Zscaler OneAPI MCP server

Zscaler OneAPI is a unified API framework that provides seamless access to all Zscaler cloud services through a single interface. An MCP server for OneAPI allows AI agents to orchestrate security policies, manage users, respond to threats, and generate compliance reports across ZIA, ZPA, ZDX, and other Zscaler services without needing separate portal access.

Setting up an MCP server

This article covers the standard steps for creating an MCP server in AI Gateway and connecting it to an AI client. The steps are the same for every integration — application-specific details (API credentials, OAuth endpoints, and scopes) are covered in the individual application pages.

Before you begin

You'll need:

  • Access to AI Gateway with permission to create MCP servers
  • API credentials for the application you're connecting (see the relevant application page for what to collect)

Create an MCP server

Find the API in the catalog

  1. Sign in to AI Gateway and select MCP Servers from the left navigation.
  2. Select New MCP Server.
  3. Search for the application you want to connect, then select it from the catalog.

Configure the server

  1. Enter a Name for your server — something descriptive that identifies both the application and its purpose (for example, "Zendesk Support — Prod").
  2. Enter a Description so your team knows what the server is for.
  3. Set the Timeout value. 30 seconds works for most APIs; increase to 60 seconds for APIs that return large payloads.
  4. Toggle Production mode on if this server will be used in a live workflow.
  5. Select Next.

Configure authentication

Enter the authentication details for the application. This varies by service — see the Authentication section of the relevant application page for the specific credentials, OAuth URLs, and scopes to use.

Configure security

  1. Set any Rate limits appropriate for your use case and the API's own limits.
  2. Enable Logging if you want AI Gateway to record requests and responses for auditing.
  3. Select Next.

Deploy

Review the summary, then select Deploy. AI Gateway provisions the server and provides a server URL you'll use when configuring your AI client.


Connect to an AI client

Once your server is deployed, you'll need to add it to the AI client your team uses. Select your client for setup instructions:

Tips

  • You can create multiple MCP servers for the same application — for example, a read-only server for reporting agents and a read-write server for automation workflows.
  • If you're unsure which OAuth scopes to request, start with the minimum read-only set and add write scopes only when needed. Most application pages include scope recommendations.
  • You can edit a server's name, description, timeout, and security settings after deployment without redeploying.

Authentication

Zscaler OneAPI uses OAuth 2.0 with client credentials flow. The base URL pattern is https://api.{zscaler_cloud}.zscaler.com/v1 where you replace {zscaler_cloud} with your cloud instance. The token endpoint is https://api.{zscaler_cloud}.zscaler.com/v1/oauth/token. Generate OAuth credentials from Administration > API Key Management > OneAPI Credentials in your Zscaler admin console. OneAPI access must be enabled by your Zscaler account team before you can create credentials.
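A sketch of a client for the token endpoint described above, added here as an example and not taken from Zscaler or AI Gateway code. It assumes the standard RFC 6749 form-encoded request body and a JSON response with `access_token` and `expires_in`; the function and class names are hypothetical.

```python
import re
import time
import urllib.parse
import urllib.request

# A cloud name is treated as a single DNS label; rejecting anything else keeps
# the client secret from being posted to a host outside *.zscaler.com.
_CLOUD_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def token_endpoint(zscaler_cloud):
    """Build the token URL from the pattern given on this page."""
    if not _CLOUD_RE.fullmatch(zscaler_cloud):
        raise ValueError(f"invalid cloud name: {zscaler_cloud!r}")
    return f"https://api.{zscaler_cloud}.zscaler.com/v1/oauth/token"


def build_token_request(zscaler_cloud, client_id, client_secret):
    """Assumption: RFC 6749 section 4.4 body; pull the secret from a vault."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        token_endpoint(zscaler_cloud), data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


class TokenCache:
    """Reuse a token until `skew` seconds before expiry, then fetch again."""

    def __init__(self, fetch, skew=60, clock=time.monotonic):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._expires_at = None, 0.0

    def get(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._skew:
            resp = self._fetch()  # dict with access_token and expires_in
            self._token = resp["access_token"]
            self._expires_at = now + float(resp["expires_in"])
        return self._token
```

In use, `fetch` would send the request with `urllib.request.urlopen` and parse the JSON response; keeping it injectable lets the cache be tested without network access.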

Available tools

The tools enable cross-service user management, unified policy orchestration, real-time threat response, and comprehensive analytics. They allow you to manage users and groups across all services, create policies that span ZIA and ZPA, respond to security incidents automatically, and generate reports for compliance and auditing.

| Tool | Description |
|------|-------------|
| Service Discovery | Show status of all Zscaler services, check service health |
| Unified User Management | Create users with cross-service access, disable users across services, manage group permissions |
| Policy Synchronization | Apply policies across ZIA and ZPA, sync configurations, enforce DLP rules |
| Threat Response | Block domains across services, quarantine infected endpoints, isolate compromised accounts |
| Incident Management | Retrieve all security events for users, correlate threats, generate incident reports |
| Automated Remediation | Block suspicious IPs, revoke compromised credentials, enable enhanced scanning |
| Unified Analytics | Show cross-service security posture, generate executive dashboards, compare threat trends |
| Compliance Reporting | Generate compliance reports, show policy violations by department, track data residency |
| User Performance Metrics | Show user experience scores from ZDX, analyze application performance, track SLA compliance |
| User Lifecycle | Onboard employees with standard access, provision contractors, offboard users |
| Policy Automation | Update policies based on threat level, schedule changes, test in sandbox |
| Active Directory Sync | Sync groups from AD, import users from HRIS, manage group membership |
| SIEM Integration | Export logs to SIEM, configure webhooks, send security events to external tools |

Tips

  • Rotate OAuth 2.0 tokens regularly.
  • Store credentials securely in a credentials vault rather than in config files.
  • Implement least privilege by granting only the scopes required for each integration.
  • Conduct regular access reviews to ensure only necessary permissions remain active.
  • Monitor API usage patterns for anomalies.
  • Set up alerts for unusual activity that might indicate a compromised client credential or unauthorized access attempt.
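One way to turn the monitoring and alerting tips into checks over request logs, added here as an example and not part of AI Gateway or Zscaler. The JSON log fields, the server name `oneapi-reporting`, the client name, and the choice of which tools count as state-changing are all assumptions, and the sample lines are constructed.

```python
import json
from collections import defaultdict

# Assumption: tools from the table above that change state in Zscaler.
WRITE_TOOLS = {"Threat Response", "Automated Remediation", "User Lifecycle",
               "Policy Synchronization", "Policy Automation",
               "Unified User Management", "Active Directory Sync"}
READ_ONLY_SERVERS = {"oneapi-reporting"}  # constructed server name


def detect(log_lines, baseline_ips, max_per_minute=30):
    """Return (line_no, rule, detail) alerts for JSON-lines request logs."""
    alerts = []
    known = {c: set(ips) for c, ips in baseline_ips.items()}
    per_minute = defaultdict(int)
    for n, line in enumerate(log_lines, 1):
        ev = json.loads(line)
        client, ip, minute = ev["client_id"], ev["src_ip"], ev["ts"][:16]
        # A credential used from an address never seen for that client.
        if ip not in known.setdefault(client, set()):
            alerts.append((n, "new_source_ip", f"{client} from {ip}"))
            known[client].add(ip)  # alert once per new address
        # A state-changing tool called through a server meant for reporting.
        if ev["server"] in READ_ONLY_SERVERS and ev["tool"] in WRITE_TOOLS:
            alerts.append((n, "write_on_read_only", ev["tool"]))
        # Call volume per client per minute; alert once when it is exceeded.
        per_minute[(client, minute)] += 1
        if per_minute[(client, minute)] == max_per_minute + 1:
            alerts.append((n, "rate_spike", f"{client} at {minute}"))
    return alerts


def _ev(ts, tool, ip):
    """Build one constructed log line for the sample below."""
    return json.dumps({"ts": ts, "client_id": "agent-report",
                       "server": "oneapi-reporting", "tool": tool, "src_ip": ip})


SAMPLE_LOG = [  # constructed sample data, not real gateway output
    _ev("2024-05-01T09:00:05Z", "Compliance Reporting", "10.0.4.12"),
    _ev("2024-05-01T09:00:20Z", "Unified Analytics", "10.0.4.12"),
    _ev("2024-05-01T09:00:41Z", "Threat Response", "203.0.113.50"),
    _ev("2024-05-01T09:00:44Z", "Unified Analytics", "203.0.113.50"),
]
BASELINE = {"agent-report": {"10.0.4.12"}}

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE, max_per_minute=3):
        print(alert)
```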