API Authentication

We support the following two methods for API Authentication:

  • API Authentication with User Credentials
  • Passwordless API Authentication

API Authentication with User Credentials

You must authenticate to the Qualys Cloud Platform using Qualys account credentials (user name and password) and get the JSON Web Token (JWT) before you can start using the GAV/CSAM APIs. Use the Qualys Authentication API to get the JWT.

Sample request:

curl -X POST https://gateway.qg1.apps.qualys.com/auth \
-d "username=value1&password=passwordValue&token=true" \
-H "Content-Type: application/x-www-form-urlencoded"

Here, gateway.qg1.apps.qualys.com is the base URL of the Qualys API server where your account is located.

  • username and password are the credentials of the user account for which you want to fetch GAV/CSAM data.
  • token should be true.
  • Content-Type should be "application/x-www-form-urlencoded".

The Authentication API returns a JSON Web Token (JWT) that you can use for authentication during GAV/CSAM calls. The token expires in 4 hours, and you must regenerate it to continue using the GAV/CSAM API.
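The request and the 4-hour lifetime described above, as an added example that is not part of the original page or Qualys code: POSIX shell helpers that percent-encode the credentials so characters such as & or + cannot alter the form body, pass the body to curl on standard input rather than on the command line, and decide when the token must be regenerated. The QUALYS_USERNAME and QUALYS_PASSWORD variables, the function names and the 5-minute refresh margin are assumptions.

```shell
#!/bin/sh
# Added example; names below are hypothetical, not part of the Qualys API.

JWT_LIFETIME=14400     # 4 hours, the token lifetime stated on this page
REFRESH_MARGIN=300     # assumption: regenerate 5 minutes before expiry

# Percent-encode every byte except RFC 3986 unreserved characters
# (A-Z a-z 0-9 - . _ ~), so the value is safe inside a form body.
urlencode() {
    for hex in $(printf '%s' "$1" | od -An -v -tx1); do
        case "$hex" in
            2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
                # Unreserved byte: print it back via its octal escape.
                printf "\\$(printf '%03o' "0x$hex")" ;;
            *)
                printf '%%%s' "$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
}

# Build the body for POST /auth: username, password, token=true.
auth_body() {
    printf 'username=%s&password=%s&token=true' \
        "$(urlencode "$1")" "$(urlencode "$2")"
}

# fetch_jwt BASE_URL   e.g. fetch_jwt https://gateway.qg1.apps.qualys.com
# Prints the API response. The body is piped to curl (--data @-), so the
# password is not in curl's argument list, where other local users could
# read it from the process table. printf is a builtin in bash and dash.
fetch_jwt() {
    auth_body "$QUALYS_USERNAME" "$QUALYS_PASSWORD" |
        curl --silent --show-error --fail -X POST "$1/auth" \
            -H "Content-Type: application/x-www-form-urlencoded" \
            --data @-
}

# jwt_needs_refresh ISSUED_EPOCH NOW_EPOCH
# Succeeds (exit 0) when the token is within REFRESH_MARGIN of expiry.
jwt_needs_refresh() {
    [ $(( $2 - $1 )) -ge $(( $JWT_LIFETIME - $REFRESH_MARGIN )) ]
}
```

Record `date +%s` when the token is issued and call `jwt_needs_refresh "$issued" "$(date +%s)"` before each GAV/CSAM request.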

Passwordless API Authentication

To provide a smooth and seamless API experience, we support passwordless API authentication. Along with the traditional authentication method described in API Authentication with User Credentials, you can explore Identity Provider (IdP) based passwordless API authentication and its inherent benefits.

We currently support OpenID Connect (OIDC) passwordless API authentication. To learn more about API authentication using OIDC, refer to Password-less Authentication using OIDC.