ZTNA.
APIs.
Using an 'API Client key', which is user-specific and times out after the 'Session lifetime' defined in the Portal, rather than using API clients with tenant roles assigned.
Create a regular API client in the admin console (either OAuth or long-lived token) and assign the relevant roles; once done, use that token in the scripts that perform admin operations.
One can still use the "User API client" that is created via the application portal in order to do administrative operations such as list applications, but this would require the user
Note that the user is not using API clients in the best way. The user is using a "User API client", created via the application portal, to perform administrative operations such as listing applications. This type of API client can perform admin operations on behalf of the user, but it is mainly intended for application access, not administrative operations.
With administrative API clients, the user uses the bearer token obtained by calling the /token endpoint, which is valid for a few months. With the "User API client", the session is valid only for the session lifetime (a few hours), so the user passes authentication but fails on permission to do the operation.