Configuring the Postman REST API Client

Zscaler supports the Google Chrome app version and the standalone macOS, Windows, and Linux versions of the Postman REST API client.

The base URLs and references to config.private.zscaler.com within this article differ depending on your organization’s assigned cloud. To learn more, see What Is My Cloud Name for ZPA?

Installing the Standalone Postman app for macOS, Windows, or Linux

To install the Postman app:

  1. Go to the Postman website and download the app for your OS (i.e., macOS, Windows, or Linux).

For example purposes, the following instructions reference the Windows 64-bit version of the app.

  1. Install the app. After installation, the login window appears.
  2. In the login window, create an account and log in.

Configuring the Environment

With Postman installed and opened, you must first create the appropriate environment and add the collection before you can start testing.

To add the environment:

  1. Click Environments in the left navigation pane.
  2. Before selecting a new environment, click on the Menu icon and then complete the following steps:
    1. Click View more actions.
    2. Click Rename and enter a descriptive environment name (e.g., Zscaler Private Access).
  3. Click the environment you renamed. This opens a new tab.
  4. On the opened tab, click Add a new variable under the Variable column.
  5. Enter the text baseUrl.
  6. Under the Initial Value column, enter the base URL (https://config.private.zscaler.com) into the blank field of the environment you want to test in. All API endpoints are relative to the base URL.
  7. Under the Current Value column, click the blank field. The field auto-populates.
  8. Click Save.
  9. In the banner at the top, select the environment you renamed (i.e., Zscaler Private Access) using the drop-down menu.

Adding the Collection

With the environment configured, now you can add the collection. To add the ZPA API collection:

  1. Go to the ZPA API Portal.
  2. Log in using your client ID and client secret to authenticate. To learn more, see About API Key Management.
  3. From the ZPA API Portal, view the Management Configuration and User Management endpoints in plain text format.

If you have not authenticated to the ZPA API Portal, an error message appears.

  1. Select and copy all the endpoints in plain text format.
  2. Click Import in Postman.
  3. Select Raw text, paste the plain text copied from step 4, and then select Continue.
  4. Click Import. The collection is now populated in the left navigation pane.

To access specific coding language scripts, click the Code icon in the toolbar. Select the desired language from the drop-down menu.

When using the code scripts for the API, ZPA does not require the 'cookie' part of the code.

Authenticating a Session in Postman

Before you make an API call in Postman, you have to authenticate a session. Currently, the API to sign in must be created manually.

To create a sign-in request:

  1. Click Collections in the My Workplace left navigation pane.
  2. Right-click the Zscaler Private Access API Portal collection, and then click Add Folder.
  3. Right-click the folder, and then click Rename. Name the folder (e.g., Login Tokens).
  4. Right-click the Zscaler Private Access API Portal collection, and then click Add Request.
  5. Right-click the request, and then click Rename. Name the request (e.g., Login).
  6. Click the new request. A window appears with the request name.
  7. Click the request type drop-down menu, and then select POST.
  8. In the Enter a request URL field, enter {{baseUrl}}/signin.
  9. Click Body, and then click x-www-form-urlencoded.
  10. Under the KEY field, enter client_id.
  11. Under the VALUE field, enter your client ID. To learn more, see About API Key Management.
  12. In the second row for the KEY field, enter client_secret.
  13. In the second row for the VALUE field, enter your client secret. To learn more, see About API Key Management.
  14. Click Send after the sign-in request is complete.

If your API key was set up properly, a successful response returns a Status: 200 OK message, along with your authorization token.

Making an API Call in Postman

Try making an API call using Postman. In the following example, get the global policy set ID for a specific ZPA tenant by sending a GET request to the endpoint /mgmtconfig/v1/admin/customers/:customerId/policySet/global:

  1. Ensure that you can authenticate and log in successfully using the POST request to {{baseUrl}}signin.
  2. Click the Zscaler Private Access API Portal collection > policy Set > Get the global policy.
  3. On the Params tab, verify you are using the correct customerId. To learn more, see About API Key Management.
    1. Under Path Variables, enter your customer ID into the Value field for the customerId Key.
  4. On the Authorization tab, verify the Type is Bearer Token, and that the correct authorization token has been passed.
    1. Copy the bearer token you received from the successful POST request to {{baseUrl}}signin.
    2. Paste the bearer token into the Token field.
  5. Click Send.

A successful response returns a Status: 200 OK message.

By default, the session expiration time is 3,600 seconds (one hour).

Logging Out

To invalidate your authorization token and log out of your API session:

  1. On the My Workplace left-side navigation, click Collections.
  2. Right-click the Zscaler Private Access API Portal collection, and then click Add Folder.
  3. Right-click the folder, and then click Rename. Name the folder (e.g., Logout).
  4. Right-click the Zscaler Private Access API Portal collection, and then click Add Request.
  5. Right-click the request, and then click Rename. Name the request (e.g., Logout).
  6. Click the new request. A tab opens up in the center window with the request name.
  7. Click the request type drop-down menu and select POST.
  8. In the Enter a request URL field, enter {{baseUrl}}/signout.
  9. Under the Auth tab, ensure the Bearer Token Type is selected and the correct authorization token is passed.
  10. Click Send after the sign-out request is complete.

A successful response returns a Status 200: OK message.

After your token is invalidated using the POST request to {{baseUrl}}/signout, you must authenticate and receive a new authorization token to make any further requests.

To learn more about rate limiting and HTTP status codes, see Understanding Rate Limiting and API Response Codes and Error Messages. If you encounter any issues with the API, contact Zscaler Support.