About Zscaler
Zscaler is a zero trust security platform for internet access, private access, digital experience, and cloud security. Serval connects through Zscaler OneAPI using a ZIdentity API client, then runs workflows against your tenant on demand. Authentication: OAuth 2.0 client credentials from ZIdentity. Serval stores your Client ID, Client Secret, vanity domain, and cloud setting, then exchanges them for short-lived access tokens during workflow runs. Data sync: on demand only. Serval does not run a background sync for Zscaler; workflows call OneAPI live.What the Zscaler integration enables
| Capability | Description |
|---|---|
| Review ZIA status | Check whether ZIA configuration is active or waiting for activation. |
| Audit ZIA admins and roles | List administrator users and role summaries for access reviews. |
| Export ZIA audit logs | Create, check, and download administrator audit log reports for a chosen time range. |
| Inspect ZIA policy inventory | List locations and URL categories used by ZIA policy. |
| Inspect ZPA inventory | List ZPA customers, application segments, segment groups, server groups, app connectors, and posture profiles. |
Get your credentials
You need a ZIdentity API client with access to the Zscaler APIs your workflows will call.Create or choose a ZIdentity API client
In ZIdentity, create an API client for Serval or choose an existing automation client.
Grant API resource access
Add the ZIA and ZPA API resources required for the workflows you plan to run. Start with
read-only access for inventory workflows.
Copy the Client ID and Client Secret
Copy the Client ID and Client Secret. Store the Client Secret before leaving the creation
screen.
Record your vanity domain
Record the vanity domain prefix from your token URL. For
https://acme.zslogin.net/oauth2/v1/token, enter acme in Serval.Connect in Serval
Enter the cloud
Leave this blank for production. Enter values like
beta or alpha only when your Zscaler
tenant uses that OneAPI cloud. GOV and GOVUS tenants are not supported by Zscaler OneAPI.Verifying the connection
The Zscaler integration ships health checks for OneAPI status, ZIA admin users, ZIA admin roles, and ZIA locations. If a check fails, verify that the vanity domain, cloud, client credentials, and ZIdentity API resource grants match the Zscaler tenant you are connecting.Audit log reports
Serval can create a ZIA administrator audit log report for an epoch timestamp range, check the report generation status, and download the latest generated report. Creating a new ZIA audit log report overwrites the previous generated report in Zscaler.These workflows use Zscaler’s audit report API. They do not replace NSS, LSS, or Cloud NSS
streaming for web, firewall, DNS, or ZPA activity logs.

