieve information about the feeds, test connectivity, and get feed output format.
To learn more, see:
Close - Data Loss Prevention (DLP)
Data Loss Prevention (DLP) API resources allow you to retrieve information for DLP dictionaries, engines, incident receivers, Internet Content Adaptation Protocol (ICAP) servers, etc. In addition, you can create and update DLP predefined dictionaries, Exact Data Match (EDM) and Indexed Document Match (IDM) dictionaries, notifications, and policy rules. You can also create and delete custom DLP engines, update predefined and custom DLP engines, and validate DLP engine expressions formed by combining DLP dictionaries using logical operators.
To learn more, see:
- Reference Guide > Data Loss Prevention (DLP)
- About Data Loss Prevention (DLP)
- About DLP Dictionaries
- About DLP Notification Templates
- About Exact Data Match
- About Indexed Document Match
- About DLP Engines
- Understanding DLP Engines
- Device Groups
Device Groups API resources allow you to retrieve device group information. ZIA maintains a list of all the devices in your organization that have Zscaler Client Connector deployed on them. These devices are categorized under predefined groups based on their OS type.
To learn more, see:
Close - DNS Control Policy
DNS Control Policy API resources allow you to create, read, update, and delete DNS filtering rules and their criteria.
To learn more, see:
Close - End User Notifications
End User Notifications API resources allow you to update browser-based end user notification (EUN) configuration and also retrieve the configuration details.
To learn more, see:
Close - Event Logs
You can generate and download CSV-formatted event log reports that include provisioning and user and group management activities performed by System for Cross-domain Identity Management (SCIM) clients. The SCIM client's activities are recorded only if the SCIM-based provisioning is enabled for users on the Zscaler service.
To learn more, see:
Access to Event Logs resources requires full Administrators Access permissions for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
Close - File Type Control Policy
File Type Control Policy API resources allow you to create, update, retrieve, and delete File Type Control policy rules and their criteria.
To learn more, see:
- Reference Guide > File Type Control Policy
- Configuring the File Type Control Policy
- About File Type Control
- Firewall Policies
Firewall Policies API resources allow you to create, read, update, and delete Firewall Filtering policy rules and their criteria.
To learn more, see:
Close - Forwarding Control Policy
Forwarding Control Policy API resources allow you to create, modify, retrieve, and delete forwarding rules. Additionally, these resources allow you to create, modify, retrieve, and delete Zscaler Private Access (ZPA) gateways that are used in forwarding rules for ZPA. You can also retrieve information about all proxy gateways using the Forwarding Control Policy API resources.
To learn more, see:
- Reference Guide > Forwarding Control Policy
- About Forwarding Control
- Configuring Forwarding Policy
- About Zscaler Private Access (ZPA) Gateway
- Configuring ZPA Gateway
- About Gateways for Proxies
- Configuring Gateways for Proxies
- Intermediate CA Certificates
The Zscaler service performs SSL inspection by acting as a full SSL proxy or a trusted man-in-the-middle (MITM) proxy. To perform SSL inspection, Zscaler needs to generate domain certificates (end-entity certificates) dynamically using a Certificate Authority (CA) issued by either Zscaler or your organization. Using Intermediate CA Certificates API resources, you can:
- Create a custom intermediate CA certificate.
- Generate a key pair.
- Generate and download a Certificate Signing Request (CSR).
- Upload a signed intermediate CA certificate and certificate chain.
- Finalize a certificate.
- Mark a certificate as default.
To learn more, see:
Access to Intermediate CA Certificates resources requires SSL Policy functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
Close - IoT Report
The IoT report API allows you to retrieve a list of devices (unmanaged user devices, servers, and IoT devices) that are identified by the Zscaler AI/ML engine from unauthenticated web traffic. You can also obtain the key contexts about the discovered devices, such as locations, ML auto-labels, classifications, etc.
To learn more, see Reference Guide > IoT Report.
Close - IPS Control Policy
IPS Control Policy API resources allow you to create, read, update, and delete DNS filtering rules and their criteria.
To learn more, see:
Close - Location Management and Traffic Forwarding
Location Management API resources allow you to retrieve all attributes of a Zscaler service-defined location or sublocation as a request, add or update locations with VPN credentials or static IP addresses, add or update sublocations, and delete locations and sublocations. You can also retrieve an up-to-date list of countries that are used in location configuration.
To learn more, see:
Access to Location Management resources requires Traffic Forwarding > Locations & VPN Credentials functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
Getting and Updating VPN Credentials for Specific Locations
The Zscaler service also inspects internal traffic within an organization's corporate network using ZIA Public Service Edges or secure web gateways. Traffic forwarding is enabled through IPSec VPN tunneling, and requires that the proper user credentials are configured. Using Location Management endpoints, you can get and update VPN credentials for specific locations.
To retrieve VPN credential information for locations, use the
/vpnCredentials
endpoint. To retrieve and update individual VPN credentials for a VPN ID, use the/vpnCredentials/{vpnId}
endpoint.User passwords can be randomly regenerated at regular intervals (e.g., every 30 days).
To learn more, see:
Access to VPN Credentials resources requires Traffic Forwarding > VPN Credentials functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
Managing IPSec VPN Tunnels for SD-WAN Partner Integrations
The API resources used to support this functionality are for SD-WAN partner use only.
A Software-Defined Wide Area Networking (SD-WAN) partner API key enables technology partner access to the Location Management resources and a VPN Credentials resource within the cloud service API. For details and SD-WAN deployment configuration guides for each partner, refer to the SD-WAN partner site or contact Zscaler Business Development.
To learn more, see:
- Reference Guide > Location Management
- Reference Guide > Traffic Forwarding for information on the
POST /vpnCredentials
resource
To make calls to Locations and VPN Credentials resources, the authenticated SD-WAN partner API client must have SD-WAN Partner Access for their SD-WAN partner API role as well as a partner API key. To learn more, see SD-WAN API Integration for IPSec VPN Tunnel Provisioning and Getting Started.
- SD-WAN API Integration for IPSec VPN Tunnel Provisioning
- About Locations
- About VPN Credentials
- Configuring an IPSec VPN Tunnel
Getting GRE Tunnel, Static IP Address, Virtual IP Address, and Region Information
ZIA enables you to self-provision your static IP addresses or GRE tunnels to connect to the Zscaler service. Virtual IP addresses (VIPs) are used to establish IPSec VPN tunnels. The Traffic Forwarding API resources allow you to retrieve self-service GRE tunnel, static IP provisioning, data center VIP, and region-specific information.
To learn more, see:
- Reference Guide > Traffic Forwarding
- About Generic Routing Encapsulation
- About Static IP
- SD-WAN API Integration for IPSec VPN Tunnel Provisioning
Configuring and Managing Extranet Resources
You can configure and manage extranets that enable an organization to connect its internal network with another organization's network (e.g., partners, third-party vendors, etc.) that does not use a Zscaler service through Extranet Application Support. Extranet Application Support enables Zscaler-managed organization users to securely access extranet resources through an IPSec VPN tunnel established between a Zscaler data center and the external organization's data center, without requiring additional hardware or software installations. Using these resources, you can add, modify, and delete extranets and retrieve the list of extranets configured for your organization.
To learn more, see:
Reference Guide > Traffic Forwarding
Access to Extranet API resources requires Locations and VPN Credentials functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
- Understanding Extranet Application Support
- About Extranet
- Configuring an Extranet
- Malware Protection Policy
These API resources allow you to update the Malware Protection policy and retrieve information about the policy configurations.
To learn more, see:
Close - Organization Details
Organization Details API resources allow you to retrieve your organization's information, including headquarter location, geolocation, address, and contact details. It also allows you to retrieve your subscriptions to the Zscaler service.
To learn more, see:
Close - PAC Files
PAC Files API resources allow you to add and manage proxy auto-configuration (PAC) files in the ZIA Admin Portal. PAC files are one of the traffic forwarding methods supported by Zscaler and they allow you to forward your users' web traffic to the Zscaler service. All major browsers support PAC files and browsers simply require the address of the PAC file (i.e., PAC file URL) so they can fetch the file from the specified address, execute the file contents, and forward the web traffic to Zscaler's proxy server specified in the file. PAC files can be hosted on a workstation, an internal web server, or a server outside the corporate network. The Zscaler service hosts a default PAC file that uses geolocation technology to forward traffic to the nearest ZIA Public Service Edge. You can also upload custom PAC files to the Zscaler service.
Using these API resources, you can retrieve the list of hosted PAC files, add custom PAC files, validate the PAC file content and check for errors, branch an existing PAC file to create a new version, retrieve all or specific versions of a PAC file, and delete a PAC file.
To learn more, see:
- Reference Guide > PAC Files
- About Hosted PAC Files
- Using Custom PAC Files to Forward Traffic to ZIA
- Writing a PAC File
- Policy Export
Policy Export API resources allow you to export the rules configured for various policy types to JSON files.
Access to Policy Export resources requires Policy Access (View Only) permission for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
To learn more, see Reference Guide > Policy Export.
Close - Remote Assistance Support
These API resources allow you to update Remote Assistance preferences and retrieve information about the preferences.
To learn more, see:
Close - Rule Labels
Rule Labels API resources allow you to create labels and associate them with URL Filtering policy rules.
To learn more, see:
Close - Sandbox Policy & Settings
Sandbox Policy & Settings API resources allow you to create, read, update, and delete Sandbox policy rules via the
/sandboxRules
endpoints. In addition, these resources allow each organization to create and manage a custom blocklist of MD5 file hashes for files that go through behavioral analysis by Sandbox. To retrieve or replace the custom blocklist, use the/behavioralAnalysisAdvancedSettings
endpoint. To retrieve quota availability information for the MD5 file hashes, use the/behavioralAnalysisAdvancedSettings/fileHashCount
endpoint.You can add up to 10K MD5 file hashes to your custom blocklist.
To learn more, see:
Access to Sandbox Settings resources requires Security functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
Close - Sandbox Report
Sandbox Report API resources allow you to get a full or summary Sandbox Detail Report for any file that was sent for analysis from any organization on the Zscaler cloud.
To learn more, see:
Access to Sandbox Report resources requires Security functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
Close - Security Policy Settings
A denylist is a list of malicious URLs to and from which Zscaler blocks all internet traffic. Zscaler provides a continuously updated global denylist, and each organization can manage a custom denylist. To retrieve or replace a denylist, use the
/security/advanced
endpoint. To add or remove individual URLs in a denylist, use thesecurity/advanced/blacklistUrls
endpoint.An allowlist is a list of URLs that Zscaler exempts from security scanning. Zscaler does not provide a global allowlist, but each organization can manage a custom allowlist. A local allowlist can contain up to 255 URLs. To retrieve or replace an allowlist, use the
/security
endpoint. However, you cannot add or remove individual URLs to an allowlist using the API.For your organization's custom denylist and allowlist, you can add up to 25K custom URLs and IPs across all categories (custom and predefined).
To learn more, see:
Access to Security Policy Settings resources requires the following permissions and scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key):
- API Role > Full Policy Access permissions and Security functional scope
- Admin Role > Full Policy Access permissions and Security functional scope
To learn more, see Getting Started.
- Security Policy Settings Use Cases
- About Policy Enforcement
- Adding URLs to the Denylist
- Adding URLs to the Allowlist
- Shadow IT Report
You can export the Shadow IT Report for the cloud applications that Zscaler recognizes based on their usage in your organization. These reports include various security parameters of the cloud applications, information about users who have interacted with the applications, the list of locations from where the applications are accessed, and application usage details, as applicable.
To learn more, see:
Access to Shadow IT Report resources requires Access Control (Web and Mobile) > Policy and Resource Management functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
Close - SSL Inspection Policy
SSL Inspection Policy API resources allow you to create, update, retrieve, and delete SSL Inspection policy rules and their criteria.
To learn more, see:
Close - URL Categories
Predefined and custom URL categories provide a way to classify URLs for your organization. Using URL Categories API resources, you can:
- Add or remove a URL for a predefined URL category.
- Get information about predefined and custom categories.
- Look up the categorization of specified URLs.
- Add, update, and delete custom categories.
- Update custom categories with IP addresses and URLs.
- Find matching entries for URLs in existing custom URL categories and add related entries to a single category.
To learn more, see:
CloseAccess to URL Categories resources requires the following permissions and scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key):
- API Role > Full Policy Access permissions and Access Control (Web and Mobile) functional scope
- Admin Role > Full Policy Access permissions and Access Control (Web and Mobile) functional scope
To learn more, see Getting Started.
- URL Filtering Policy
URL Filtering Policy API resources allow you to retrieve information about and manage rules that limit your exposure to liability by managing access to web content based on a site's URL categorization.
To learn more, see:
Close - URL & Cloud App Control Policy Settings
These API resources allow you to update the advanced settings available for URL Filtering and Cloud App Control policies and retrieve information about the advanced settings.
To learn more, see:
Close - User Authentication Settings
User Authentication Settings API resources allow you to exempt URLs from cookie authentication.
To learn more, see:
Close - User Management
Using User Management API resources, you can retrieve user, group, and department information as well as add, update, and delete users.
To learn more, see:
Access to User Management resources requires Authentication Configuration > User Management functional scope for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
Close - Workload Groups
Workload Groups API resources allow you to retrieve information about the workload groups configured in the ZIA Admin Portal. The workload groups can be configured as criteria in security policies such as Data Loss Prevention, URL Filtering, SSL Inspection, and Firewall Filtering rules.
To learn more, see:
Reference Guide > Workload Groups
Access to Workload Group resources requires View Only Policy Access permission for the API role (OAuth 2.0 authentication) or admin role (authentication using admin credentials and API key). To learn more, see Getting Started.
- About Workload Groups
- Configuring Workload Groups
Sandbox Submission API
To obtain access to the Sandbox Submission API, contact your Zscaler Account team.
The Sandbox Submission API gives you programmatic access to Zscaler Sandbox, which allows you to submit files to perform behavioral analysis. By default, files are directly submitted to the Sandbox to obtain a verdict. If a verdict already exists for the file, you can optionally force the Sandbox to reanalyze the file. You can submit up to 100 raw and archive files (e.g., ZIP) per day for Sandbox analysis. To learn more about the file types supported, see About Sandbox.
The Sandbox Submission API also allows you to perform out-of-band file inspection to generate real-time verdicts. Zscaler leverages capabilities such as Malware Prevention, Advanced Threat Prevention, Sandbox cloud effect, AI/ML-driven file analysis, and integrated third-party threat intelligence feeds to inspect files and classify them as benign or malicious instantaneously. You can submit raw and archive files (e.g., ZIP), and each file is limited to a maximum size of 400 MB. All file types that are supported by the Malware Protection policy and Advanced Threat Protection policy are supported.
Dynamic file analysis is not included in out-of-band file inspection.
- Reference Guide > Sandbox Submission
- Configuring the Sandbox Policy
- Configuring the Default Sandbox Rule
3rd-Party App Governance API
To access the 3rd-Party App Governance API, you must have an 3rd-Party App Governance trial or license. To obtain a trial or license, contact your Zscaler Account team.
The 3rd-Party App Governance API gives you programmatic access to Zscaler 3rd-Party App Governance, which allows you to search the 3rd-Party App Governance Catalog for an application by name, app ID, or a valid URL (i.e., consent or marketplace link). If the application is not found in the catalog, it is automatically submitted to the 3rd-Party App Governance Sandbox for analysis. After analysis is complete, you can perform a subsequent search for the application and retrieve its information.
The 3rd-Party App Governance API also allows you to retrieve the list of custom views that you have configured in the 3rd-Party App Governance Admin Portal and includes all configurations that define the custom view. You can then retrieve all applications that are related to a specified custom view.
To learn more, see Reference Guide > 3rd-Party App Governance.