
Zscaler OneAPI MCP Server

Create a powerful Model Context Protocol (MCP) server for Zscaler OneAPI in minutes with our AI Gateway. This guide walks you through setting up unified security orchestration across all Zscaler services with enterprise-grade authentication.

About Zscaler OneAPI

Zscaler OneAPI is a unified API framework that provides seamless access to all Zscaler cloud services through a single interface. It enables comprehensive security orchestration across Zscaler's Zero Trust Exchange platform.

Key Capabilities

  • Service Discovery: Dynamic discovery of available Zscaler services
  • Unified User Management: Manage users across ZIA, ZPA, ZDX, and ZCP
  • Policy Orchestration: Create and manage policies spanning multiple services
  • Real-time Analytics: Cross-service analytics and threat intelligence
  • Event Streaming: Real-time security events and system notifications
  • Configuration Management: Import/export configurations across services
  • Multi-tenant Support: Manage multiple organizations and tenants
  • Audit & Compliance: Comprehensive audit logging and reporting

API Features

  • OAuth 2.0 Authentication: Secure client credentials flow
  • RESTful Interface: Modern REST API principles
  • Rate Limiting: 1000 requests/minute with burst allowance
  • Event Streaming: Server-Sent Events for real-time updates
  • Batch Operations: Efficient bulk operations
  • Service Health Monitoring: Real-time service status
  • Comprehensive Scopes: Granular permission control
  • Multi-cloud Support: Works across all Zscaler cloud instances

What You Can Do with Zscaler OneAPI MCP Server

The MCP server transforms Zscaler's unified API into a natural language interface, enabling AI agents to:

Cross-Service Operations

  • Service Management

    • "Show status of all Zscaler services"
    • "Enable ZDX monitoring for all ZPA users"
    • "Sync user configurations from ZIA to ZPA"
    • "Check service health across all platforms"
  • Unified User Management

    • "Create user with access to ZIA and ZPA"
    • "Disable all services for terminated employees"
    • "List users with admin privileges across services"
    • "Bulk update user departments and locations"
  • Policy Synchronization

    • "Apply web filtering policy to all remote users"
    • "Create unified access policy for sales team"
    • "Sync firewall rules from ZIA to cloud workloads"
    • "Enforce DLP policies across all services"

Security Orchestration

  • Threat Response

    • "Block malicious domain across all services"
    • "Isolate compromised user accounts"
    • "Quarantine infected endpoints"
    • "Update threat feeds in real-time"
  • Incident Management

    • "Get all security events for user john@company.com"
    • "Correlate threats across ZIA and ZPA"
    • "Generate incident report for last 24 hours"
    • "Track lateral movement attempts"
  • Automated Remediation

    • "Block all traffic from suspicious IP"
    • "Revoke access for compromised credentials"
    • "Enable enhanced scanning for high-risk users"
    • "Trigger security playbooks"

Analytics & Reporting

  • Unified Analytics

    • "Show security posture across all services"
    • "Generate executive dashboard for this month"
    • "Compare threat trends week over week"
    • "Analyze bandwidth usage by service"
  • Compliance Reporting

    • "Generate compliance report for audit"
    • "Show policy violations by department"
    • "Track data residency compliance"
    • "Monitor privileged access usage"
  • Performance Metrics

    • "Show user experience scores from ZDX"
    • "Analyze application performance metrics"
    • "Track SLA compliance for critical apps"
    • "Monitor cloud connector health"

Automation Workflows

  • User Lifecycle

    • "Onboard new employee with standard access"
    • "Provision contractor with limited permissions"
    • "Offboard user and revoke all access"
    • "Transfer user permissions to manager"
  • Policy Automation

    • "Update policies based on threat level"
    • "Schedule policy changes for maintenance"
    • "Roll back to previous configuration"
    • "Test policy changes in sandbox"
  • Integration Scenarios

    • "Sync with Active Directory groups"
    • "Import users from HRIS system"
    • "Export logs to SIEM platform"
    • "Integrate with ticketing system"

Zero Trust Implementation

  • Access Control

    • "Implement least privilege for developers"
    • "Create context-aware access policies"
    • "Enable MFA for sensitive applications"
    • "Set up conditional access rules"
  • Micro-segmentation

    • "Segment applications by criticality"
    • "Create security zones for departments"
    • "Isolate development from production"
    • "Implement app-to-app segmentation"
  • Trust Verification

    • "Verify device posture before access"
    • "Check user risk score continuously"
    • "Validate application identity"
    • "Monitor trust levels in real-time"

Prerequisites

  • Access to Cequence AI Gateway
  • Zscaler OneAPI access enabled by your Zscaler representative
  • OAuth 2.0 client credentials (Client ID and Secret)
  • Your Zscaler cloud instance identifier
  • Appropriate admin permissions

Step 1: Obtain Zscaler OneAPI Credentials

1.1 Contact Zscaler Support

  1. Contact your Zscaler account team
  2. Request OneAPI access enablement
  3. Specify required services (ZIA, ZPA, ZDX, ZCP)
  4. Request OAuth 2.0 client credentials

1.2 Access Zscaler Admin Portal

  1. Log in to your Zscaler admin console
  2. Navigate to Administration > API Key Management
  3. Click OneAPI Credentials

1.3 Create OAuth Application

  1. Click Add OAuth Application
  2. Configure application:
    • Name: "AI Gateway MCP Integration"
    • Description: "MCP server for security orchestration"
    • Grant Type: Client Credentials
    • Scopes: Select required scopes (see scopes section)
  3. Click Save

1.4 Save Credentials

  1. Copy Client ID
  2. Copy Client Secret (shown only once) and store it in your secrets manager immediately; it cannot be retrieved again later
  3. Note your Cloud Instance (e.g., zscaler, zscalerone)
  4. Record the Token URL format

Steps 2-4: Standard Setup

Follow standard steps to access AI Gateway, find Zscaler OneAPI, and create MCP server.

Step 5: Configure API Endpoints

  1. Base URL:

    https://api.{zscaler_cloud}.zscaler.com/v1

    Replace {zscaler_cloud} with the cloud instance identifier recorded in Step 1.4 (e.g. zscaler, zscalerone)

  2. Select endpoint categories:

    • Service Discovery
    • User Management
    • Policy Management
    • Analytics
    • Events & Audit
    • Configuration Management
  3. Click Next

Step 6: MCP Server Configuration

  1. Name: "Zscaler Security Orchestration"
  2. Description: "Unified security management across Zscaler services"
  3. Production Mode: Toggle based on environment
  4. Click Next

Step 7: Configure Authentication

  1. Authentication Type: OAuth 2.0
  2. Token URL:
    https://api.{zscaler_cloud}.zscaler.com/v1/oauth/token
  3. Client ID: Enter your OAuth client ID
  4. Client Secret: Enter your OAuth client secret
  5. Select the scopes this server actually needs (see the list below), starting from the narrowest set that covers your workflows

Available Zscaler OneAPI Scopes

Core Access

  • oneapi:read

    • Read access to all OneAPI resources
    • View configurations and policies
    • Access analytics and reports
    • Read audit logs
  • oneapi:write

    • Write access to all OneAPI resources
    • Create and modify policies
    • Update configurations
    • Manage users and groups
  • oneapi:admin

    • Full administrative access
    • Tenant management
    • Service configuration
    • Critical operations

Service-Specific Scopes

  • zia:read / zia:write

    • ZIA-specific operations
    • URL filtering and firewall rules
    • SSL inspection settings
    • Bandwidth policies
  • zpa:read / zpa:write

    • ZPA-specific operations
    • Application segments
    • Access policies
    • Connector management
  • zdx:read / zdx:write

    • ZDX-specific operations
    • User experience monitoring
    • Application performance
    • Endpoint metrics

Specialized Scopes

  • analytics:read

    • Access to analytics data
    • View reports and dashboards
    • Export metrics
    • Trend analysis
  • events:read

    • Real-time event access
    • Audit log viewing
    • Security alerts
    • System notifications
  • config:read / config:write

    • Configuration management
    • Import/export settings
    • Backup operations
    • Template management

Recommended Scope Combinations

For Security Operations:

oneapi:read
oneapi:write
analytics:read
events:read

For Full Administration:

oneapi:admin
config:read
config:write

For Read-Only Monitoring:

oneapi:read
analytics:read
events:read

Note that oneapi:write grants write access to every service. If a workflow only changes one product, prefer its service-specific write scope (zia:write, zpa:write, zdx:write) over oneapi:write, and reserve oneapi:admin for tenant-level administration. An agent driven by natural-language prompts should run with the Read-Only Monitoring set unless it genuinely needs to change configuration.
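As an added example (not Cequence or Zscaler code), the Node.js snippet below obtains a token for the Step 7 token URL with the client-credentials grant, validates the cloud identifier before it is placed in a hostname, refuses the tenant-wide write/admin scopes unless they are explicitly opted into, and caches the token until one minute before expiry. It assumes the endpoint accepts a standard RFC 6749 POST with HTTP Basic client authentication and returns JSON containing access_token and expires_in (seconds); the environment variable names mentioned in the usage note are illustrative.

```javascript
// Added example (not Cequence or Zscaler code): OAuth 2.0 client-credentials
// token acquisition for the token URL given in Step 7, with a token cache.
// Assumptions: RFC 6749 client_credentials POST, HTTP Basic client auth,
// JSON response with access_token and expires_in (seconds).

const CLOUD_ID = /^[a-z0-9]+$/;                 // e.g. "zscaler", "zscalerone"
const SCOPE_ID = /^[a-z]+:(read|write|admin)$/;  // e.g. "zia:read", "oneapi:admin"
const BROAD_SCOPES = new Set(['oneapi:write', 'oneapi:admin']);

function tokenUrl(cloud) {
  // Validate the tenant identifier before it is interpolated into a hostname;
  // an unchecked value could send the client secret to a different host.
  if (!CLOUD_ID.test(cloud)) throw new Error(`invalid cloud instance: ${JSON.stringify(cloud)}`);
  return `https://api.${cloud}.zscaler.com/v1/oauth/token`;
}

function buildTokenRequest({ cloud, clientId, clientSecret, scopes, allowBroad = false }) {
  if (!clientId || !clientSecret) throw new Error('clientId and clientSecret are required');
  for (const s of scopes) {
    if (!SCOPE_ID.test(s)) throw new Error(`malformed scope: ${s}`);
    // Least privilege: tenant-wide write/admin scopes must be opted into explicitly.
    if (BROAD_SCOPES.has(s) && !allowBroad) throw new Error(`broad scope ${s} not allowed without allowBroad`);
  }
  const body = new URLSearchParams({ grant_type: 'client_credentials', scope: scopes.join(' ') });
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  return {
    url: tokenUrl(cloud),
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
      Accept: 'application/json',
    },
    body: body.toString(),
  };
}

class TokenCache {
  // fetchImpl and now are injectable so the cache can be exercised offline.
  constructor(request, { fetchImpl = globalThis.fetch, now = () => Date.now(), leewaySeconds = 60 } = {}) {
    this.request = request;
    this.fetchImpl = fetchImpl;
    this.now = now;
    this.leewayMs = leewaySeconds * 1000;
    this.token = null;
    this.expiresAt = 0;
  }

  async get() {
    if (this.token && this.now() < this.expiresAt) return this.token;
    const { url, ...init } = this.request;
    const res = await this.fetchImpl(url, init);
    if (!res.ok) {
      // Report only the status: the request object carries the client secret.
      throw new Error(`token request failed: HTTP ${res.status}`);
    }
    const data = await res.json();
    if (typeof data.access_token !== 'string' || !Number.isFinite(data.expires_in)) {
      throw new Error('token response missing access_token or expires_in');
    }
    this.token = data.access_token;
    // Refresh leewaySeconds early so a token is never presented at the edge of validity.
    this.expiresAt = this.now() + data.expires_in * 1000 - this.leewayMs;
    return this.token;
  }
}
```

Create the cache once per process, for example new TokenCache(buildTokenRequest({ cloud: 'zscalerone', clientId: process.env.ZSCALER_CLIENT_ID, clientSecret: process.env.ZSCALER_CLIENT_SECRET, scopes: ['oneapi:read', 'analytics:read', 'events:read'] })), and call await cache.get() before each API request. The Authorization header of the built request carries the secret, so never log the request object.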

Steps 8-10: Complete Setup

Configure security settings, choose deployment method, and deploy your MCP server.

Using Your Zscaler OneAPI MCP Server

With Claude Desktop

{
  "servers": {
    "zscaler-oneapi": {
      "url": "your-mcp-server-url",
      "auth": {
        "type": "oauth2",
        "client_id": "your-client-id"
      }
    }
  }
}

Natural Language Commands

  • "Show security status across all Zscaler services"
  • "Create user john@company.com with standard remote access"
  • "Block malicious-domain.com in all services"
  • "Generate security report for the last 7 days"
  • "List all users who accessed sensitive apps today"

API Integration Example

// Initialize the MCP client with OAuth 2.0 client credentials. Load the secret
// from the environment or a vault rather than hardcoding it in source
// (the ZSCALER_CLIENT_SECRET variable name is illustrative).
const mcpClient = new MCPClient({
  serverUrl: 'your-mcp-server-url',
  auth: {
    type: 'oauth2',
    client_credentials: {
      client_id: 'your-client-id',
      client_secret: process.env.ZSCALER_CLIENT_SECRET
    }
  }
});

// Check service status across the tenant
const services = await mcpClient.zscaler.services.list();
console.log('Available services:', services);

// Create one user and enable it in ZIA and ZPA in a single call
const user = await mcpClient.zscaler.users.create({
  email: 'newuser@company.com',
  name: 'New User',
  department: 'Engineering',
  services: {
    zia: { enabled: true, groups: ['developers'] },
    zpa: { enabled: true, applications: ['github', 'jira'] }
  }
});

// Get unified analytics for the last day, limited to ZIA and ZPA
const analytics = await mcpClient.zscaler.analytics.overview({
  timeRange: 'day',
  services: ['zia', 'zpa']
});

// Stream high-severity security events from ZIA and ZPA
const eventStream = await mcpClient.zscaler.events.stream({
  services: ['zia', 'zpa'],
  severity: 'high'
});

eventStream.on('event', (event) => {
  console.log('Security event:', event);
});

// Create a ZIA URL-filtering policy that blocks the malware and phishing
// categories for all users (a write operation: needs zia:write or oneapi:write)
const policy = await mcpClient.zscaler.policies.create({
  name: 'Block Malicious Sites',
  type: 'url-filtering',
  service: 'zia',
  rules: [{
    action: 'block',
    categories: ['malware', 'phishing']
  }],
  appliedTo: { groups: ['all-users'] }
});
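The events.stream call above and the Event Streaming feature (Server-Sent Events) listed earlier both rely on an SSE consumer. The following is an added example, not Cequence or Zscaler code, of such a consumer; it assumes the event endpoint speaks the WHATWG EventSource wire format (event:, data: and id: fields, a blank line terminating each event, lines beginning with ":" as keep-alive comments) and that data payloads are JSON, passing non-JSON data through as a string. It handles the two cases naive parsers get wrong: a line, or even a CRLF pair, split across two body chunks, and multi-line data fields.

```javascript
// Added example (not Cequence or Zscaler code): Server-Sent Events consumer.
// Assumes the WHATWG EventSource wire format. SAMPLE_CHUNKS is constructed
// sample input, not a capture from a real tenant.

class SseParser {
  constructor(onEvent) {
    this.onEvent = onEvent;
    this.buffer = '';        // unterminated tail of the last chunk
    this.lastEventId = '';   // sent back as Last-Event-ID when reconnecting
    this.resetEvent();
  }

  resetEvent() {
    this.eventType = '';
    this.dataLines = [];
  }

  // Feed raw text from the HTTP body; chunks may split lines or even CRLF.
  feed(chunk) {
    this.buffer += chunk;
    let idx;
    while ((idx = this.buffer.search(/\r\n|\r|\n/)) !== -1) {
      // A trailing CR may be the first half of CRLF; wait for the next chunk.
      if (this.buffer[idx] === '\r' && idx === this.buffer.length - 1) break;
      const line = this.buffer.slice(0, idx);
      const sepLen = this.buffer.startsWith('\r\n', idx) ? 2 : 1;
      this.buffer = this.buffer.slice(idx + sepLen);
      this.handleLine(line);
    }
  }

  handleLine(line) {
    if (line === '') { this.dispatch(); return; }
    if (line.startsWith(':')) return;   // comment or keep-alive ping
    const colon = line.indexOf(':');
    const field = colon === -1 ? line : line.slice(0, colon);
    let value = colon === -1 ? '' : line.slice(colon + 1);
    if (value.startsWith(' ')) value = value.slice(1);   // one leading space is stripped
    switch (field) {
      case 'event': this.eventType = value; break;
      case 'data': this.dataLines.push(value); break;
      case 'id': if (!value.includes('\u0000')) this.lastEventId = value; break;
      default: break;   // "retry" and unknown fields are ignored here
    }
  }

  dispatch() {
    // Per spec an event with no data field is discarded (the id still sticks).
    if (this.dataLines.length === 0) { this.resetEvent(); return; }
    const raw = this.dataLines.join('\n');
    let data;
    try { data = JSON.parse(raw); } catch { data = raw; }
    this.onEvent({ type: this.eventType || 'message', id: this.lastEventId, data });
    this.resetEvent();
  }

  // Headers to resume a dropped stream without replaying already-seen events.
  reconnectHeaders() {
    return this.lastEventId ? { 'Last-Event-ID': this.lastEventId } : {};
  }
}

// Parse a whole sequence of body chunks and return the dispatched events.
function parseSseChunks(chunks) {
  const events = [];
  const parser = new SseParser((e) => events.push(e));
  for (const chunk of chunks) parser.feed(chunk);
  return { events, lastEventId: parser.lastEventId };
}

// Constructed sample: a keep-alive, one high-severity ZIA alert whose data is
// split across chunks and across two data lines, a plain-text message, and an
// event with no data (discarded).
const SAMPLE_CHUNKS = [
  ': keep-alive\n',
  'event: security.alert\nid: 17\ndata: {"service":"zia",',
  '"severity":"high",\ndata: "action":"blocked"}\n\n',
  'data: plain text\n\nevent: ignored\n\n',
];
```

Wire the parser to a streaming HTTP body by calling feed() with each decoded chunk, and on reconnect after a dropped connection send parser.reconnectHeaders() alongside the bearer token so the server can resume from the last event id instead of replaying alerts the SOC has already acted on.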

Common Use Cases

Security Operations Center (SOC)

  • Real-time threat monitoring
  • Automated incident response
  • Cross-service correlation
  • Security orchestration

Identity & Access Management

  • User lifecycle automation
  • Privilege management
  • Access reviews
  • Compliance auditing

Cloud Migration

  • Workload protection
  • Application discovery
  • Zero trust implementation
  • Performance monitoring

Compliance & Governance

  • Policy enforcement
  • Audit reporting
  • Data residency
  • Risk assessment

Security Best Practices

  1. Credential Management:

    • Store credentials in secure vault
    • Rotate client secrets regularly
    • Use least privilege scopes
    • Monitor API usage
  2. Access Control:

    • Implement IP restrictions
    • Use service accounts
    • Enable MFA for admin access
    • Regular access reviews
  3. Monitoring:

    • Track API calls
    • Monitor rate limits
    • Alert on anomalies
    • Audit all changes

Troubleshooting

Common Issues

  1. Authentication Failed

    • Verify client credentials
    • Check cloud instance URL
    • Ensure OneAPI is enabled
    • Validate scopes
  2. Service Unavailable

    • Check service status
    • Verify network connectivity
    • Review maintenance windows
    • Contact support
  3. Rate Limit Exceeded

    • Implement exponential backoff with jitter and honor the Retry-After header
    • Use batch operations instead of many single calls
    • Cache frequently accessed data
    • Request a limit increase from Zscaler
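As an added example (not Cequence or Zscaler code) of the backoff strategy above, the wrapper below retries a OneAPI call on throttling with exponential delay and full jitter, lets a Retry-After header override its own schedule, and caps the number of attempts. It assumes throttling is signalled with HTTP 429 and, optionally, Retry-After in seconds (RFC 9110); it retries 503 only for GET/HEAD, because a 429 means the request was never processed while a retried POST after a 503 could create a duplicate policy or user.

```javascript
// Added example (not Cequence or Zscaler code): retry with exponential
// backoff, full jitter and Retry-After support for throttled API calls.
// Assumes 429 for rate limiting; 503 is retried only for idempotent methods.

function backoffDelayMs(attempt, retryAfter, { baseMs = 500, capMs = 30000, rand = Math.random } = {}) {
  // A parseable Retry-After (seconds form) overrides our schedule; the
  // HTTP-date form is not handled here and falls through to jittered backoff.
  const seconds = Number.parseInt(retryAfter ?? '', 10);
  if (Number.isFinite(seconds) && seconds >= 0) return Math.min(capMs, seconds * 1000);
  // Full jitter: uniform in [0, min(cap, base * 2^attempt)), which spreads
  // retries from many clients instead of synchronising them into a burst.
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(rand() * ceiling);
}

function isRetryable(status, method) {
  if (status === 429) return true;                                    // not processed
  if (status === 503) return method === 'GET' || method === 'HEAD';   // safe to repeat
  return false;
}

async function fetchWithRetry(url, init = {}, opts = {}) {
  // fetchImpl, sleep and rand are injectable so the loop can be tested offline.
  const {
    fetchImpl = globalThis.fetch,
    sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
    maxAttempts = 5,
    rand = Math.random,
  } = opts;
  const method = (init.method || 'GET').toUpperCase();
  const delays = [];
  for (let attempt = 0; ; attempt++) {
    const response = await fetchImpl(url, init);
    if (!isRetryable(response.status, method) || attempt + 1 >= maxAttempts) {
      // Final answer: either success, a non-retryable error, or attempts exhausted.
      return { response, attempts: attempt + 1, delays };
    }
    const delay = backoffDelayMs(attempt, response.headers.get('retry-after'), { rand });
    delays.push(delay);
    await sleep(delay);
  }
}
```

The returned attempts and delays are worth emitting as metrics: a rising retry count on a read-only monitoring agent is the early signal that its polling interval, not the documented 1000 requests/minute limit, needs adjusting.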

Getting Help