zscaler · willguibr · Jun 23, 2026 · Jun 23, 2026 · Jun 23, 2026 · Jun 23, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,19 @@
 # Zscaler Python SDK Changelog
 
+## 1.9.32 (June 3, 2026)
+
+### Notes
+
+- Python Versions: **v3.9, v3.10, v3.11, v3.12**
+
+### Enhancements
+
+* [PR #534](https://github.com/zscaler/zscaler-sdk-python/issues/534) - Added OneAPI (Zidentity) support for the government (FedRAMP) clouds. Setting `cloud=gov` or `cloud=govus` on `ZscalerClient` now routes OAuth to the correct Zidentity identity provider (`https://{vanityDomain}.zidentitygov.net` / `https://{vanityDomain}.zidentitygovus.net`) and API calls to the correct gateway (`https://api.zscalergov.net` / `https://api.zscalergov.us`). Previously these clouds produced non-resolvable hostnames and failed on every call. [Issue #526](https://github.com/zscaler/zscaler-sdk-python/issues/526)
+
+### Bug Fixes
+
+* [PR #534](https://github.com/zscaler/zscaler-sdk-python/issues/534) - Fixed ZPA `add_timeout_rule` (v1) so `re_auth_timeout`/`re_auth_idle_timeout` serialize to the API's `reauthTimeout`/`reauthIdleTimeout` keys instead of the rejected `reAuth*` form.
+
 ## 1.9.31 (May 29, 2026)
 
 ### Notes
@@ -21,6 +35,8 @@
 
 * [PR #525](https://github.com/zscaler/zscaler-sdk-python/pull/525) - Fixed resource registration `app_connectors` within the Legacy ZPA Client.
 
+* [Issue #526](https://github.com/zscaler/zscaler-sdk-python/issues/526) - Added OneAPI (Zidentity) support for the government (FedRAMP) clouds. Setting `cloud=gov` or `cloud=govus` on `ZscalerClient` now routes OAuth to the correct Zidentity identity provider (`https://{vanityDomain}.zidentitygov.net` / `https://{vanityDomain}.zidentitygovus.net`) and API calls to the correct gateway (`https://api.zscalergov.net` / `https://api.zscalergov.us`). Previously these clouds produced non-resolvable hostnames and failed on every call.
+
 ## 1.9.30 (May 21, 2026)
 
 ### Notes

diff --git a/README.md b/README.md
@@ -282,7 +282,7 @@ dropdown you will see the newly created Role. In the event a newly created role
 ZIdentity Admin UI a `Sync Now` button is provided in the API Resources menu which will initiate an
 on-demand sync of newly created roles.
 
-**WARNING**: Attention Government customers. OneAPI and Zidentity is not currently supported for the following ZIA clouds: `zscalergov` and `zscalerten` or ZPA `GOV`, and `GOVUS`.
+**NOTE**: Attention Government customers. OneAPI and Zidentity now support the government (FedRAMP) clouds via the unified `cloud=gov` and `cloud=govus` values. See the [OneAPI Government (FedRAMP) Cloud Environments](#oneapi-government-fedramp-cloud-environments) section below for details.
 
 ### Default Environment Variables
 
@@ -319,6 +319,39 @@ export ZSCALER_CLOUD="beta"
 
 **Note 2**: By default this SDK will send the authentication request and subsequent API calls to the default base URL.
 
+### OneAPI Government (FedRAMP) Cloud Environments
+
+OneAPI supports the Zscaler government (FedRAMP) clouds. These are FedRAMP-isolated environments served by a dedicated Zidentity identity provider and API gateway. To authenticate, set the `cloud` attribute (or `ZSCALER_CLOUD` environment variable) to one of the supported government values:
+
+| `cloud` value | OAuth token endpoint | API base URL |
+|---------------|----------------------|--------------|
+| `gov`         | `https://<vanity_domain>.zidentitygov.net/oauth2/v1/token`   | `https://api.zscalergov.net` |
+| `govus`       | `https://<vanity_domain>.zidentitygovus.net/oauth2/v1/token` | `https://api.zscalergov.us`  |
+
+For example, authenticating to the GOV environment:
+
+```sh
+export ZSCALER_VANITY_DOMAIN="acme"
+export ZSCALER_CLOUD="gov"
+```
+
+Or inline in the client configuration:
+
+```py
+from zscaler import ZscalerClient
+
+config = {
+    "clientId": '{yourClientId}',
+    "clientSecret": '{yourClientSecret}',
+    "vanityDomain": '{yourvanityDomain}',
+    "cloud": "gov",  # or "govus"
+    "customerId": "",  # Optional parameter. Required only when using ZPA
+    "logging": {"enabled": False, "verbose": False},
+}
+```
+
+**Note**: The `cloud` value is case-insensitive (`gov`, `GOV`, `govus`, `GOVUS` are all accepted). The `vanityDomain` is still required and is used as the host prefix for the government identity provider.
+
 **Note 3**: Authentication to Zscaler Sandbox requires the attribute/parameter `sandboxCloud`.The following cloud environments are supported:
 
 * `zscaler`

diff --git a/docsrc/conf.py b/docsrc/conf.py
@@ -28,9 +28,9 @@
 html_title = ""
 
 # The short X.Y version
-version = "1.9.31"
+version = "1.9.32"
 # The full version, including alpha/beta/rc tags
-release = "1.9.31"
+release = "1.9.32"
 
 # -- General configuration ---------------------------------------------------
 

diff --git a/docsrc/index.rst b/docsrc/index.rst
@@ -365,6 +365,50 @@ an alternative Zidentity cloud environment.
 **Note 2**: By default this SDK will send the authentication request and
 subsequent API calls to the default base URL.
 
+OneAPI Government (FedRAMP) Cloud Environments
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+OneAPI supports the Zscaler government (FedRAMP) clouds. These are
+FedRAMP-isolated environments served by a dedicated Zidentity identity
+provider and API gateway. To authenticate, set the ``cloud`` attribute
+(or ``ZSCALER_CLOUD`` environment variable) to one of the supported
+government values:
+
++-------------------+---------------------------------------------------------------+------------------------------+
+| ``cloud`` value   | OAuth token endpoint                                          | API base URL                 |
++===================+===============================================================+==============================+
+| ``gov``           | ``https://<vanity_domain>.zidentitygov.net/oauth2/v1/token``  | ``https://api.zscalergov.net`` |
++-------------------+---------------------------------------------------------------+------------------------------+
+| ``govus``         | ``https://<vanity_domain>.zidentitygovus.net/oauth2/v1/token``| ``https://api.zscalergov.us``  |
++-------------------+---------------------------------------------------------------+------------------------------+
+
+For example, authenticating to the GOV environment:
+
+.. code:: sh
+
+   export ZSCALER_VANITY_DOMAIN="acme"
+   export ZSCALER_CLOUD="gov"
+
+Or inline in the client configuration:
+
+.. code:: py
+
+   from zscaler import ZscalerClient
+
+   config = {
+       "clientId": '{yourClientId}',
+       "clientSecret": '{yourClientSecret}',
+       "vanityDomain": '{yourvanityDomain}',
+       "cloud": "gov",  # or "govus"
+       "customerId": "",  # Optional parameter. Required only when using ZPA
+       "logging": {"enabled": False, "verbose": False},
+   }
+
+**Note**: The ``cloud`` value is case-insensitive (``gov``, ``GOV``,
+``govus``, ``GOVUS`` are all accepted). The ``vanityDomain`` is still
+required and is used as the host prefix for the government identity
+provider.
+
 **Note 3**: Authentication to Zscaler Sandbox requires the attribute/parameter `sandboxCloud`.The following cloud environments are supported:
 
 * `zscaler`

diff --git a/docsrc/zs/guides/release_notes.rst b/docsrc/zs/guides/release_notes.rst
@@ -6,6 +6,25 @@ Release Notes
 Zscaler Python SDK Changelog
 ----------------------------
 
+1.9.32 (June 3, 2026)
+---------------------------
+
+Notes
+-------
+
+- Python Versions: **v3.9, v3.10, v3.11, v3.12**
+
+Enhancements
+-------------
+
+* (`Issue #526 <https://github.com/zscaler/zscaler-sdk-python/issues/526>`_) - Added OneAPI (Zidentity) support for the government (FedRAMP) clouds. Setting ``cloud=gov`` or ``cloud=govus`` on ``ZscalerClient`` now routes OAuth to the correct Zidentity identity provider (``https://{vanityDomain}.zidentitygov.net`` / ``https://{vanityDomain}.zidentitygovus.net``) and API calls to the correct gateway (``https://api.zscalergov.net`` / ``https://api.zscalergov.us``). Previously these clouds produced non-resolvable hostnames and failed on every call.
+
+Bug Fixes
+---------
+
+* (`#534 <https://github.com/zscaler/zscaler-sdk-python/pull/534>`_) - Fixed ZPA ``add_timeout_rule`` (v1) so ``re_auth_timeout``/``re_auth_idle_timeout`` serialize to the API's ``reauthTimeout``/``reauthIdleTimeout`` keys instead of the rejected ``reAuth*`` form.
+
+
 1.9.31 (May 29, 2026)
 ---------------------------
 
@@ -31,6 +50,8 @@ Bug Fixes:
 
 `* (`#525 <https://github.com/zscaler/zscaler-sdk-python/pull/525>`_)` - Fixed resource registration `app_connectors` within the Legacy ZPA Client.
 
+* (`Issue #526 <https://github.com/zscaler/zscaler-sdk-python/issues/526>`_) - Added OneAPI (Zidentity) support for the government (FedRAMP) clouds. Setting ``cloud=gov`` or ``cloud=govus`` on ``ZscalerClient`` now routes OAuth to the correct Zidentity identity provider (``https://{vanityDomain}.zidentitygov.net`` / ``https://{vanityDomain}.zidentitygovus.net``) and API calls to the correct gateway (``https://api.zscalergov.net`` / ``https://api.zscalergov.us``). Previously these clouds produced non-resolvable hostnames and failed on every call.
+
 1.9.30 (May 21, 2026)
 ---------------------------