Skip to content

Zscaler Admin API Token

Service Name: Zscaler

Service Description: Zscaler is a cloud security platform that provides secure access to the internet and applications. It offers a range of security services including secure web gateway, cloud firewall, sandbox, CASB, and zero trust network access.

Service Address: https://www.zscaler.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the admin portal level through admin settings.

Secret Access Scope: Grants programmatic access to Zscaler Admin APIs, allowing management of Zscaler services, policies, and configurations.

Secret Revokement URL: https://help.zscaler.com/zia/api-getting-started#APIAuthentication

Secret Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ6c2NhbGVyYWRtaW4iLCJpYXQiO jE2MzQ1Njc4OTAsImV4cCI6MTYzNDU3MTQ5MH0.EXAMPLE_TOKEN

Suspicious Activity Investigation Instructions:

  • Review Zscaler audit logs for unusual API calls or configuration changes
  • Check for unauthorized policy modifications or rule changes
  • Monitor for unexpected user permission changes or new admin accounts
  • Look for unusual traffic patterns or policy bypasses
  • Verify if there are any unauthorized IP addresses accessing the admin API

Mitigation Instructions:

  • Log in to the Zscaler Admin Portal
  • Navigate to Administration > API Key Management
  • Locate the compromised API key and click "Revoke"
  • Generate a new API key if needed
  • Update any legitimate applications or scripts with the new API key
  • Review and update admin access policies
  • Enable multi-factor authentication for all admin accounts if not already enabled
  • Consider implementing IP restrictions for API access