Zscaler MCP Server
zscaler-mcp-server is a Model Context Protocol (MCP) server that connects AI agents with the Zscaler Zero Trust Exchange platform.
By default, the server operates in read-only mode for security, requiring explicit opt-in to enable write operations.
This project is in public preview and under active development. Features and functionality may change before the stable 1.0 release. Avoid production deployments and please share feedback through GitHub Issues.
What it does
The Zscaler MCP Server brings context to your AI agents. Try prompts like:
- "List my ZPA application segments"
- "List my ZPA segment groups"
- "List my ZIA rule labels"
- "Show the ZDX experience score for my San Francisco office in the last 24 hours"
It exposes 300+ tools across every major Zscaler product, behind a single MCP interface that any MCP-compatible client (Claude Desktop, Claude Code, Cursor, Gemini CLI, Kiro IDE, VS Code + Copilot) can speak.
Supported services
| Code | Service | Description |
|---|---|---|
| ZPA | Zscaler Private Access | Application segments, server groups, access policies, app connector groups, PRA |
| ZIA | Zscaler Internet Access | URL filtering, cloud firewall, DLP, SSL inspection, sandbox, ATP, cloud app control |
| ZDX | Zscaler Digital Experience | Application/device experience scores, deep traces, alerts, software inventory |
| ZCC | Zscaler Client Connector | Device enrollment, forwarding profiles, trusted networks |
| ZTW | Zscaler Cloud & Branch Connector | IP groups, network services, admin roles |
| ZIdentity | Identity service | Users, groups |
| EASM | External Attack Surface Management | Findings, lookalike domains, asset evidence |
| Z-Insights | Analytics | Web traffic, threat trends, CASB, shadow IT, IoT |
| ZMS | Microsegmentation | Agents, resources, policy rules, tags |
See Services overview for the full per-service tool catalog.
Security-first by design
The server ships with safe defaults and multiple defense-in-depth layers:
- Read-only by default — only `list_*` and `get_*` operations are exposed
- Mandatory write allowlist — enabling writes requires both `--enable-write-tools` AND an explicit `--write-tools` pattern
- HMAC-confirmed deletes — destructive actions require a cryptographic confirmation token that prompt-injection cannot forge
- OneAPI entitlement filter — toolsets for unentitled products are silently dropped at startup
- Output sanitization — every tool response is scrubbed of invisible Unicode, HTML, and prompt-injection payloads
- TLS + Host-header validation + Source-IP ACL — for HTTP transports
See Security for the full security model.
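The following is an added sketch of how an HMAC-confirmed delete can work; it is not the project's own code. The token format, the `delete_segment` tool name, the TTL and the in-process secret are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a per-process secret that lives only in server memory and never
# appears in tool output, so nothing in the model's context can reproduce it.
_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 120  # seconds; constructed value


def _mac(tool: str, resource_id: str, expires: int) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    parts = (tool.encode(), resource_id.encode(), str(expires).encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(tool: str, resource_id: str, now=None) -> str:
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    return f"{expires}.{_mac(tool, resource_id, expires)}"


def verify_token(token: str, tool: str, resource_id: str, now=None) -> bool:
    now = int(now if now is not None else time.time())
    expires_s, sep, mac = token.partition(".")
    if not (sep and expires_s.isascii() and expires_s.isdigit()):
        return False  # malformed, e.g. injected text such as "confirmed"
    expires = int(expires_s)
    if now > expires:
        return False  # stale confirmation
    expected = _mac(tool, resource_id, expires)
    return hmac.compare_digest(mac.encode(), expected.encode())


def delete_segment(segment_id: str, confirm_token=None) -> dict:
    # Hypothetical destructive tool: the first call only returns a token bound
    # to this exact tool and resource; the second call must present it.
    tool = "delete_segment"
    if confirm_token is None:
        return {"status": "confirmation_required", "token": issue_token(tool, segment_id)}
    if not verify_token(confirm_token, tool, segment_id):
        return {"status": "rejected"}
    return {"status": "deleted", "id": segment_id}
```

Because the MAC covers the tool name, the resource ID and the expiry, a token issued for one delete cannot be replayed against a different resource or after the TTL.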
Quick links
- Installation — get the server running locally
- Configuration — environment variables and CLI flags
- Authentication — set up your OneAPI credentials
- Quickstart — first prompts in 5 minutes
- Editor integration — wire it into your AI assistant
- Toolsets — load only the tools you need
- Deployment — Docker, Azure, GCP, AWS Bedrock
- Supported tools — complete tool catalog