zscaler-mcp-server
OfficialServer Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| ZSCALER_CLOUD | No | Cloud override (e.g., beta, zscalertwo); omit for production | |
| ZSCALER_CLIENT_ID | Yes | OneAPI client ID from the ZIdentity console | |
| ZSCALER_CUSTOMER_ID | No | Zscaler customer/tenant ID (required for ZPA tools) | |
| ZSCALER_PRIVATE_KEY | No | PEM-encoded private key for JWT-based OneAPI auth, used in place of ZSCALER_CLIENT_SECRET | |
| ZSCALER_CLIENT_SECRET | No | OneAPI client secret | |
| ZSCALER_VANITY_DOMAIN | Yes | Your organization's vanity domain (e.g., acme) |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {
"listChanged": false
} |
| prompts | {
"listChanged": false
} |
| resources | {
"subscribe": false,
"listChanged": false
} |
| experimental | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| zscaler_check_connectivityB | Check connectivity to the Zscaler API. |
| zscaler_get_available_servicesA | Service-level overview of what is loaded in this session: which Zscaler services are callable, which are present but have zero callable tools because the OneAPI credentials are not entitled to them, and which were excluded by configuration. For tool-level discovery, prefer zscaler_list_toolsets. Treat the result as authoritative. |
| zscaler_list_toolsetsA | PRIMARY tool-discovery entry point. Call this FIRST for any user request that needs to find a Zscaler tool. Returns the toolsets this server organises tools into (one per resource family per service, e.g. 'zia_url_filtering', 'zpa_segment_groups'). Each row tells you whether the group is currently loaded, how many tools it contains, and whether it can be enabled in this session. Supports name / description / service substring filters so you can scope the result. Treat 'can_enable: false' as authoritative — the OneAPI credentials cannot access that product, do not retry. |
| zscaler_get_toolset_toolsA | Drill into a specific toolset to see its tools and whether each one can be called right now. Use after zscaler_list_toolsets has identified the relevant toolset. Each result row has 'available' and (when false) 'unavailable_reason'. Treat 'available: false' as authoritative and report the situation to the user instead of attempting to call the tool. Supports name / description substring filters to narrow the result. |
| zscaler_enable_toolsetA | Activate a toolset that was registered but not loaded at startup, so its tools become callable for the rest of the session. Refuses with status 'not_entitled' if the toolset belongs to a product the configured OneAPI credentials cannot access — in that case, report the result to the user and do not retry. |
| zpa_list_application_segmentsA | List ZPA application segments with optional filtering (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_application_segmentA | Get a specific ZPA application segment by ID (read-only) |
| zpa_list_application_segments_baA | List ZPA Browser Access (BA) application segments — the BA-specific counterpart of zpa_list_application_segments. Use only when the admin asks about Browser Access. Supports JMESPath client-side filtering via the query parameter (read-only). |
| zpa_get_application_segment_baA | Get a specific ZPA Browser Access (BA) application segment by ID, including its common_apps_dto.apps_config block (read-only). Use only when the admin asks about Browser Access. |
| zpa_list_application_segments_praA | List ZPA Privileged Remote Access (PRA) application segments — the PRA-specific counterpart of zpa_list_application_segments for RDP/SSH targets brokered through the PRA portal. Use only when the admin asks about Privileged Remote Access (RDP/SSH). Supports JMESPath client-side filtering via the query parameter (read-only). |
| zpa_get_application_segment_praA | Get a specific ZPA Privileged Remote Access (PRA) application segment by ID, including its common_apps_dto.apps_config block of RDP/SSH targets (read-only). Use only when the admin asks about Privileged Remote Access. |
| zpa_list_app_connector_groupsA | List ZPA App Connector Groups (read-only). Returns every connector group in the tenant — id, name, location, country, enrollment cert, server-group memberships. Use this to discover existing connector groups before creating server groups (which require an app_connector_group_id) or before onboarding an application. Supports name search and JMESPath client-side filtering via the query parameter. |
| zpa_get_app_connector_groupA | Get a specific ZPA App Connector Group by ID (read-only). Returns the full record including the enrollmentCertId, server-group memberships, and connector membership. |
| zpa_list_app_connectorsA | List ZPA app connectors with status, version, and health information (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_app_connectorA | Get a specific ZPA app connector by ID with runtime status and control connection state (read-only) |
| zpa_list_server_groupsA | List ZPA server groups (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_server_groupA | Get a specific ZPA server group by ID (read-only) |
| zpa_list_segment_groupsA | List ZPA segment groups (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_segment_groupA | Get a specific ZPA segment group by ID (read-only) |
| zpa_list_application_serversB | List ZPA application servers (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_application_serverA | Get a specific ZPA application server by ID (read-only) |
| zpa_list_service_edge_groupsA | List ZPA service edge groups (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_service_edge_groupB | Get a specific ZPA service edge group by ID (read-only) |
| zpa_list_service_edgesA | List individual ZPA Service Edges (the cloud-hosted broker instances themselves, distinct from their parent service edge groups). Returns runtime status, version, location, enrollment cert, and |
| zpa_get_service_edgeA | Get a specific ZPA Service Edge by ID — full record including control-channel state, runtime status, version, location, enrollment certificate, and parent service edge group membership (read-only). |
| zpa_list_ba_certificatesA | List ZPA browser access certificates (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_ba_certificateA | Get a specific ZPA browser access certificate by ID (read-only) |
| zpa_list_access_policy_rulesA | List ZPA access policy rules (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_access_policy_ruleA | Get a specific ZPA access policy rule by ID (read-only) |
| zpa_list_forwarding_policy_rulesA | List ZPA forwarding policy rules (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_forwarding_policy_ruleA | Get a specific ZPA forwarding policy rule by ID (read-only) |
| zpa_list_timeout_policy_rulesA | List ZPA timeout policy rules (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_timeout_policy_ruleB | Get a specific ZPA timeout policy rule by ID (read-only) |
| zpa_list_isolation_policy_rulesA | List ZPA isolation policy rules (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_isolation_policy_ruleA | Get a specific ZPA isolation policy rule by ID (read-only) |
| zpa_list_app_protection_rulesA | List ZPA app protection rules (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_app_protection_ruleA | Get a specific ZPA app protection rule by ID (read-only) |
| zpa_list_provisioning_keysA | List ZPA provisioning keys (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_provisioning_keyA | Get a specific ZPA provisioning key by ID (read-only) |
| zpa_list_pra_portalsA | List ZPA PRA portals (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_pra_portalA | Get a specific ZPA PRA portal by ID (read-only) |
| zpa_list_pra_credentialsA | List ZPA PRA credentials (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_pra_credentialA | Get a specific ZPA PRA credential by ID (read-only) |
| get_zpa_app_protection_profileC | Manage ZPA App Protection Profiles (Inspection Profiles) (read-only) |
| get_zpa_enrollment_certificateC | Manage ZPA Enrollment Certificates (read-only) |
| get_zpa_isolation_profileB | Manage ZPA Cloud Browser Isolation (CBI) profiles (read-only) |
| get_zpa_posture_profileC | Manage ZPA Posture Profiles (read-only) |
| get_zpa_saml_attributeC | Manage ZPA SAML Attributes (read-only) |
| get_zpa_scim_attributeC | Manage ZPA SCIM Attributes (read-only) |
| get_zpa_scim_groupC | Manage ZPA SCIM Groups (read-only) |
| get_zpa_app_segments_by_typeB | Manage ZPA application segments by type (read-only) |
| get_zpa_trusted_networkB | Manage ZPA Trusted Networks (read-only) |
| zpa_list_lss_configsA | List ZPA Log Streaming Service (LSS) configurations — each record routes a log feed (User Activity, User Status, Audit, App Connector Status/Metrics, Browser Access, Web Inspection, etc.) from ZPA to a customer-side LSS Connector / SIEM. Read-only configuration; does not return log content. Supports JMESPath client-side filtering via the query parameter. |
| zpa_get_lss_configA | Get a specific ZPA LSS configuration by ID, including source log type, log format template, destination host/port, TLS setting, associated App Connector Groups, policy-rule scope, and filter status codes (read-only). |
| zpa_list_lss_log_typesA | List the human-readable LSS source log types supported by ZPA (e.g. user_activity, user_status, audit_logs, app_connector_status, app_connector_metrics, browser_access, web_inspection, private_svc_edge_status). Use these values when authoring an LSS config or when verifying baseline log-feed coverage (read-only). |
| zpa_get_lss_log_formatA | Get the pre-configured LSS log format templates (csv / json / tsv) for a given source log type. Useful for confirming exactly which fields ZPA serializes into the SIEM stream (read-only). |
| zpa_list_lss_status_codesA | List ZPA LSS session status codes used in LSS config filters. Returns code → metadata (including which log types each code applies to). Use when authoring a status-code filter or when interpreting a streamed event (read-only). |
| zpa_list_lss_client_typesA | List ZPA LSS client types for the current customer (e.g. web_browser, client_connector, machine_tunnel, zpa_lss). Returns the human-readable name → internal identifier mapping used in LSS policy-rule conditions (read-only). |
| zdx_list_devicesB | List ZDX devices with optional filtering (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_get_deviceB | Get a specific ZDX device by ID (read-only) |
| zdx_list_departmentsA | List ZDX departments (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_list_locationsA | List ZDX locations (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_get_application_metricB | Get ZDX metrics for a specified application (read-only) |
| zdx_get_applicationB | Get ZDX application details (read-only) |
| zdx_get_application_score_trendB | Get ZDX application score trend (read-only) |
| zdx_list_application_usersB | List users for a ZDX application (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_get_application_userA | Get a specific ZDX application user (read-only) |
| zdx_list_alertsA | List ZDX alerts (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_get_alertA | Get a specific ZDX alert by ID (read-only) |
| zdx_list_alert_affected_devicesA | List devices affected by a ZDX alert (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_list_applicationsA | List ZDX applications (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_list_device_deep_tracesA | List ZDX deep traces for a device (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_get_device_deep_traceA | Get a specific ZDX deep trace by ID (read-only) |
| zdx_list_deeptrace_top_processesA | Get top processes from a ZDX deep trace session (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_get_deeptrace_webprobe_metricsB | Get web probe metrics from a ZDX deep trace session (read-only) |
| zdx_get_deeptrace_cloudpath_metricsA | Get cloud path metrics from a ZDX deep trace session (read-only) |
| zdx_get_deeptrace_cloudpathA | Get cloud path topology from a ZDX deep trace session (read-only) |
| zdx_get_deeptrace_health_metricsA | Get health metrics from a ZDX deep trace session (read-only) |
| zdx_get_deeptrace_eventsB | Get events from a ZDX deep trace session (read-only) |
| zdx_get_analysisA | Get status of a ZDX score analysis (read-only) |
| zdx_get_web_probesA | Get web probes for an app on a device - returns web_probe_id needed for zdx_start_deeptrace (read-only) |
| zdx_list_cloudpath_probesA | List cloud path probes for an app on a device - returns cloudpath_probe_id needed for zdx_start_deeptrace (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_list_historical_alertsB | List ZDX historical alerts (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_list_softwareA | List ZDX software inventory (read-only) Supports JMESPath client-side filtering via the query parameter. |
| zdx_get_software_detailsB | Get details for specific ZDX software (read-only) |
| zins_get_web_traffic_by_locationB | Provides web traffic analytics grouped by location, including traffic volume, bandwidth usage, and office traffic comparisons. |
| zins_get_web_traffic_no_groupingA | Provides total web traffic volume metrics without grouping, including aggregate bandwidth and overall web usage statistics. |
| zins_get_web_protocolsA | Provides web protocol distribution analytics (HTTP, HTTPS, SSL), including protocol usage and HTTPS adoption metrics. |
| zins_get_threat_super_categoriesC | Provides threat super-category analytics including malware, phishing, spyware, and other threat types detected across the tenant. |
| zins_get_threat_classA | Provides detailed threat classification analytics including virus, trojan, ransomware, and other malware type breakdowns. |
| zins_get_cyber_incidentsC | Provides cybersecurity incidents grouped by category, including security events, cyber attacks, and incident breakdowns. |
| zins_get_cyber_incidents_by_locationA | Provides cybersecurity incidents grouped by location, showing incident distribution across offices and sites. |
| zins_get_cyber_incidents_dailyB | Provides daily cybersecurity incident trends, showing incident patterns and security statistics over time. |
| zins_get_cyber_incidents_by_threat_and_appB | Provides cybersecurity incidents correlated by threat type and application, showing which apps are targeted and threat-application relationships. |
| zins_get_firewall_by_actionB | Provides Zero Trust Firewall traffic analytics by action (allow/block), including blocked traffic volume and firewall policy effectiveness. |
| zins_get_firewall_by_locationA | Provides Zero Trust Firewall traffic analytics grouped by location, including firewall activity by office and branch. |
| zins_get_firewall_network_servicesB | Provides firewall network service usage analytics, including port usage, protocol activity, and service breakdowns. |
| zins_get_casb_app_reportA | Provides CASB SaaS application usage analytics, including cloud app usage and cloud service adoption metrics. |
| zins_get_shadow_it_appsB | Provides discovered shadow IT applications with risk scores, including unsanctioned and unauthorized application detection. |
| zins_get_shadow_it_summaryA | Provides shadow IT summary statistics, including total shadow apps, app categories, and risk distribution overview. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/zscaler/zscaler-mcp-server'
If you have feedback or need assistance with the MCP directory API, please join our Discord server