The Zscaler MCP server is a Model Context Protocol server that connects AI agents with the Zscaler Zero Trust Exchange platform, operating in read-only mode by default for security.
From the registry: Manage Zscaler Zero Trust Exchange via 280+ tools — ZPA, ZIA, ZDX, ZCC, EASM, and more.
$ curl -LsSf https://astral.sh/uv/install.sh | sh
https://docs.astral.sh/uv/
Please install the `zscaler-mcp-server` MCP server into my current AI client (that's you).
Required prerequisites (do these first if not already done):
- **Python 3.11+** — Python 3.11 or higher is required (https://www.python.org/)
- **Zscaler API credentials** — OneAPI credentials (ZSCALER_CLIENT_ID, ZSCALER_CLIENT_SECRET, ZSCALER_CUSTOMER_ID, ZSCALER_VANITY_DOMAIN) from your Zscaler tenant (https://zscaler-mcp-server.readthedocs.io/)
Optional prerequisites:
- uv — uv package manager is recommended. Run: `curl -LsSf https://astral.sh/uv/install.sh | sh` (https://docs.astral.sh/uv/)
Canonical MCP server config (stdio transport):
- command: `uvx`
- args: `["zscaler-mcp"]`
- required environment variables:
  - `ZSCALER_CLIENT_ID`: Zscaler OAuth client ID (OneAPI) (example: `<your_client_id>`)
  - `ZSCALER_CLIENT_SECRET`: Zscaler OAuth client secret (OneAPI) (example: `<your_client_secret>`)
  - `ZSCALER_CUSTOMER_ID`: Your Zscaler customer ID (example: `<your_customer_id>`)
  - `ZSCALER_VANITY_DOMAIN`: Your Zscaler vanity domain (example: `<your_vanity_domain>`)
- optional environment variables:
  - `ZSCALER_CLOUD`: Zscaler cloud environment (e.g. beta). Required only for Beta Tenant. (example: `beta`)
  - `ZSCALER_MCP_WRITE_ENABLED`: Set to true to enable write operations (requires ZSCALER_MCP_WRITE_TOOLS allowlist) (example: `true`)
  - `ZSCALER_MCP_WRITE_TOOLS`: Mandatory allowlist pattern when write mode enabled (e.g. zpa_create_*,zpa_delete_*) (example: `zpa_create_*`)
Note: 300+ tools for Zscaler Zero Trust Exchange (ZIA, ZPA, ZDX, ZMS, ZTW, Z-Insights, ZIdentity, EASM, ZCC). Read-only by default — write mode requires both --enable-write-tools flag and explicit --write-tools allowlist. Supports sse and streamable-http transports for remote deployment. Docker image available at ghcr.io/zscaler/zscaler-mcp.
Add this MCP server to my current client's config in the correct format for you. If you need secrets or credentials I haven't provided, ASK me — do not invent values or leave raw placeholders. After adding it, tell me how to verify the server is connected.
- `ZSCALER_MCP_WRITE_ENABLED` (required): Enables write operations for the MCP server.
- `ZSCALER_MCP_WRITE_TOOLS` (required): Specifies the allowlist of write tools that can be used.
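The write-mode settings above (`ZSCALER_MCP_WRITE_ENABLED` plus the `ZSCALER_MCP_WRITE_TOOLS` allowlist) and the "no raw placeholders" requirement can be checked before a client config is deployed. The following is an added example, not code from the Zscaler project: it audits a constructed client config, assuming the common `mcpServers` JSON layout and glob-style allowlist matching; the tool names and the `covered_tools`, `audit_env` and `audit_config` helpers are hypothetical.

```python
import fnmatch
import json

# Constructed sample in the common "mcpServers" client layout (an assumption).
SAMPLE_CONFIG = json.loads("""
{"mcpServers": {"zscaler": {
  "command": "uvx",
  "args": ["zscaler-mcp"],
  "env": {
    "ZSCALER_CLIENT_ID": "<your_client_id>",
    "ZSCALER_CLIENT_SECRET": "constructed-secret",
    "ZSCALER_CUSTOMER_ID": "constructed-customer",
    "ZSCALER_VANITY_DOMAIN": "constructed-domain",
    "ZSCALER_MCP_WRITE_ENABLED": "true",
    "ZSCALER_MCP_WRITE_TOOLS": "zpa_create_*,*"
  }}}}
""")

REQUIRED = ("ZSCALER_CLIENT_ID", "ZSCALER_CLIENT_SECRET",
            "ZSCALER_CUSTOMER_ID", "ZSCALER_VANITY_DOMAIN")
# Constructed tool names, used only to show what a pattern would cover.
SAMPLE_TOOLS = ["zpa_create_example", "zpa_delete_example", "zia_update_example"]


def covered_tools(patterns, tools=SAMPLE_TOOLS):
    """Tools an allowlist would open up, assuming glob-style matching."""
    return [t for t in tools if any(fnmatch.fnmatchcase(t, p) for p in patterns)]


def audit_env(env):
    """Return findings for one server's env block."""
    findings = []
    for name in REQUIRED:
        value = env.get(name, "").strip()
        if not value:
            findings.append(f"{name}: missing")
        elif value.startswith("<") and value.endswith(">"):
            findings.append(f"{name}: raw placeholder")
    write_on = env.get("ZSCALER_MCP_WRITE_ENABLED", "").strip().lower() == "true"
    raw = env.get("ZSCALER_MCP_WRITE_TOOLS", "")
    patterns = [p.strip() for p in raw.split(",") if p.strip()]
    if write_on and not patterns:
        findings.append("write mode enabled without an allowlist")
    for pat in patterns:
        if write_on and covered_tools([pat]) == SAMPLE_TOOLS:
            findings.append(f"allowlist pattern {pat!r} covers every sample tool")
    return findings


def audit_config(config):
    """Map each configured server name to its findings."""
    servers = config.get("mcpServers", {})
    return {name: audit_env(s.get("env", {})) for name, s in servers.items()}
```

Replace `SAMPLE_TOOLS` with the tool list your deployed server actually reports to see what a given allowlist would open up.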