Edge Management API Reference

Ziti Edge Management (0.26.27)

OpenZiti Edge Management API

Informational

Returns version information

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Returns all capabilities this version of the controller is aware of, enabled or not.

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Returns a list of API specs

Returns a list of spec files embedded within the controller for consumption/documentation/code generation

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Return a single spec resource

Returns a single spec resource embedded within the controller for consumption/documentation/code generation

path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Returns the spec's file

Return the body of the specification (i.e. Swagger, OpenAPI 2.0, 3.0, etc).

path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
No sample

Returns a list of accessible resource counts

This endpoint is useful for UIs that wish to display UI elements with counts.

Authorizations:
ztSession, oauth2

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Returns version information

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Well Known

Get CA Cert Store

This endpoint is used during enrollments to bootstrap trust between enrolling clients and the Ziti Edge API. This endpoint returns a base64 encoded PKCS7 store. The content can be base64 decoded and parsed by any library that supports parsing PKCS7 stores.

Responses

API Session

List active API sessions

Returns a list of active API sessions. The resources can be sorted, filtered, and paginated. This endpoint requires admin access.

Authorizations:
ztSession, oauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json; charset=utf-8
{
  • "data": [
    ],
  • "meta": {
    }
}

Retrieves a single API Session

Retrieves a single API Session by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Deletes an API Session

Deletes an API session by id. Requires admin access.

Authorizations:
ztSession
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Auth Policy

List Auth Policies

Retrieves a list of Auth Policies

Authorizations:
ztSession, oauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Creates an Auth Policy

Creates an Auth Policy. Requires admin access.

Authorizations:
ztSession, oauth2
Request Body schema: application/json

An Auth Policy to create

name
required
string
required
object (authPolicyPrimary)
required
object (authPolicySecondary)
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "primary": {
    },
  • "secondary": {
    },
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single Auth Policy

Retrieves a single Auth Policy by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on an Auth Policy

Update all fields on an Auth Policy by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An Auth Policy update object

name
required
string
required
object (authPolicyPrimary)
required
object (authPolicySecondary)
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "primary": {
    },
  • "secondary": {
    },
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete an Auth Policy

Delete an Auth Policy by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on an Auth Policy

Update only the supplied fields on an Auth Policy by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An Auth Policy patch object

name
string or null
object (authPolicyPrimaryPatch)
object or null (authPolicySecondaryPatch)
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "name": "string",
  • "primary": {
    },
  • "secondary": {
    },
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Authentication

Authenticate via a method supplied via a query string parameter

Allowed authentication methods include "password", "cert", and "ext-jwt"

query Parameters
method
required
string
Enum: "password" "cert" "ext-jwt"
Request Body schema: application/json
configTypes
Array of strings (configTypes)

Specific configuration types that should be returned

object (envInfo)

Environment information an authenticating client may provide

password
string (password) [ 5 .. 100 ] characters
object (sdkInfo)

SDK information an authenticating client may provide

username
string (username) [ 4 .. 100 ] characters

Responses

Request samples

Content type
application/json
{
  • "configTypes": [
    ],
  • "envInfo": {
    },
  • "password": "string",
  • "sdkInfo": {
    },
  • "username": "string"
}

Response samples

Content type
{
  • "data": {
    },
  • "meta": {
    }
}

Complete MFA authentication

Completes MFA authentication by submitting an MFA time-based one-time token or backup code.

Authorizations:
ztSession, oauth2
Request Body schema: application/json

An MFA validation request

code
required
string

Responses

Request samples

Content type
application/json
{
  • "code": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

MFA

Complete MFA authentication

Completes MFA authentication by submitting an MFA time-based one-time token or backup code.

Authorizations:
ztSession, oauth2
Request Body schema: application/json

An MFA validation request

code
required
string

Responses

Request samples

Content type
application/json
{
  • "code": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Returns the current status of MFA enrollment

Returns details about the current MFA enrollment. If enrollment has not been completed it will return the current MFA configuration details necessary to complete a POST /current-identity/mfa/verify.

Authorizations:
ztSession, oauth2

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Initiate MFA enrollment

Allows authenticator-based MFA enrollment. If enrollment has already been completed, it must be disabled before attempting to re-enroll. The subsequent enrollment request is completed via POST /current-identity/mfa/verify.

Authorizations:
ztSession, oauth2

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Disable MFA for the current identity

Disable MFA for the current identity. Requires a current valid time-based one-time password if MFA enrollment has been completed. If not, code should be an empty string. If one-time passwords are not available, an admin account can be used to remove MFA from the identity via DELETE /identities/<id>/mfa.

Authorizations:
ztSession, oauth2
header Parameters
mfa-validation-code
string

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Show a QR code for unverified MFA enrollments

Shows a QR code image for unverified MFA enrollments. Returns a 404 if the MFA enrollment has been completed or not started.

Authorizations:
ztSession, oauth2

Responses

For a completed MFA enrollment view the current recovery codes

Allows the viewing of recovery codes of an MFA enrollment. Requires a current valid time based one time password to interact with. Available after a completed MFA enrollment.

Authorizations:
ztSession, oauth2
header Parameters
mfa-validation-code
string
Request Body schema: application/json

An MFA validation request

code
required
string

Responses

Request samples

Content type
application/json
{
  • "code": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

For a completed MFA enrollment regenerate the recovery codes

Allows regeneration of recovery codes of an MFA enrollment. Requires a current valid time based one time password to interact with. Available after a completed MFA enrollment. This replaces all existing recovery codes.

Authorizations:
ztSession, oauth2
Request Body schema: application/json

An MFA validation request

code
required
string

Responses

Request samples

Content type
application/json
{
  • "code": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Complete MFA enrollment by verifying a time based one time token

Completes MFA enrollment by accepting a time based one time password as verification. Called after MFA enrollment has been initiated via POST /current-identity/mfa.

Authorizations:
ztSession, oauth2
Request Body schema: application/json

An MFA validation request

code
required
string

Responses

Request samples

Content type
application/json
{
  • "code": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Remove MFA from an identity

Allows an admin to remove MFA enrollment from a specific identity. Requires admin.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Authenticator

List authenticators

Returns a list of authenticators associated to identities. The resources can be sorted, filtered, and paginated. This endpoint requires admin access.

Authorizations:
ztSession, oauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Creates an authenticator

Creates an authenticator for a specific identity. Requires admin access.

Authorizations:
ztSession, oauth2
Request Body schema: application/json

An Authenticator create object

certPem
string

The client certificate the identity will login with. Used only for method='cert'

identityId
required
string

The id of an existing identity that will be assigned this authenticator

method
required
string

The type of authenticator to create, which dictates which properties on this object are required.

password
string

The password the identity will login with. Used only for method='updb'

object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

username
string

The username that the identity will login with. Used only for method='updb'

Responses

Request samples

Content type
application/json
{
  • "certPem": "string",
  • "identityId": "string",
  • "method": "string",
  • "password": "string",
  • "tags": {
    },
  • "username": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single authenticator

Retrieves a single authenticator by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on an authenticator

Update all fields on an authenticator by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An authenticator put object

password
required
string (password) [ 5 .. 100 ] characters
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

username
required
string (username) [ 4 .. 100 ] characters

Responses

Request samples

Content type
application/json
{
  • "password": "string",
  • "tags": {
    },
  • "username": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete an Authenticator

Delete an authenticator by id. Deleting all authenticators for an identity will make it impossible to log in. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on an authenticator

Update the supplied fields on an authenticator by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An authenticator patch object

password
string or null (passwordNullable) [ 5 .. 100 ] characters
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

username
string or null (usernameNullable) [ 4 .. 100 ] characters

Responses

Request samples

Content type
application/json
{
  • "password": "string",
  • "tags": {
    },
  • "username": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Reverts an authenticator to an enrollment

Allows an authenticator to be reverted to an enrollment and allows re-enrollment to occur. On success the created enrollment record response is provided and the source authenticator record will be deleted. The enrollment created depends on the authenticator. UPDB authenticators result in UPDB enrollments, CERT authenticators result in OTT enrollments, CERT + CA authenticators result in OTTCA enrollments.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A reEnrollment request

expiresAt
required
string <date-time>

Responses

Request samples

Content type
application/json
{
  • "expiresAt": "2019-08-24T14:15:22Z"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Certificate Authority

List CAs

Retrieves a list of CA resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSession, oauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Creates a CA

Creates a CA in an unverified state. Requires admin access.

Authorizations:
ztSession, oauth2
Request Body schema: application/json

A CA to create

certPem
required
string
object (externalIdClaim)
identityNameFormat
string
identityRoles
required
Array of strings (roles)
isAuthEnabled
required
boolean
isAutoCaEnrollmentEnabled
required
boolean
isOttCaEnrollmentEnabled
required
boolean
name
required
string
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "certPem": "-----BEGIN CERTIFICATE-----\nMIICUjCCAdmgAwIBAgIJANooo7NB+dZZMAoGCCqGSM49BAMCMF4xCzAJBgNVBAYT\nAlVTMQswCQYDVQQIDAJOQzETMBEGA1UECgwKTmV0Rm91bmRyeTEtMCsGA1UEAwwk\nTmV0Rm91bmRyeSBaaXRpIEV4dGVybmFsIEFQSSBSb290IENBMB4XDTE4MTExNTEy\nNTcwOVoXDTM4MTExMDEyNTcwOVowXjELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAk5D\nMRMwEQYDVQQKDApOZXRGb3VuZHJ5MS0wKwYDVQQDDCROZXRGb3VuZHJ5IFppdGkg\nRXh0ZXJuYWwgQVBJIFJvb3QgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAARwq61Z\nIaqbaw0PDt3frJZaHjkxfZhwYrykI1GlbRNd/jix03lVG9qvpN5Og9fQfFFcFmD/\n3vCE9S6O0npm0mADQxcBcxbMRAH5dtBuCuiJW6qAAbPgiM32vqSxBiFt0KejYzBh\nMB0GA1UdDgQWBBRx1OVGuc/jdltDc8YBtkw8Tbr4fjAfBgNVHSMEGDAWgBRx1OVG\nuc/jdltDc8YBtkw8Tbr4fjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB\nhjAKBggqhkjOPQQDAgNnADBkAjBDRxNZUaIVpkQKnAgJukl3ysd3/i7Z6hDyIEms\nkllz/+ZvmdBp9iedV5o5BvJUggACMCv+UBFlJH7pmsOCo/F45Kk178YsCC7gaMxE\n1ZG1zveyMvsYsH04C9FndE6w2MLvlA==\n-----END CERTIFICATE-----\n",
  • "externalIdClaim": {
    },
  • "identityNameFormat": "string",
  • "identityRoles": [
    ],
  • "isAuthEnabled": true,
  • "isAutoCaEnrollmentEnabled": true,
  • "isOttCaEnrollmentEnabled": true,
  • "name": "Test 3rd Party External CA",
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single CA

Retrieves a single CA by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on a CA

Update all fields on a CA by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A CA update object

object (externalIdClaim)
identityNameFormat
required
string
identityRoles
required
Array of strings (roles)
isAuthEnabled
required
boolean
isAutoCaEnrollmentEnabled
required
boolean
isOttCaEnrollmentEnabled
required
boolean
name
required
string
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "externalIdClaim": {
    },
  • "identityNameFormat": "string",
  • "identityRoles": [
    ],
  • "isAuthEnabled": true,
  • "isAutoCaEnrollmentEnabled": true,
  • "isOttCaEnrollmentEnabled": true,
  • "name": "My CA",
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete a CA

Delete a CA by id. Deleting a CA will delete its associated certificate authenticators. This can make it impossible for identities to authenticate if they no longer have any valid authenticators. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on a CA

Update only the supplied fields on a CA by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A CA patch object

object (externalIdClaimPatch)
identityNameFormat
string or null
identityRoles
Array of strings (roles)
isAuthEnabled
boolean or null
isAutoCaEnrollmentEnabled
boolean or null
isOttCaEnrollmentEnabled
boolean or null
name
string or null
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "externalIdClaim": {
    },
  • "identityNameFormat": "string",
  • "identityRoles": [
    ],
  • "isAuthEnabled": true,
  • "isAutoCaEnrollmentEnabled": true,
  • "isOttCaEnrollmentEnabled": true,
  • "name": "My CA",
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Retrieve the enrollment JWT for a CA

For CA auto enrollment, the enrollment JWT is static and provided on each CA resource. This endpoint provides the JWT as a text response.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/jwt
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbSI6ImNhIiwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6MTI4MC8ifQ.Ot6lhNBSOw8ygHytdI5l7WDf9EWadOj44UPvJ0c-8mJ54fClWM3uMZrAHSSfV6KmOSZOeBBJe4VlNyoD-_MOECP0BzYSnSQP3EzJb0VlM-fFmGcKNGW157icyZNISfO43JL_Lw2QPBzTgikqSIj9eZnocC3BeAmZCHsVznnLfHWqDldcmuxnu-5MNOSrWV1x9iVcgLFlLHXK2PLA4qIiZmlQTrQjpHJmUaoJ07mnj8hMKzxB3wBG8kpazjEo7HDRCO06aBH4eqFgf_l0iT8Dzcb31jquWMGUoSXPhf4lVJh_FiNcR1wVx-UiHLbG5h23Aqf1UJF-F38rc1FElKz0Zg
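
The sample token above decodes to a header with alg RS256 and a payload with the claims em ("ca") and iss (the controller URL). Because this JWT is static for the CA, the following added example (not part of the OpenZiti documentation or code) checks those fields against the controller you expect before a client acts on the token. The algorithm allow-list, the function names and the constructed sample tokens are assumptions, and the signature still has to be verified separately.

```python
import base64
import json
import re
from urllib.parse import urlsplit

# Assumption: asymmetric algorithms only; the page's sample token uses RS256.
ALLOWED_ALGS = {"RS256", "ES256", "ES384", "ES512"}
SEGMENT = re.compile(r"[A-Za-z0-9_-]+")


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, rejecting characters outside the alphabet."""
    if not SEGMENT.fullmatch(segment):
        raise ValueError("segment is not base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def origin(url: str) -> tuple:
    """Normalise an https URL to (host, port, path) so two spellings compare equal."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {url!r}")
    return (parts.hostname.lower(), parts.port or 443, parts.path.rstrip("/"))


def inspect_enrollment_jwt(token: str, expected_issuer: str) -> dict:
    """Return the claims if the token names the expected controller.

    The signature is NOT verified here; these are the checks that can be made
    before contacting anything named inside the token.
    """
    compact = "".join(token.split())  # drop whitespace picked up in copy/paste
    segments = compact.split(".")
    if len(segments) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(segments[0]))
    claims = json.loads(b64url_decode(segments[1]))
    b64url_decode(segments[2])  # the signature must at least be well-formed
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg: {alg!r}")  # rejects "none" and HMAC
    if claims.get("em") != "ca":
        raise ValueError(f"not a CA enrollment token: em={claims.get('em')!r}")
    if origin(str(claims.get("iss", ""))) != origin(expected_issuer):
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    return claims


def is_acceptable(token: str, expected_issuer: str) -> bool:
    """Boolean wrapper for use in a pre-enrollment gate."""
    try:
        inspect_enrollment_jwt(token, expected_issuer)
        return True
    except ValueError:
        return False


def make_sample_token(header: dict, claims: dict) -> str:
    """Constructed sample: real structure, filler bytes where the signature goes."""
    body = [json.dumps(header).encode(), json.dumps(claims).encode(),
            b"constructed-filler-not-a-signature"]
    return ".".join(b64url_encode(part) for part in body)


if __name__ == "__main__":
    controller = "https://localhost:1280"  # issuer value from the page's sample
    cases = {
        "expected controller": make_sample_token(
            {"alg": "RS256", "typ": "JWT"},
            {"em": "ca", "iss": "https://localhost:1280/"}),
        "other controller": make_sample_token(
            {"alg": "RS256", "typ": "JWT"},
            {"em": "ca", "iss": "https://ctrl.example.net:1280/"}),
        "alg none": make_sample_token(
            {"alg": "none"},
            {"em": "ca", "iss": "https://localhost:1280/"}),
    }
    for label, token in cases.items():
        print(f"{label:20s} acceptable={is_acceptable(token, controller)}")
```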

Verify a CA

Allows a CA to become verified by submitting a certificate in PEM format that has been signed by the target CA. The common name on the certificate must match the verificationToken property of the CA. Unverified CAs cannot be used for enrollment/authentication. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: text/plain

A PEM formatted certificate signed by the target CA with the common name matching the CA's validationToken

string

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Config

List config-types

Retrieves a list of config-type resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSession, oauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Create a config-type. Requires admin access.

Authorizations:
ztSession, oauth2
Request Body schema: application/json

A config-type to create

name
required
string
object

A JSON schema to enforce configuration against

object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "name": "ziti-tunneler-server.v1",
  • "schema": { },
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single config-type

Retrieves a single config-type by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on a config-type

Update all fields on a config-type by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A config-type update object

name
required
string
object

A JSON schema to enforce configuration against

object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "name": "ziti-tunneler-server.v1",
  • "schema": { },
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete a config-type

Delete a config-type by id. Removing a configuration type that is in use will result in a 409 conflict HTTP status code and error. All configurations of a type must be removed first.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on a config-type

Update the supplied fields on a config-type. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A config-type patch object

name
string
object

A JSON schema to enforce configuration against

object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "name": "ziti-tunneler-server.v1",
  • "schema": { },
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Lists the configs of a specific config-type

Lists the configs associated to a config-type. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List configs

Retrieves a list of config resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSession, oauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Create a config resource

Create a config resource. Requires admin access.

Authorizations:
ztSession, oauth2
Request Body schema: application/json

A config to create

configTypeId
required
string

The id of a config-type that the data section will match

required
object

Data payload is defined by the schema of the config-type defined in the type parameter

name
required
string
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "configTypeId": "cea49285-6c07-42cf-9f52-09a9b115c783",
  • "data": {
    },
  • "name": "test-config"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single config

Retrieves a single config by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on a config

Update all fields on a config by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A config update object

required
object

Data payload is defined by the schema of the config-type defined in the type parameter

name
required
string
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "data": {
    },
  • "name": "example-config-name"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete a config

Delete a config by id. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on a config

Update the supplied fields on a config. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A config patch object

object

Data payload is defined by the schema of the config-type defined in the type parameter

name
string
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "data": {
    },
  • "name": "example-config-name"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

List services referenced by a config

Retrieves a list of service resources that reference a given config; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Controllers

List controllers

Retrieves a list of controllers

Authorizations:
ztSession, oauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Current API Session

Return the current API session

Retrieves the API session that was used to issue the current request

Authorizations:
ztSession, oauth2

Responses

Response samples

Content type
{
  • "data": {
    },
  • "meta": {
    }
}

Logout

Terminates the current API session

Authorizations:
ztSession, oauth2

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

List authenticators for the current identity

Retrieves a list of authenticators assigned to the current API session's identity; supports filtering, sorting, and pagination.

Authorizations:
ztSession, oauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Retrieve an authenticator for the current identity

Retrieves a single authenticator by id. Will only show authenticators assigned to the API session's identity.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on an authenticator of this identity

Update all fields on an authenticator by id. Will only update authenticators assigned to the API session's identity.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An authenticator put object

password
required
string (password) [ 5 .. 100 ] characters
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

username
required
string (username) [ 4 .. 100 ] characters
currentPassword
required
string (password) [ 5 .. 100 ] characters

Responses

Request samples

Content type
application/json
{
  • "password": "string",
  • "tags": {
    },
  • "username": "string",
  • "currentPassword": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on an authenticator of this identity

Update the supplied fields on an authenticator by id. Will only update authenticators assigned to the API session's identity.

Authorizations:
ztSession, oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An authenticator patch object

password
string or null (passwordNullable) [ 5 .. 100 ] characters
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

username
string or null (usernameNullable) [ 4 .. 100 ] characters
currentPassword
required
string (password) [ 5 .. 100 ] characters

Responses

Request samples

Content type
application/json
{
  • "password": "string",
  • "tags": {
    },
  • "username": "string",
  • "currentPassword": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Allows the current identity to receive a new certificate associated with a certificate based authenticator

This endpoint only functions for certificates issued by the controller; 3rd party certificates are not handled. It allows an identity to extend its certificate's expiration date by using its current and valid client certificate to submit a CSR. The CSR may be generated with a new private key, which allows private key rotation. The response from this endpoint is a new client certificate, which the client must verify via the /authenticators/{id}/extend-verify endpoint. After verification is complete, any new connections must be made with the new certificate. Prior to verification the old client certificate remains active.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json
clientCertCsr
required
string

Responses

Request samples

Content type
application/json
{
  • "clientCertCsr": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Allows the current identity to validate receipt of a new client certificate

After submitting a CSR for a new client certificate the resulting public certificate must be re-submitted to this endpoint to verify receipt. After receipt, the new client certificate must be used for new authentication requests.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json
clientCert
required
string

A PEM encoded client certificate previously returned after an extension request

Responses

Request samples

Content type
application/json
{
  • "clientCert": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}
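The extend and extend-verify steps described above, sketched client-side in Go as an added example (not OpenZiti's own code): it rotates the private key in the CSR and refuses to acknowledge a returned certificate that does not match that key. Assumptions: the CSR is sent as PEM text, the function names are hypothetical, and `issueFromCSR` is a constructed local stand-in for the controller so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// BuildExtendBody generates a fresh P-256 key (key rotation) and returns it with
// the JSON body {"clientCertCsr": "<CSR>"}. Assumption: the CSR is PEM encoded.
func BuildExtendBody(commonName string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csrPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	body, err := json.Marshal(map[string]string{"clientCertCsr": string(csrPEM)})
	return key, body, err
}

// BuildExtendVerifyBody checks the returned certificate before echoing it back as
// {"clientCert": "<PEM cert>"}: it must parse, be inside its validity window, and
// carry the public key of the rotated private key.
func BuildExtendVerifyBody(certPEM string, key *ecdsa.PrivateKey, now time.Time) ([]byte, error) {
	block, _ := pem.Decode([]byte(certPEM))
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("response is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return nil, errors.New("certificate is outside its validity window")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(&key.PublicKey) {
		return nil, errors.New("certificate does not match the rotated private key")
	}
	return json.Marshal(map[string]string{"clientCert": certPEM})
}

// issueFromCSR is a constructed stand-in for the controller: a throwaway CA signs
// whatever public key the CSR carries.
func issueFromCSR(body []byte) (string, error) {
	var req map[string]string
	if err := json.Unmarshal(body, &req); err != nil {
		return "", err
	}
	block, _ := pem.Decode([]byte(req["clientCertCsr"]))
	if block == nil {
		return "", errors.New("clientCertCsr is not PEM")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the new key
		return "", err
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject,
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	key, extendBody, _ := BuildExtendBody("constructed-identity")
	certPEM, _ := issueFromCSR(extendBody)
	_, err := BuildExtendVerifyBody(certPEM, key, time.Now())
	fmt.Println("certificate accepted for extend-verify:", err == nil)
}
```

Keep the old key and certificate on disk until the extend-verify call succeeds, since the page states the old client certificate remains active until verification.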

Current Identity

Return the current identity

Returns the identity associated with the API session used to issue the current request

Authorizations:
ztSessionoauth2

Responses

Response samples

Content type
{
  • "data": {
    },
  • "meta": {
    }
}

Returns the current status of MFA enrollment

Returns details about the current MFA enrollment. If enrollment has not been completed it will return the current MFA configuration details necessary to complete a POST /current-identity/mfa/verify.

Authorizations:
ztSessionoauth2

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Initiate MFA enrollment

Allows authenticator based MFA enrollment. If enrollment has already been completed, it must be disabled before attempting to re-enroll. The enrollment request is subsequently completed via POST /current-identity/mfa/verify.

Authorizations:
ztSessionoauth2

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Disable MFA for the current identity

Disable MFA for the current identity. Requires a current valid time based one time password if MFA enrollment has been completed. If not, code should be an empty string. If one time passwords are not available, an admin account can be used to remove MFA from the identity via DELETE /identities/<id>/mfa.

Authorizations:
ztSessionoauth2
header Parameters
mfa-validation-code
string

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Show a QR code for unverified MFA enrollments

Shows a QR code image for unverified MFA enrollments. Returns a 404 if the MFA enrollment has been completed or not started.

Authorizations:
ztSessionoauth2

Responses

For a completed MFA enrollment view the current recovery codes

Allows the viewing of recovery codes of an MFA enrollment. Requires a current valid time based one time password to interact with. Available after a completed MFA enrollment.

Authorizations:
ztSessionoauth2
header Parameters
mfa-validation-code
string
Request Body schema: application/json

An MFA validation request

code
required
string

Responses

Request samples

Content type
application/json
{
  • "code": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

For a completed MFA enrollment regenerate the recovery codes

Allows regeneration of recovery codes of an MFA enrollment. Requires a current valid time based one time password to interact with. Available after a completed MFA enrollment. This replaces all existing recovery codes.

Authorizations:
ztSessionoauth2
Request Body schema: application/json

An MFA validation request

code
required
string

Responses

Request samples

Content type
application/json
{
  • "code": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Complete MFA enrollment by verifying a time based one time token

Completes MFA enrollment by accepting a time based one time password as verification. Called after MFA enrollment has been initiated via POST /current-identity/mfa.

Authorizations:
ztSessionoauth2
Request Body schema: application/json

An MFA validation request

code
required
string

Responses

Request samples

Content type
application/json
{
  • "code": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Enroll

Allows the current identity to receive a new certificate associated with a certificate based authenticator

This endpoint only functions for certificates issued by the controller; 3rd party certificates are not handled. It allows an identity to extend its certificate's expiration date by using its current and valid client certificate to submit a CSR. The CSR may be generated with a new private key, which allows private key rotation. The response from this endpoint is a new client certificate, which the client must verify via the /authenticators/{id}/extend-verify endpoint. After verification is complete, any new connections must be made with the new certificate. Prior to verification the old client certificate remains active.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json
clientCertCsr
required
string

Responses

Request samples

Content type
application/json
{
  • "clientCertCsr": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Allows the current identity to validate receipt of a new client certificate

After submitting a CSR for a new client certificate the resulting public certificate must be re-submitted to this endpoint to verify receipt. After receipt, the new client certificate must be used for new authentication requests.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json
clientCert
required
string

A PEM encoded client certificate previously returned after an extension request

Responses

Request samples

Content type
application/json
{
  • "clientCert": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Extend Enrollment

Allows the current identity to receive a new certificate associated with a certificate based authenticator

This endpoint only functions for certificates issued by the controller; 3rd party certificates are not handled. It allows an identity to extend its certificate's expiration date by using its current and valid client certificate to submit a CSR. The CSR may be generated with a new private key, which allows private key rotation. The response from this endpoint is a new client certificate, which the client must verify via the /authenticators/{id}/extend-verify endpoint. After verification is complete, any new connections must be made with the new certificate. Prior to verification the old client certificate remains active.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json
clientCertCsr
required
string

Responses

Request samples

Content type
application/json
{
  • "clientCertCsr": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Allows the current identity to validate receipt of a new client certificate

After submitting a CSR for a new client certificate the resulting public certificate must be re-submitted to this endpoint to verify receipt. After receipt, the new client certificate must be used for new authentication requests.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json
clientCert
required
string

A PEM encoded client certificate previously returned after an extension request

Responses

Request samples

Content type
application/json
{
  • "clientCert": "string"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Database

Starts a data integrity scan on the datastore

Starts a data integrity scan on the datastore. Requires admin access. Only one instance may run at a time, including runs of fixDataIntegrity.

Authorizations:
ztSessionoauth2

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Returns any results found from in-progress integrity checks

Returns any results found from in-progress integrity checks. Requires admin access.

Authorizations:
ztSessionoauth2

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Runs a data integrity scan on the datastore, attempts to fix any issues it can and returns any found issues

Runs a data integrity scan on the datastore, attempts to fix any issues it can, and returns any found issues. Requires admin access. Only one instance may run at a time, including runs of checkDataIntegrity.

Authorizations:
ztSessionoauth2

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Create a new database snapshot

Create a new database snapshot. Requires admin access.

Authorizations:
ztSessionoauth2

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Edge Router Policy

List edge router policies

Retrieves a list of edge router policy resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Create an edge router policy resource

Create an edge router policy resource. Requires admin access.

Authorizations:
ztSessionoauth2
Request Body schema: application/json

An edge router policy to create

edgeRouterRoles
Array of strings (roles)
identityRoles
Array of strings (roles)
name
required
string
semantic
required
string (semantic)
Enum: "AllOf" "AnyOf"
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "edgeRouterRoles": [
    ],
  • "identityRoles": [
    ],
  • "name": "string",
  • "semantic": "AllOf",
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single edge router policy

Retrieves a single edge router policy by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on an edge router policy

Update all fields on an edge router policy by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An edge router policy update object

edgeRouterRoles
Array of strings (roles)
identityRoles
Array of strings (roles)
name
required
string
semantic
required
string (semantic)
Enum: "AllOf" "AnyOf"
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "edgeRouterRoles": [
    ],
  • "identityRoles": [
    ],
  • "name": "string",
  • "semantic": "AllOf",
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete an edge router policy

Delete an edge router policy by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on an edge router policy

Update the supplied fields on an edge router policy. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An edge router policy patch object

edgeRouterRoles
Array of strings (roles)
identityRoles
Array of strings (roles)
name
string
semantic
string (semantic)
Enum: "AllOf" "AnyOf"
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "edgeRouterRoles": [
    ],
  • "identityRoles": [
    ],
  • "name": "string",
  • "semantic": "AllOf",
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

List edge routers a policy affects

Retrieves a list of edge routers an edge router policy resource affects; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List identities an edge router policy affects

Retrieves a list of identities an edge router policy resource affects; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Role Attributes

List role attributes in use by edge routers

Retrieves a list of role attributes in use by edge routers; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List role attributes in use by identities

Retrieves a list of role attributes in use by identities; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List role attributes in use by posture checks

Retrieves a list of role attributes in use by posture checks; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List role attributes in use by services

Retrieves a list of role attributes in use by services; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Edge Router

List edge routers

Retrieves a list of edge router resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string
roleFilter
Array of strings
roleSemantic
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Create an edge router

Create an edge router resource. Requires admin access.

Authorizations:
ztSessionoauth2
Request Body schema: application/json

An edge router to create

appData
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

cost
integer or null [ 0 .. 65535 ]
disabled
boolean or null
isTunnelerEnabled
boolean
name
required
string
noTraversal
boolean or null
roleAttributes
Array of strings or null (attributes)

A set of strings used to loosely couple this resource to policies

tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "appData": {
    },
  • "cost": 65535,
  • "disabled": true,
  • "isTunnelerEnabled": true,
  • "name": "string",
  • "noTraversal": true,
  • "roleAttributes": [
    ],
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single edge router

Retrieves a single edge router by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on an edge router

Update all fields on an edge router by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An edge router update object

appData
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

cost
integer or null [ 0 .. 65535 ]
disabled
boolean or null
isTunnelerEnabled
boolean
name
required
string
noTraversal
boolean or null
roleAttributes
Array of strings or null (attributes)

A set of strings used to loosely couple this resource to policies

tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "appData": {
    },
  • "cost": 65535,
  • "disabled": true,
  • "isTunnelerEnabled": true,
  • "name": "string",
  • "noTraversal": true,
  • "roleAttributes": [
    ],
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete an edge router

Delete an edge router by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on an edge router

Update the supplied fields on an edge router. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An edge router patch object

appData
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

cost
integer or null [ 0 .. 65535 ]
disabled
boolean or null
isTunnelerEnabled
boolean
name
string or null
noTraversal
boolean or null
roleAttributes
Array of strings or null (attributes)

A set of strings used to loosely couple this resource to policies

tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "appData": {
    },
  • "cost": 65535,
  • "disabled": true,
  • "isTunnelerEnabled": true,
  • "name": "string",
  • "noTraversal": true,
  • "roleAttributes": [
    ],
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

List the edge router policies that affect an edge router

Retrieves a list of edge router policies that apply to the specified edge router.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List associated identities

Retrieves a list of identities that may access services via the given edge router. Supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Re-enroll an edge router

Removes current certificate based authentication mechanisms and reverts the edge router into a state where enrollment must be performed. The router retains all other properties and associations. If the router is currently connected, it will be disconnected and any attempts to reconnect will fail until the enrollment process is completed with the newly generated JWT.

If the edge router has an existing outstanding enrollment JWT it will be replaced. The previous JWT will no longer be usable to complete the enrollment process.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

List the service policies that affect an edge router

Retrieves a list of service policies that apply to the specified edge router.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List associated services

Retrieves a list of services that may be accessed via the given edge router. Supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Enrollment

List outstanding enrollments

Retrieves a list of outstanding enrollments; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Create an outstanding enrollment for an identity

Creates a new OTT, OTTCA, or UPDB enrollment for a specific identity. If an enrollment of the same type is already outstanding the request will fail with a 409 conflict. If desired, an existing enrollment can be refreshed by enrollments/:id/refresh or deleted.

Authorizations:
ztSessionoauth2
Request Body schema: application/json

An enrollment to create

caId
string or null
expiresAt
required
string <date-time>
identityId
required
string
method
required
string
Enum: "ott" "ottca" "updb"
username
string or null

Responses

Request samples

Content type
application/json
{
  • "caId": "string",
  • "expiresAt": "2019-08-24T14:15:22Z",
  • "identityId": "string",
  • "method": "ott",
  • "username": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves an outstanding enrollment

Retrieves a single outstanding enrollment by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Delete an outstanding enrollment

Delete an outstanding enrollment by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Refreshes an enrollment record's expiration window

For expired or unexpired enrollments, reset the expiration window. A new JWT will be generated and must be used for the enrollment.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An enrollment refresh request

expiresAt
required
string <date-time>

Responses

Request samples

Content type
application/json
{
  • "expiresAt": "2019-08-24T14:15:22Z"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

External JWT Signer

List External JWT Signers

Retrieves a list of external JWT signers for authentication

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Creates an External JWT Signer

Creates an External JWT Signer. Requires admin access.

Authorizations:
ztSessionoauth2
Request Body schema: application/json

An External JWT Signer to create

audience
required
string or null
certPem
string or null
claimsProperty
string or null
clientId
string or null
enabled
required
boolean
externalAuthUrl
string or null <url>
issuer
required
string
jwksEndpoint
string or null <uri>
kid
string or null
name
required
string
scopes
Array of strings or null
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

useExternalId
boolean or null

Responses

Request samples

Content type
application/json
{
  • "audience": "string",
  • "certPem": "string",
  • "claimsProperty": "string",
  • "clientId": "string",
  • "enabled": true,
  • "externalAuthUrl": "string",
  • "issuer": "string",
  • "jwksEndpoint": "http://example.com",
  • "kid": "string",
  • "name": "MyApps Signer",
  • "scopes": [
    ],
  • "tags": {
    },
  • "useExternalId": true
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single External JWT Signer

Retrieves a single External JWT Signer by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on an External JWT Signer

Update all fields on an External JWT Signer by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An External JWT Signer update object

audience
required
string or null
certPem
string or null
claimsProperty
string or null
clientId
string or null
enabled
required
boolean
externalAuthUrl
string or null <url>
issuer
required
string
jwksEndpoint
string or null <uri>
kid
string or null
name
required
string
scopes
Array of strings or null
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

useExternalId
boolean or null

Responses

Request samples

Content type
application/json
{
  • "audience": "string",
  • "certPem": "string",
  • "claimsProperty": "string",
  • "clientId": "string",
  • "enabled": true,
  • "externalAuthUrl": "string",
  • "issuer": "string",
  • "jwksEndpoint": "http://example.com",
  • "kid": "string",
  • "name": "MyApps Signer",
  • "scopes": [
    ],
  • "tags": {
    },
  • "useExternalId": true
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete an External JWT Signer

Delete an External JWT Signer by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on an External JWT Signer

Update only the supplied fields on an External JWT Signer by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An External JWT Signer patch object

audience
string or null
certPem
string or null
claimsProperty
string or null
clientId
string or null
enabled
boolean or null
externalAuthUrl
string or null <url>
issuer
string or null
jwksEndpoint
string or null <uri>
kid
string or null
name
string or null
scopes
Array of strings
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

useExternalId
boolean or null

Responses

Request samples

Content type
application/json
{
  • "audience": "string",
  • "certPem": "string",
  • "claimsProperty": "string",
  • "clientId": "string",
  • "enabled": true,
  • "externalAuthUrl": "string",
  • "issuer": "string",
  • "jwksEndpoint": "http://example.com",
  • "kid": "string",
  • "name": "MyApps Signer",
  • "scopes": [
    ],
  • "tags": {
    },
  • "useExternalId": true
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Identity

List identities

Retrieves a list of identity resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string
roleFilter
Array of strings
roleSemantic
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Create an identity resource

Create an identity resource. Requires admin access.

Authorizations:
ztSessionoauth2
Request Body schema: application/json

An identity to create

appData
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

authPolicyId
string or null
defaultHostingCost
integer (terminatorCost) [ 0 .. 65535 ]
defaultHostingPrecedence
string (terminatorPrecedence)
Enum: "default" "required" "failed"
enrollment
object
externalId
string or null
isAdmin
required
boolean
name
required
string
roleAttributes
Array of strings or null (attributes)

A set of strings used to loosely couple this resource to policies

serviceHostingCosts
object (terminatorCostMap)
serviceHostingPrecedences
object (terminatorPrecedenceMap)
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

type
required
string (identityType)
Enum: "User" "Device" "Service" "Router" "Default"

Responses

Request samples

Content type
application/json
{
  • "appData": {
    },
  • "authPolicyId": "string",
  • "defaultHostingCost": 65535,
  • "defaultHostingPrecedence": "default",
  • "enrollment": {
    },
  • "externalId": "string",
  • "isAdmin": true,
  • "name": "string",
  • "roleAttributes": [
    ],
  • "serviceHostingCosts": {
    },
  • "serviceHostingPrecedences": {
    },
  • "tags": {
    },
  • "type": "User"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single identity

Retrieves a single identity by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on an identity

Update all fields on an identity by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An identity update object

object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

authPolicyId
string or null
defaultHostingCost
integer (terminatorCost) [ 0 .. 65535 ]
defaultHostingPrecedence
string (terminatorPrecedence)
Enum: "default" "required" "failed"
externalId
string or null
isAdmin
required
boolean
name
required
string
roleAttributes
Array of strings or null (attributes)

A set of strings used to loosely couple this resource to policies

object (terminatorCostMap)
object (terminatorPrecedenceMap)
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

type
required
string (identityType)
Enum: "User" "Device" "Service" "Router" "Default"

Responses

Request samples

Content type
application/json
{
  • "appData": {
    },
  • "authPolicyId": "string",
  • "defaultHostingCost": 65535,
  • "defaultHostingPrecedence": "default",
  • "externalId": "string",
  • "isAdmin": true,
  • "name": "string",
  • "roleAttributes": [
    ],
  • "serviceHostingCosts": {
    },
  • "serviceHostingPrecedences": {
    },
  • "tags": {
    },
  • "type": "User"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete an identity

Delete an identity by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on an identity

Update the supplied fields on an identity. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An identity patch object

object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

authPolicyId
string or null
defaultHostingCost
integer (terminatorCost) [ 0 .. 65535 ]
defaultHostingPrecedence
string (terminatorPrecedence)
Enum: "default" "required" "failed"
externalId
string or null
isAdmin
boolean or null
name
string or null
roleAttributes
Array of strings or null (attributes)

A set of strings used to loosely couple this resource to policies

object (terminatorCostMap)
object (terminatorPrecedenceMap)
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

type
string (identityType)
Enum: "User" "Device" "Service" "Router" "Default"

Responses

Request samples

Content type
application/json
{
  • "appData": {
    },
  • "authPolicyId": "string",
  • "defaultHostingCost": 65535,
  • "defaultHostingPrecedence": "default",
  • "externalId": "string",
  • "isAdmin": true,
  • "name": "string",
  • "roleAttributes": [
    ],
  • "serviceHostingCosts": {
    },
  • "serviceHostingPrecedences": {
    },
  • "tags": {
    },
  • "type": "User"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}
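A pre-flight check for the identity request bodies described above (create, full update and patch), as an added example that is not part of the API reference or the OpenZiti project's code. Field names, enums and ranges come from the schemas listed on this page; the function name `validate_identity_body`, the `mode` argument and the sample bodies in the test are assumptions made for illustration.

```python
# Added example: validate an identity request body before sending it.
# Schema facts (required fields, enums, ranges) are those listed above;
# the function and its "mode" argument are hypothetical helpers.

IDENTITY_TYPES = ("User", "Device", "Service", "Router", "Default")
PRECEDENCES = ("default", "required", "failed")
REQUIRED = ("isAdmin", "name", "type")  # required on create and full update
TAG_VALUE_TYPES = (str, bool, type(None))  # tags: null, string, boolean only


def _is_int(value):
    # bool is a subclass of int in Python; JSON true is not a valid cost.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_identity_body(body, mode="create"):
    """Return a list of schema problems; an empty list means the body is valid.

    mode is "create", "update" (all fields) or "patch" (supplied fields only).
    """
    if mode not in ("create", "update", "patch"):
        raise ValueError(f"unknown mode: {mode}")
    patch = mode == "patch"
    problems = []

    if not patch:
        # isAdmin is required, so privilege is always stated explicitly.
        problems += [f"missing required field: {f}" for f in REQUIRED if f not in body]

    if "isAdmin" in body:
        value = body["isAdmin"]
        if not (isinstance(value, bool) or (patch and value is None)):
            problems.append("isAdmin must be a boolean")
    if "name" in body:
        value = body["name"]
        if not (isinstance(value, str) or (patch and value is None)):
            problems.append("name must be a string")
    if "type" in body and body["type"] not in IDENTITY_TYPES:
        problems.append(f"type must be one of {', '.join(IDENTITY_TYPES)}")
    if "defaultHostingPrecedence" in body and body["defaultHostingPrecedence"] not in PRECEDENCES:
        problems.append(f"defaultHostingPrecedence must be one of {', '.join(PRECEDENCES)}")
    if "defaultHostingCost" in body:
        value = body["defaultHostingCost"]
        if not (_is_int(value) and 0 <= value <= 65535):
            problems.append("defaultHostingCost must be an integer in 0..65535")

    for field in ("authPolicyId", "externalId"):
        if field in body and not (body[field] is None or isinstance(body[field], str)):
            problems.append(f"{field} must be a string or null")

    if body.get("roleAttributes") is not None:
        attrs = body["roleAttributes"]
        if not (isinstance(attrs, list) and all(isinstance(a, str) for a in attrs)):
            problems.append("roleAttributes must be an array of strings or null")

    if body.get("tags") is not None:
        tags = body["tags"]
        if not isinstance(tags, dict):
            problems.append("tags must be an object or null")
        else:
            for key, value in tags.items():
                if not isinstance(value, TAG_VALUE_TYPES):
                    problems.append(f"tags.{key} must be null, string or boolean")

    return problems
```
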

Retrieve the current authenticators of a specific identity

Returns a list of authenticators associated to the identity specified

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Set an identity as disabled

Reject an identity's API session requests for N minutes, or indefinitely if N is 0.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

Disable parameters

durationMinutes
required
integer

Responses

Request samples

Content type
application/json
{
  • "durationMinutes": 0
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

List the edge router policies that affect an identity

Retrieves a list of edge router policies that apply to the specified identity.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List accessible edge-routers

Retrieves a list of edge-routers that the given identity may use to access services. Supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Clears all disabled state from an identity

Allows an admin to remove disabled statuses from an identity.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Retrieve the current enrollments of a specific identity

Returns a list of enrollments associated to the identity specified

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Retrieve a list of the most recent service failure requests due to posture checks

Returns a list of service session requests that failed due to posture checks. The entries will contain every policy that was verified against and every failed check in each policy. Each check will include the historical posture data and posture check configuration.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Remove MFA from an identity

Allows an admin to remove MFA enrollment from a specific identity. Requires admin.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Analyze policies relating the given identity and service

Analyzes policies to see if the given identity should be able to dial or bind the given service. Will check service policies to see if the identity can access the service. Will check edge router policies to check if the identity and service have access to common edge routers so that a connection can be made. Will also check if at least one edge router is on-line. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

serviceId
required
string

The id of a service

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}
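The three checks described for this endpoint, reproduced offline over already-resolved sets, as an added example that is not the controller's implementation or part of this reference. The function name, the report shape and the sample ids are constructed for illustration, and the online check is assumed to apply to the edge routers the identity and service have in common.

```python
# Added example: a local model of the policy analysis described above.
# Inputs are sets an admin could assemble from the list endpoints on this
# page; the names and the report layout are hypothetical, not the API's.

POLICY_TYPES = ("dial", "bind")


def analyze_access(service_id, accessible_services, identity_routers,
                   service_routers, online_routers):
    """Explain whether an identity can dial or bind a service.

    accessible_services: {"dial": set_of_service_ids, "bind": set_of_service_ids}
    identity_routers:    edge router ids the identity may use
    service_routers:     edge router ids the service may use
    online_routers:      edge router ids currently online
    """
    # Edge router policies: both sides must share at least one edge router.
    common = sorted(set(identity_routers) & set(service_routers))
    # Assumption: the online check is applied to the shared routers.
    online_common = [r for r in common if r in online_routers]

    report = {"commonEdgeRouters": common, "onlineCommonEdgeRouters": online_common}
    for policy_type in POLICY_TYPES:
        problems = []
        # Service policies: is the service granted for this policy type?
        if service_id not in accessible_services.get(policy_type, ()):
            problems.append(f"no service policy grants {policy_type} on this service")
        if not common:
            problems.append("identity and service share no edge router")
        elif not online_common:
            problems.append("no common edge router is online")
        report[policy_type] = {"ok": not problems, "problems": problems}
    return report


def sample_report():
    # Constructed sample data: ids are placeholders, not real resources.
    return analyze_access(
        service_id="svc-billing",
        accessible_services={"dial": {"svc-billing", "svc-wiki"}, "bind": set()},
        identity_routers={"er-east", "er-west"},
        service_routers={"er-west", "er-south"},
        online_routers={"er-east", "er-south"},
    )
```

In the constructed sample the identity holds a dial grant and shares `er-west` with the service, yet both checks fail because `er-west` is offline; the bind result also reports the missing service policy.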

Retrieve the current posture data for a specific identity.

Returns a nested map representing the posture data of the identity. This data should be considered volatile.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

List the service configs associated with a specific identity

Retrieves a list of service configs associated to a specific identity

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Associate service configs for a specific identity

Associate service configs to a specific identity

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A service config patch object

Array
configId
required
string
serviceId
required
string

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Remove associated service configs from a specific identity

Remove service configs from a specific identity

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

An array of service and config id pairs to remove

Array
configId
required
string
serviceId
required
string

Responses

Request samples

Content type
application/json
[
  • {
    }
]

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

List the service policies that affect an identity

Retrieves a list of service policies that apply to the specified identity.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List accessible services

Retrieves a list of services that the given identity has access to. Supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

query Parameters
filter
string
policyType
string
Enum: "dial" "bind"

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Enable/disable data flow tracing for an identity

Allows an admin to enable/disable data flow tracing for an identity

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A traceSpec object

channels
Array of strings
duration
string
enabled
boolean
traceId
string

Responses

Request samples

Content type
application/json
{
  • "channels": [
    ],
  • "duration": "string",
  • "enabled": true,
  • "traceId": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

List available identity types

Retrieves a list of identity types; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Retrieves an identity type

Retrieves a single identity type by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Tracing

Enable/disable data flow tracing for an identity

Allows an admin to enable/disable data flow tracing for an identity

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A traceSpec object

channels
Array of strings
duration
string
enabled
boolean
traceId
string

Responses

Request samples

Content type
application/json
{
  • "channels": [
    ],
  • "duration": "string",
  • "enabled": true,
  • "traceId": "string"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Posture Checks

List a subset of posture check types

Retrieves a list of posture check types

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json; charset=utf-8
{
  • "data": [
    ],
  • "meta": {
    }
}

Retrieves a single posture check type

Retrieves a single posture check type by id

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

List a subset of posture checks

Retrieves a list of posture checks

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string
roleFilter
Array of strings
roleSemantic
string

Responses

Response samples

Content type
application/json; charset=utf-8
{
  • "data": [
    ],
  • "meta": {
    }
}

Creates a Posture Check

Creates a Posture Check

Authorizations:
ztSessionoauth2
Request Body schema: application/json

A Posture Check to create

name
required
string
roleAttributes
Array of strings or null (attributes)

A set of strings used to loosely couple this resource to policies

object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

typeId
required
string (postureCheckType)
domains
required
Array of strings non-empty

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "roleAttributes": [
    ],
  • "tags": {
    },
  • "typeId": "postureCheckDomainCreate",
  • "domains": [
    ]
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single Posture Check

Retrieves a single Posture Check by id

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on a Posture Check

Update all fields on a Posture Check by id

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A Posture Check update object

name
required
string
roleAttributes
Array of strings or null (attributes)

A set of strings used to loosely couple this resource to policies

object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

typeId
string (postureCheckType)
domains
required
Array of strings non-empty

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "roleAttributes": [
    ],
  • "tags": {
    },
  • "typeId": "postureCheckDomainUpdate",
  • "domains": [
    ]
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Deletes a Posture Check

Deletes a Posture Check by id

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on a Posture Check

Update only the supplied fields on a Posture Check by id

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A Posture Check patch object

name
string
roleAttributes
Array of strings or null (attributes)

A set of strings used to loosely couple this resource to policies

object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

typeId
required
string (postureCheckType)
domains
Array of strings non-empty

Responses

Request samples

Content type
application/json
Example
{
  • "name": "string",
  • "roleAttributes": [
    ],
  • "tags": {
    },
  • "typeId": "postureCheckDomainPatch",
  • "domains": [
    ]
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Router

List routers

Retrieves a list of router resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Create a router resource

Create a router resource. Requires admin access.

Authorizations:
ztSessionoauth2
Request Body schema: application/json

A router to create

cost
integer or null [ 0 .. 65535 ]
disabled
boolean or null
name
required
string
noTraversal
boolean or null
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "cost": 65535,
  • "disabled": true,
  • "name": "string",
  • "noTraversal": true,
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single router

Retrieves a single router by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on a router

Update all fields on a router by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A router update object

cost
integer or null [ 0 .. 65535 ]
disabled
boolean or null
name
required
string
noTraversal
boolean or null
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "cost": 65535,
  • "disabled": true,
  • "name": "string",
  • "noTraversal": true,
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete a router

Delete a router by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on a router

Update the supplied fields on a router. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A router patch object

cost
integer or null [ 0 .. 65535 ]
disabled
boolean or null
name
string
noTraversal
boolean or null
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "cost": 65535,
  • "disabled": true,
  • "name": "string",
  • "noTraversal": true,
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

List routers

Retrieves a list of router resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Create a router resource

Create a router resource. Requires admin access.

Authorizations:
ztSessionoauth2
Request Body schema: application/json

A router to create

cost
integer or null [ 0 .. 65535 ]
disabled
boolean or null
name
required
string
noTraversal
boolean or null
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "cost": 65535,
  • "disabled": true,
  • "name": "string",
  • "noTraversal": true,
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single router

Retrieves a single router by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on a router

Update all fields on a router by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A router update object

cost
integer or null [ 0 .. 65535 ]
disabled
boolean or null
name
required
string
noTraversal
boolean or null
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "cost": 65535,
  • "disabled": true,
  • "name": "string",
  • "noTraversal": true,
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete a router

Delete a router by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on a router

Update the supplied fields on a router. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A router patch object

cost
integer or null [ 0 .. 65535 ]
disabled
boolean or null
name
string
noTraversal
boolean or null
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "cost": 65535,
  • "disabled": true,
  • "name": "string",
  • "noTraversal": true,
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Service Edge Router Policy

List service edge router policies

Retrieves a list of service edge router policy resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Create a service edge router policy resource

Create a service edge router policy resource. Requires admin access.

Authorizations:
ztSessionoauth2
Request Body schema: application/json

A service edge router policy to create

edgeRouterRoles
Array of strings (roles)
name
required
string
semantic
required
string (semantic)
Enum: "AllOf" "AnyOf"
serviceRoles
Array of strings (roles)
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "edgeRouterRoles": [
    ],
  • "name": "string",
  • "semantic": "AllOf",
  • "serviceRoles": [
    ],
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single service edge policy

Retrieves a single service edge policy by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on a service edge policy

Update all fields on a service edge policy by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A service edge router policy update object

edgeRouterRoles
Array of strings (roles)
name
required
string
semantic
required
string (semantic)
Enum: "AllOf" "AnyOf"
serviceRoles
Array of strings (roles)
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "edgeRouterRoles": [
    ],
  • "name": "string",
  • "semantic": "AllOf",
  • "serviceRoles": [
    ],
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete a service edge policy

Delete a service edge policy by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on a service edge policy

Update the supplied fields on a service edge policy. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A service edge router policy patch object

edgeRouterRoles
Array of strings (roles)
name
string
semantic
string (semantic)
Enum: "AllOf" "AnyOf"
serviceRoles
Array of strings (roles)
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  • "edgeRouterRoles": [
    ],
  • "name": "string",
  • "semantic": "AllOf",
  • "serviceRoles": [
    ],
  • "tags": {
    }
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

List the edge routers that a service edge router policy applies to

List the edge routers that a service edge router policy applies to

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List the services that a service edge router policy applies to

List the services that a service edge router policy applies to

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Service Policy

List service policies

Retrieves a list of service policy resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Create a service policy resource

Create a service policy resource. Requires admin access.

Authorizations:
ztSessionoauth2
Request Body schema: application/json

A service policy to create

identityRoles
Array of strings (roles)
name
required
string
postureCheckRoles
Array of strings (roles)
semantic
required
string (semantic)
Enum: "AllOf" "AnyOf"
serviceRoles
Array of strings (roles)
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

type
required
string (dialBind)
Enum: "Dial" "Bind" "Invalid"

Responses

Request samples

Content type
application/json
{
  • "identityRoles": [
    ],
  • "name": "string",
  • "postureCheckRoles": [
    ],
  • "semantic": "AllOf",
  • "serviceRoles": [
    ],
  • "tags": {
    },
  • "type": "Dial"
}

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Retrieves a single service policy

Retrieves a single service policy by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": {
    },
  • "meta": {
    }
}

Update all fields on a service policy

Update all fields on a service policy by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A service policy update object

identityRoles
Array of strings (roles)
name
required
string
postureCheckRoles
Array of strings (roles)
semantic
required
string (semantic)
Enum: "AllOf" "AnyOf"
serviceRoles
Array of strings (roles)
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

type
required
string (dialBind)
Enum: "Dial" "Bind" "Invalid"

Responses

Request samples

Content type
application/json
{
  • "identityRoles": [
    ],
  • "name": "string",
  • "postureCheckRoles": [
    ],
  • "semantic": "AllOf",
  • "serviceRoles": [
    ],
  • "tags": {
    },
  • "type": "Dial"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Delete a service policy

Delete a service policy by id. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

Update the supplied fields on a service policy

Update the supplied fields on a service policy. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A service policy patch object

identityRoles
Array of strings (roles)
name
string
postureCheckRoles
Array of strings (roles)
semantic
string (semantic)
Enum: "AllOf" "AnyOf"
serviceRoles
Array of strings (roles)
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

type
string (dialBind)
Enum: "Dial" "Bind" "Invalid"

Responses

Request samples

Content type
application/json
{
  • "identityRoles": [
    ],
  • "name": "string",
  • "postureCheckRoles": [
    ],
  • "semantic": "AllOf",
  • "serviceRoles": [
    ],
  • "tags": {
    },
  • "type": "Dial"
}

Response samples

Content type
application/json
{
  • "data": { },
  • "meta": {
    }
}

List identities a service policy affects

Retrieves a list of identity resources that are affected by a service policy; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List posture checks a service policy includes

Retrieves a list of posture check resources that are affected by a service policy; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

List services a service policy affects

Retrieves a list of service resources that are affected by a service policy; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
path Parameters
id
required
string

The id of the requested resource

query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  • "data": [
    ],
  • "meta": {
    }
}

Service

List services

Retrieves a list of config resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSessionoauth2
query Parameters
limit
integer
offset
integer
filter
string
configTypes
Array of strings
roleFilter
Array of strings
roleSemantic
string

Responses

Response samples

Content type
application/json
{
  "data": [
  ],
  "meta": {
  }
}

Create a service resource

Create a service resource. Requires admin access.

Authorizations:
ztSession oauth2
Request Body schema: application/json

A service to create

configs
Array of strings
encryptionRequired
required
boolean

Describes whether connections must support end-to-end encryption on both sides of the connection.

maxIdleTimeMillis
integer
name
required
string
roleAttributes
Array of strings
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

terminatorStrategy
string

Responses

Request samples

Content type
application/json
{
  "configs": [
  ],
  "encryptionRequired": true,
  "maxIdleTimeMillis": 0,
  "name": "string",
  "roleAttributes": [
  ],
  "tags": {
  },
  "terminatorStrategy": "string"
}

Response samples

Content type
application/json
{
  "data": {
  },
  "meta": {
  }
}

Retrieves a single service

Retrieves a single service by id. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  "data": {
  },
  "meta": {
  }
}

Update all fields on a service

Update all fields on a service by id. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A service update object

configs
Array of strings
encryptionRequired
boolean

Describes whether connections must support end-to-end encryption on both sides of the connection. Read-only property, set at create.

maxIdleTimeMillis
integer
name
required
string
roleAttributes
Array of strings
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

terminatorStrategy
string

Responses

Request samples

Content type
application/json
{
  "configs": [
  ],
  "encryptionRequired": true,
  "maxIdleTimeMillis": 0,
  "name": "string",
  "roleAttributes": [
  ],
  "tags": {
  },
  "terminatorStrategy": "string"
}

Response samples

Content type
application/json
{
  "data": { },
  "meta": {
  }
}

Delete a service

Delete a service by id. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  "data": { },
  "meta": {
  }
}

Update the supplied fields on a service

Update the supplied fields on a service. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A service patch object

configs
Array of strings
encryptionRequired
boolean

Describes whether connections must support end-to-end encryption on both sides of the connection. Read-only property, set at create.

maxIdleTimeMillis
integer
name
string
roleAttributes
Array of strings
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

terminatorStrategy
string

Responses

Request samples

Content type
application/json
{
  "configs": [
  ],
  "encryptionRequired": true,
  "maxIdleTimeMillis": 0,
  "name": "string",
  "roleAttributes": [
  ],
  "tags": {
  },
  "terminatorStrategy": "string"
}

Response samples

Content type
application/json
{
  "data": { },
  "meta": {
  }
}

List configs associated with a specific service

Retrieves a list of config resources associated with a specific service; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  "data": [
  ],
  "meta": {
  }
}

List accessible edge-routers

Retrieves a list of edge-routers that may be used to access the given service. Supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  "data": [
  ],
  "meta": {
  }
}

List identities with access

Retrieves a list of identities that have access to this service. Supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

query Parameters
limit
integer
offset
integer
filter
string
policyType
string
Enum: "dial" "bind"

Responses

Response samples

Content type
application/json
{
  "data": [
  ],
  "meta": {
  }
}

List service edge router policies that affect a specific service

Retrieves a list of service edge router policy resources that affect a specific service; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  "data": [
  ],
  "meta": {
  }
}

List service policies that affect a specific service

Retrieves a list of service policy resources that affect a specific service; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  "data": [
  ],
  "meta": {
  }
}

List of terminators assigned to a service

Retrieves a list of terminator resources that are assigned to a specific service; supports filtering, sorting, and pagination.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  "data": [
  ],
  "meta": {
  }
}

Session

List sessions

Retrieves a list of active session resources; supports filtering, sorting, and pagination. Requires admin access.

Sessions are tied to an API session and are removed when an API session times out or logs out. Active sessions (i.e. Ziti SDK connected to an edge router) will keep the session and API session marked as active.

Authorizations:
ztSession oauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  "data": [
  ],
  "meta": {
  }
}

Retrieves a single session

Retrieves a single session by id. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  "data": {
  },
  "meta": {
  }
}

Delete a session

Delete a session by id. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  "data": { },
  "meta": {
  }
}

Retrieves a single session's route path

Retrieves a single session's route path by id. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  "data": {
  },
  "meta": {
  }
}

Terminator

List terminators

Retrieves a list of terminator resources; supports filtering, sorting, and pagination. Requires admin access.

Authorizations:
ztSession oauth2
query Parameters
limit
integer
offset
integer
filter
string

Responses

Response samples

Content type
application/json
{
  "data": [
  ],
  "meta": {
  }
}

Create a terminator resource

Create a terminator resource. Requires admin access.

Authorizations:
ztSession oauth2
Request Body schema: application/json

A terminator to create

address
required
string
binding
required
string
cost
integer (terminatorCost) [ 0 .. 65535 ]
identity
string
identitySecret
string <byte>
precedence
string (terminatorPrecedence)
Enum: "default" "required" "failed"
router
required
string
service
required
string
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  "address": "string",
  "binding": "string",
  "cost": 65535,
  "identity": "string",
  "identitySecret": "string",
  "precedence": "default",
  "router": "string",
  "service": "string",
  "tags": {
  }
}

Response samples

Content type
application/json
{
  "data": {
  },
  "meta": {
  }
}

Retrieves a single terminator

Retrieves a single terminator by id. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  "data": {
  },
  "meta": {
  }
}

Update all fields on a terminator

Update all fields on a terminator by id. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A terminator update object

address
required
string
binding
required
string
cost
integer (terminatorCost) [ 0 .. 65535 ]
precedence
string (terminatorPrecedence)
Enum: "default" "required" "failed"
router
required
string
service
required
string
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  "address": "string",
  "binding": "string",
  "cost": 65535,
  "precedence": "default",
  "router": "string",
  "service": "string",
  "tags": {
  }
}

Response samples

Content type
application/json
{
  "data": { },
  "meta": {
  }
}

Delete a terminator

Delete a terminator by id. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

Responses

Response samples

Content type
application/json
{
  "data": { },
  "meta": {
  }
}

Update the supplied fields on a terminator

Update the supplied fields on a terminator. Requires admin access.

Authorizations:
ztSession oauth2
path Parameters
id
required
string

The id of the requested resource

Request Body schema: application/json

A terminator patch object

address
string
binding
string
cost
integer (terminatorCost) [ 0 .. 65535 ]
precedence
string (terminatorPrecedence)
Enum: "default" "required" "failed"
router
string
service
string
tags
object or null (tags)

A map of user defined fields and values. The values are limited to the following types/values: null, string, boolean

Responses

Request samples

Content type
application/json
{
  "address": "string",
  "binding": "string",
  "cost": 65535,
  "precedence": "default",
  "router": "string",
  "service": "string",
  "tags": {
  }
}

Response samples

Content type
application/json
{
  "data": { },
  "meta": {
  }
}