> ## Documentation Index
> Fetch the complete documentation index at: https://docs.serval.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Zscaler

> Connect Zscaler OneAPI to Serval with a ZIdentity API client so workflows can review ZIA and ZPA configuration live.

## About Zscaler

Zscaler is a zero trust security platform for internet access, private access, digital experience, and cloud security. Serval connects through Zscaler OneAPI using a ZIdentity API client, then runs workflows against your tenant on demand.

**Authentication:** OAuth 2.0 client credentials from ZIdentity. Serval stores your Client ID, Client Secret, vanity domain, and cloud setting, then exchanges them for short-lived access tokens during workflow runs.

**Data sync:** on demand only. Serval does not run a background sync for Zscaler; workflows call OneAPI live.

## What the Zscaler integration enables

| Capability                   | Description                                                                                                    |
| ---------------------------- | -------------------------------------------------------------------------------------------------------------- |
| Review ZIA status            | Check whether ZIA configuration is active or waiting for activation.                                           |
| Audit ZIA admins and roles   | List administrator users and role summaries for access reviews.                                                |
| Export ZIA audit logs        | Create, check, and download administrator audit log reports for a chosen time range.                           |
| Inspect ZIA policy inventory | List locations and URL categories used by ZIA policy.                                                          |
| Inspect ZPA inventory        | List ZPA customers, application segments, segment groups, server groups, app connectors, and posture profiles. |

## Get your credentials

You need a ZIdentity API client with access to the Zscaler APIs your workflows will call.

<Steps>
  <Step title="Create or choose a ZIdentity API client">
    In ZIdentity, create an API client for Serval or choose an existing automation client.
  </Step>

  <Step title="Grant API resource access">
    Add the ZIA and ZPA API resources required for the workflows you plan to run. Start with
    read-only access for inventory workflows.
  </Step>

  <Step title="Copy the Client ID and Client Secret">
    Copy the Client ID and Client Secret. Store the Client Secret before leaving the creation
    screen.
  </Step>

  <Step title="Record your vanity domain">
    Record the vanity domain prefix from your token URL. For
    `https://acme.zslogin.net/oauth2/v1/token`, enter `acme` in Serval.
  </Step>

  <Step title="Record your ZPA customer ID">
    If you plan to run ZPA workflows, copy the ZPA customer ID from the ZPA Admin Portal.
  </Step>
</Steps>

## Connect in Serval

<Steps>
  <Step title="Open the Zscaler connect form">
    In Serval, open the Zscaler integration and start a new connection.
  </Step>

  <Step title="Enter the instance name">Use a name like `Production` or `Corporate`.</Step>
  <Step title="Enter the vanity domain">Enter only the vanity prefix, such as `acme`.</Step>

  <Step title="Enter the cloud">
    Leave this blank for production. Enter values like `beta` or `alpha` only when your Zscaler
    tenant uses that OneAPI cloud. GOV and GOVUS tenants are not supported by Zscaler OneAPI.
  </Step>

  <Step title="Enter the client credentials">Paste the ZIdentity Client ID and Client Secret.</Step>

  <Step title="Optionally enter ZPA fields">
    Enter the ZPA customer ID and microtenant ID if you want them stored on the connection. ZPA
    workflows also ask for the customer ID explicitly.
  </Step>
</Steps>

## Verifying the connection

The Zscaler integration ships health checks for OneAPI status, ZIA admin users, ZIA admin roles, and ZIA locations. If a check fails, verify that the vanity domain, cloud, client credentials, and ZIdentity API resource grants match the Zscaler tenant you are connecting.

## Audit log reports

Serval can create a ZIA administrator audit log report for an epoch timestamp range, check the report generation status, and download the latest generated report. Creating a new ZIA audit log report overwrites the previous generated report in Zscaler.

<Note>
  These workflows use Zscaler's audit report API. They do not replace NSS, LSS, or Cloud NSS
  streaming for web, firewall, DNS, or ZPA activity logs.
</Note>

<Warning>
  ZPA workflows require a ZPA customer ID. The ID is part of each ZPA request path and is not
  interchangeable with the Serval integration ID or ZIA organization IDs.
</Warning>
