Zscaler
Zscaler is a cloud security platform that provides secure access to applications and services. The Zscaler connector enables you to send security logs, firewall logs, DNS logs, and other security data to Zscaler Cloud NSS (Network Security Services) for analysis and monitoring. This connector is particularly useful for applications that need to forward security logs, integrate security data with Zscaler, build security analytics solutions, or centralize security log management.
Power end-to-end data operations for your Zscaler API with Nexla. Our bi-directional Zscaler connector is purpose-built for Zscaler, making it simple to ingest data, sync it across systems, and deliver it anywhere — all with no coding required. Nexla turns API-sourced data into ready-to-use, reusable data products and makes it easy to send data to Zscaler or any other destination. With comprehensive monitoring, lineage tracking, and access controls, Nexla keeps your Zscaler workflows fast, secure, and fully governed.
Features
Type: API
- Seamless API Integration: Connect to any endpoint as source or destination without coding, with automatic data product creation
- Visual Composition & Chaining: Build complex integrations using visual templates, chain API calls, and compose workflows with data validation and filtering
- API Proxy: Expose curated slices of your data securely with a secure and customizable API proxy that validates and transforms data on the fly
- Request optimization with intelligent batching, retry, and caching to minimize API calls and costs
Prerequisites
Before creating a Zscaler credential, you'll need to obtain OAuth 2.0 credentials (Client ID and Client Secret) and an authentication token from your Zscaler account. Zscaler Cloud NSS (Network Security Services) uses OAuth 2.0 for API authentication, along with an authentication token for securing API requests.
To obtain Zscaler API credentials:
-
Log in to your Zscaler admin portal. Navigate to your Zscaler ZIA (Zscaler Internet Access) or ZPA (Zscaler Private Access) admin console.
-
Navigate to Administration > Cloud NSS or Settings > Cloud NSS in the Zscaler admin portal.
-
In the Cloud NSS settings, you'll need to configure a feed for log submission. This involves:
- Creating a new Cloud NSS feed or selecting an existing feed
- Configuring the feed type (e.g., Firewall Logs, DNS Logs, SaaS Security Logs, Endpoint DLP Logs)
-
In the feed configuration, you'll receive:
- Base URL: This is the HTTPS URL for log submission services. This is typically provided in the Cloud NSS feed configuration.
- Authentication Token: This is a string authentication token for securing API requests to Zscaler Cloud NSS endpoints via HTTP headers.
-
For OAuth 2.0 credentials (if required):
- Navigate to Administration > API Keys or Settings > API Keys in the Zscaler admin portal.
- Create a new API key or OAuth application to obtain:
- Client ID: A unique public identifier assigned to your application
- Client Secret: A confidential password or key provided alongside the client ID
-
Copy the Base URL, Authentication Token, Client ID, and Client Secret. Store them securely, as you'll need them to authenticate API requests.
Zscaler Cloud NSS uses OAuth 2.0 with client credentials flow (2-legged OAuth) for API authentication, along with an authentication token for securing API requests. The authentication token is sent as an HTTP header, and OAuth 2.0 credentials are used to obtain access tokens. Both are required for Zscaler Cloud NSS API access.
For detailed information about Zscaler Cloud NSS authentication and feed configuration, refer to the Zscaler Cloud NSS Documentation and Zscaler API Documentation.
Authenticate
Credentials required
A direct authentication flow between a client application and server using client credentials, without user interaction
| Field | Required | Secret | Description |
|---|---|---|---|
| Client ID | Yes | No | A unique public identifier assigned to your application for authentication purposes |
| Client Secret | Yes | Yes | A confidential password or key provided alongside the client ID to authenticate your application |
| Authentication Token | Yes | No | String authentication token for securing API requests to Zscaler Cloud NSS endpoints via HTTP headers |
| Base URL | Yes | No | Root URL for log submission services. Must be a valid HTTPS URL. Required parameter. |
Create a credential in Nexla
- After selecting the data source/destination type, click the Add Credential tile to open the Add New Credential overlay.
New Credential Overlay – Zscaler

-
Enter a name for the credential in the Credential Name field and a short, meaningful description in the Credential Description field.
-
In the Client ID field, enter the Client ID that you obtained from your Zscaler API key configuration. This is a unique public identifier assigned to your application for authentication purposes.
-
In the Client Secret field, enter the Client Secret that you obtained from your Zscaler API key configuration. This is a confidential password or key provided alongside the client ID to authenticate your application.
-
In the Authentication Token field, enter the authentication token that you obtained from your Zscaler Cloud NSS feed configuration. This is a string authentication token for securing API requests to Zscaler Cloud NSS endpoints via HTTP headers.
-
In the Base URL field, enter the root URL for log submission services. This must be a valid HTTPS URL. This is typically provided in your Zscaler Cloud NSS feed configuration.
The Client Secret and Authentication Token are sensitive information and should be kept secure. Both are required for Zscaler Cloud NSS API access. The OAuth 2.0 credentials are used to obtain access tokens, and the authentication token is sent as an HTTP header for securing API requests.
-
Click the Save button at the bottom of the overlay. The newly added credential will now appear in a tile on the Authenticate screen during data source/destination creation.
Use as a destination
Click the + icon on the Nexset that will be sent to the Zscaler destination, and select the Send to Destination option from the menu. Select the Zscaler connector from the list of available destination connectors, then select the credential that will be used to connect to the Zscaler instance, and click Next; or, create a new Zscaler credential for use in this flow.
Endpoint templates
Nexla provides pre-built templates that can be used to rapidly configure destinations to send data to common Zscaler Cloud NSS API endpoints. Select the endpoint to which data will be sent from the Endpoint pulldown menu. Then, click on the template in the list below to expand it, and follow the instructions to configure additional endpoint settings.
Once the selected endpoint template has been configured, click the Test button to the right of the endpoint selection menu to send a sample of the data. The response will be displayed in the Endpoint Test Result panel on the right, allowing you to verify that the destination is configured correctly before saving.
Manual configuration
Zscaler destinations can also be manually configured to send data to any valid Zscaler Cloud NSS API endpoint not covered by the pre-built templates. Select the Advanced tab at the top of the configuration screen, and follow the instructions in Connect to Any API to configure the API method, endpoint URL, request headers, and request body template.
All Zscaler Cloud NSS endpoints use the POST method. Endpoint URLs typically follow the pattern {base_url}/services/collector, where {base_url} is the base URL configured in your Zscaler credential. The Authorization header with Bearer token and the authentication token header are automatically included from your credential; Content-Type is set to application/json and Content-Encoding to gzip for ingestion endpoints. The default request body template {message.json} works for most Zscaler Cloud NSS ingestion endpoints, sending the entire record as JSON — customize it only if a specific log type (firewall, DNS, DLP, etc.) requires a different structure.
Save & activate
Once all endpoint settings have been configured, click the Done button in the upper right corner of the screen to save and create the destination. To send the data to the configured Zscaler endpoint, open the destination resource menu, and select Activate.
The Nexset data will not be sent to the Zscaler endpoint until the destination is activated. Destinations can be activated immediately or at a later time, providing full control over data movement.