Getting Started

Your organization must meet the following prerequisites before you can access the Zscaler Client Connector API:

  • You must enable the API for your organization. To enable the API, contact Zscaler Support or submit a Zscaler Support ticket.
  • Add an API key.

To obtain API keys, authenticate, and make calls using Zscaler OneAPI endpoints, see About API Clients in ZIdentity and Getting Started with OneAPI.

After these prerequisites are met, you can:

  • The base URI for the API is /public/v1 for the following:

    • The endpoint to get a one-time password (OTP).
    • The endpoint to get all passwords in the app profiles.
    • The endpoint to get device details.
    • The endpoint to remove devices from the Zscaler Client Connector Portal.

    To learn more, see Zscaler Client Connector API Reference Guide.

  • Before executing any API calls, you must first authenticate via the API. Send a POST request to the /login endpoint with the following parameters:

    • apiKey: A string that contains the API client ID. To learn more, see About API Key Management.
    • secretKey: A string that contains the client secret. The client secret is only available to copy when adding an API key.

    Before making any API calls, you must retrieve your authorization token (the JWT token, <jwtToken>). The authorization token is passed on to subsequent calls for authentication.

    To authenticate via the API, use the following Python script to sign in and get the JWT token (<jwtToken>). In your script, replace the {apiKey} and {secretKey} placeholders with the actual API key and actual secret key.

    import requests

    # Replace <cloudName>, {apiKey} and {secretKey} with your own values.
    url = "https://mobile.<cloudName>.net/papi/auth/v1/login"
    payload = {"apiKey": "{apiKey}", "secretKey": "{secretKey}"}
    headers = {"Content-Type": "application/json"}

    # The response body carries the JWT token used by later calls.
    response = requests.request("POST", url, headers=headers, json=payload, timeout=30)
    print(response.text)

    Example POST request for sign-in using a Python script:

    import requests

    url = "https://mobile.<cloudName>.net/papi/auth/v1/login"
    payload = {
        "apiKey": "b26j87u0-51n5-4th3-p278-m2b6usl9ca11",
        "secretKey": "42bjp311-51j8-4s61-95jx-n7bbx10e5130",
    }
    headers = {"Content-Type": "application/json"}

    response = requests.request("POST", url, headers=headers, json=payload, timeout=30)
    print(response.text)

    The client secret (i.e., secret key) is only accessible within the Zscaler Client Connector Portal when the API key is created for the first time. Be sure to copy your client secret to the clipboard when you first create your API key. The authentication token expiry time is set to 3600 seconds (one hour) by default.

  • After you have your authorization token, you can make an API call. Send a GET request to the /getOtp endpoint to get a one-time password for a specific device.

    Use the following Python script to get a one-time password. In your script, replace the {udid} and {jwtToken} placeholders with the actual Unique Device Identifier (UDID) and JWT token.

    import requests

    # Replace <cloudName>, {udid} and {jwtToken} with your own values.
    url = "https://mobile.<cloudName>.net/papi/public/v1/getOtp?udid={udid}"
    headers = {"auth-token": "{jwtToken}"}

    response = requests.request("GET", url, headers=headers, timeout=30)
    print(response.text)

    Example GET request to get the OTP using a Python script:

    import requests

    url = "https://mobile.<cloudName>.net/papi/public/v1/getOtp?udid=253B446D-D4A2-1F3E-DFAC-A51EDA415A55:705"
    headers = {"auth-token": "eyJraWQiOiI0bzZFS1k4STFqS1kwN2tQdjlqWV9"}

    response = requests.request("GET", url, headers=headers)
    print(response.text)

    When making API calls, consider the following best practices:

    • Use UTF-8 encoding for all endpoints (e.g., use the encodeURIComponent() function in JavaScript to encode to UTF-8).
    • When updating a resource, always send a GET request before the PUT or POST request. This retrieves the current values for the resource before you update the entire resource with new values. After the update, the next GET request for that resource returns the new values. By using this practice, you avoid potentially missing updates between GET and PUT or POST calls.
    • Prevent API call caching by adding a dummy argument with a randomly generated number to all URL request strings. For example: GET /getOtp?_=123456?
    • Create a dedicated user for each script. Don't use the same keys in multiple scripts that are running concurrently.
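
An added example, not taken from the Zscaler documentation: a small session wrapper that reuses the token until shortly before the 3600-second expiry instead of logging in on every call, and applies the encoding and cache-busting practices listed above. The class name, the injected `http` callable, the 60-second refresh margin, and the `jwtToken` response field name are assumptions.

```python
import secrets
import time
from urllib.parse import urlencode

TOKEN_TTL = 3600   # default token lifetime stated on this page, in seconds
REFRESH_SKEW = 60  # assumption: re-login a minute early to avoid edge expiry


class PapiSession:
    """Caches the JWT and builds encoded, cache-busted request URLs.

    `http(method, url, headers=..., json=...)` must return the decoded JSON
    body. With requests installed, a suitable callable is:
    lambda m, u, **kw: requests.request(m, u, timeout=30, **kw).json()
    """

    def __init__(self, cloud_name, api_key, secret_key, http, clock=time.monotonic):
        self.base = f"https://mobile.{cloud_name}.net/papi"
        self._creds = {"apiKey": api_key, "secretKey": secret_key}
        self._http, self._clock = http, clock
        self._token, self._issued = None, 0.0

    def token(self):
        # Log in only when no token is cached or the cached one is near expiry.
        now = self._clock()
        if self._token is None or now - self._issued >= TOKEN_TTL - REFRESH_SKEW:
            body = self._http("POST", f"{self.base}/auth/v1/login",
                              headers={"Content-Type": "application/json"},
                              json=self._creds)
            self._token = body["jwtToken"]  # assumed response field name
            self._issued = now
        return self._token

    def url(self, endpoint, **params):
        # urlencode percent-encodes as UTF-8 (the ':' in a UDID becomes %3A);
        # the random "_" argument is the cache-buster from the best practices.
        params["_"] = secrets.randbelow(10**9)
        return f"{self.base}/public/v1/{endpoint}?{urlencode(params)}"

    def get_otp(self, udid):
        # The secret key is sent only to /login; other calls carry the token.
        return self._http("GET", self.url("getOtp", udid=udid),
                          headers={"auth-token": self.token()})
```

Create one `PapiSession` per script with that script's own API key, in line with the dedicated-key practice above.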

To learn more about rate limits and HTTP status codes, see Understanding Rate Limiting and About Error Codes. If you encounter any issues with the API, contact Zscaler Support.